<div dir="ltr">I agree the spec doesn't spell out the scenario of an unsolicited assertion, but it seems to me that an RP implementing the full spec must handle the unsolicited assertion scenario at least somewhat because section 11.2 tells what the RP must do. And unless the RP does something to break it by adding dependencies on return_to parameters, for example, it ought to work implicitly as a result of following the spec as far as I understand it.<br>
<br><div class="gmail_quote">On Wed, Sep 17, 2008 at 8:01 AM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
It's not obvious that it really does, Andrew.<br>
<br>
I tested the validity of this very feature when doing formal due diligence on OpenID, the open code, and dominant providers. (I had to see where openid technology fits on the security scale, to get passed the evangelism pitches.)<br>
<br>
It was very ambiguous what the intent of the unsolicited assertion messages were, and what a conforming flow would be. I came to the conclusion that its intent was very limited, and related to AX update. But, even that conclusion was tenuous.<br>
<div><div></div><div class="Wj3C7c"><br>
<br>
-----Original Message-----<br>
From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>] On Behalf Of Andrew Arnott<br>
Sent: Wednesday, September 17, 2008 7:06 AM<br>
To: hulixin<br>
Cc: <a href="mailto:general@openid.net">general@openid.net</a><br>
Subject: Re: [OpenID] Can all Relying Party accept OpenID Provider's<br>
<br>
Why do you say it doesn't? In fact it does.<br>
<br>
Sent from my iPhone<br>
<br>
On Sep 16, 2008, at 11:38 PM, hulixin <<a href="mailto:hulixin@huawei.com">hulixin@huawei.com</a>> wrote:<br>
<br>
> think you very much.<br>
> I will supports unsolicited assertions too.<br>
> Do you know why < OpenID Authentication 2.0 - Final >do not include<br>
> this<br>
> case.<br>
> Is it safe?<br>
><br>
> ________________________________<br>
><br>
> 发件人: Andrew Arnott [mailto:<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>]<br>
> 发送时间: 2008年9月17日 12:28<br>
> 收件人: hulixin<br>
> 抄送: <a href="mailto:general@openid.net">general@openid.net</a><br>
> 主题: Re: [OpenID] Can all Relying Party accept OpenID Provider's<br>
><br>
><br>
> I know DotNetOpenId supports unsolicited assertions on both sides as<br>
> you<br>
> describe.<br>
><br>
> Sent from my iPhone<br>
><br>
> On Sep 16, 2008, at 9:05 PM, hulixin <<a href="mailto:hulixin@huawei.com">hulixin@huawei.com</a>> wrote:<br>
><br>
><br>
><br>
> Thank you for your answer!<br>
><br>
> Can all Relying Party accept OpenID Provider's Responding without<br>
> Requesting Authentication?<br>
><br>
> It means: User login in OpenID Provider directly ,instead of<br>
> Relying<br>
> Party redirect user from Relying Party to OpenID Provider.After<br>
> user login<br>
> in OpenID Provider,User want to an Relying Party,Can OpenID Provider<br>
> generate a url for user login into Relying Party, if user click this<br>
> url,Relying Party will accept this user login.user need not input<br>
> OpenID in<br>
> Relying Party. Relying Party do not send a Requesting<br>
> Authentication to<br>
> OpenID<br>
><br>
> Provider ,OpenID Provider will send a Responding to Relying Party.<br>
><br>
> It is good for relying party , because OpenID Provider can<br>
> bring pageview to Relying Party.<br>
><br>
> User login Facebook ,then User go to application ,Facebook bring<br>
> pageview to application.<br>
><br>
> Did OpenId Provider can bring pageview to Relying Party.<br>
><br>
> I think some user will like to login in OpenId Provider every day<br>
> ,then go to some Relying Party he like to go and have gone before.<br>
><br>
> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@openid.net">general@openid.net</a><br>
> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
><br>
><br>
><br>
><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>