bare request or response
Dick Hardt
dick at sxip.com
Mon Sep 25 21:24:03 UTC 2006
Use Case
There are a number of situations where there may be only half of an
OpenID exchange:
1) login initiated at IdP.
Since the IdP has a list of sites you have logged into, you could
log into your IdP and then click a link to log in to an RP. Since the
RP would not have initiated the transaction, this would be a bare
response message that the RP could still verify.
2) fetching signed claims (part of attribute exchange)
An RP may want a signed claim that the IdP does not have, but can
send the user to the claim Issuer to retrieve.
RP sends fetch request to IdP
IdP does not have the claim, but knows where to send the user, and asks
the user if they want to get the claim; the user accepts
IdP sends a fetch response to the Issuer containing any attributes
required by the Issuer, and also the user identifier
* there was no preceding fetch request
Issuer sends a store request to IdP with Claim
* there is no matching store response
IdP completes original fetch request with fetch response containing
Claim
In this use case, there is a requirement for a bare fetch response
and a bare store request.
Does anyone have an issue with these being valid? All responses would
be able to be verified per the protocol, and since there is no nonce
from the RP currently, the RP should be able to accept. For
requests, if there is no openid.return_to, then the IdP would not
return.
-- Dick
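The fetch/store flow described in the post, as an added Python example that is not part of the original message: the IdP signs a bare fetch response to the Issuer, the Issuer verifies it and answers with a bare store request carrying no openid.return_to (so the IdP sends it no store response), and the RP then verifies the completed fetch response. The association secrets, the ax.* field names, the URLs and the replay check on the RP side are my assumptions, not taken from the post.

```python
import base64, hashlib, hmac

# Constructed association secrets (real ones come from the association handshake).
IDP_RP_KEY = b"constructed-idp-rp-secret"
IDP_ISSUER_KEY = b"constructed-idp-issuer-secret"

def kv_form(msg, signed):
    # OpenID key-value form of the signed fields, in openid.signed order
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in signed)

def sign(msg, signed, key):
    # Copy of msg with openid.signed and a base64 HMAC-SHA1 openid.sig added
    out = dict(msg, **{"openid.signed": ",".join(signed)})
    mac = hmac.new(key, kv_form(out, signed).encode(), hashlib.sha1).digest()
    out["openid.sig"] = base64.b64encode(mac).decode()
    return out

def verify(msg, key):
    signed = msg["openid.signed"].split(",")
    mac = hmac.new(key, kv_form(msg, signed).encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), msg["openid.sig"])

def idp_forward_to_issuer(identity):
    # IdP lacks the claim: bare fetch response to the Issuer, no preceding request
    msg = {"openid.mode": "id_res", "openid.identity": identity,
           "openid.ax.mode": "fetch_response"}  # hypothetical AX field names
    return sign(msg, ["mode", "identity", "ax.mode"], IDP_ISSUER_KEY)

def issuer_store_claim(bare_fetch_response, claim):
    # Issuer verifies the bare response, then sends a bare store request (no return_to)
    if not verify(bare_fetch_response, IDP_ISSUER_KEY):
        return None
    msg = {"openid.mode": "id_res", "openid.identity": bare_fetch_response["openid.identity"],
           "openid.ax.mode": "store_request", "openid.ax.value.claim": claim}
    return sign(msg, ["mode", "identity", "ax.mode", "ax.value.claim"], IDP_ISSUER_KEY)

def idp_complete_fetch(store_request, return_to):
    # IdP verifies the store request; without openid.return_to it sends no store
    # response, and only completes the RP's original fetch with the claim
    if not verify(store_request, IDP_ISSUER_KEY):
        return None, None
    store_response = {"openid.mode": "id_res"} if "openid.return_to" in store_request else None
    fetch = {"openid.mode": "id_res", "openid.identity": store_request["openid.identity"],
             "openid.return_to": return_to, "openid.ax.mode": "fetch_response",
             "openid.ax.value.claim": store_request["openid.ax.value.claim"]}
    return store_response, sign(fetch, ["mode", "identity", "return_to", "ax.mode", "ax.value.claim"], IDP_RP_KEY)

SEEN_SIGS = set()
def rp_accept(resp, my_return_to):
    # RP accepts a (possibly bare) response only if signed, addressed to it, and not replayed;
    # with no RP-issued nonce to match, exact replays are rejected by remembering signatures
    if not verify(resp, IDP_RP_KEY) or resp.get("openid.return_to") != my_return_to:
        return False
    if resp["openid.sig"] in SEEN_SIGS:
        return False
    SEEN_SIGS.add(resp["openid.sig"])
    return True
```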