bare request or response

Dick Hardt dick at
Mon Sep 25 21:24:03 UTC 2006

Use Case

There are number of situations where there may be only half of an  
OpenID exchange:

1) login initiated at IdP.
	Since the IdP has a list of sites you have logged into, you could  
log into your IdP and then click a link to login to an RP. Since the  
RP would not have initiated the transaction, this would be a bare  
response message that the RP could still verify.

2) fetching signed claims (part of attribute exchange)
	An RP may want a signed claim that the IdP does not have, but can  
send the user to the claim Issuer to retrieve.
	RP sends fetch request to IdP
	IdP does not have claim, but knows where to send the user, and asks  
user if they want to get claim, user accepts
	IdP sends a fetch response to Issuer containing any attributes  
required by Issuer, and also user identifier
		* there was no preceding fetch request
	Issuer sends a store request to IdP with Claim
		* there is no matching store response
	IdP completes original fetch request with fetch response containing  

In this use case, there is a requirement for a bare fetch response,  
and a bare store request

Does anyone have an issue with these being valid? All responses would  
be able to be verified per the protocol, and since there is no nonce  
from the RP currently, the RP should be able to accept . For  
requests, if there is no openid.return_to, then the IdP would not  

-- Dick

More information about the specs mailing list