Allowing sites to renew information

Dick Hardt dick at
Thu Sep 28 01:52:48 UTC 2006

On 26-Sep-06, at 3:58 PM, Recordon, David wrote:

> I think that is slightly different from what Gerv was referring to.
> With Simple Registration, there is nothing stopping a relying party  
> from
> requesting the email address with every authentication request.  Most
> implementations however don't seem to do this, rather only request  
> data
> if they don't have it.
> In a sense, I think there are two schools of thought:
> 1) IdP pushes new data to each RP
> 2) Each RP pulls new data in each authentication request

OpenID AX supports both. The RP can decide how it wants to work. If  
it supplies an update_url, then it hopefully get changes pushed by  
the IdP. This is likely best for sites that you would visit  
infrequently. Eg. signing up for a magazine subscription.

Sites that want accurate data for each transaction will likely  
request the data on each authentication request. Since the RP does  
not know if it has the user's data until it knows the user, it is  
likely easier to ask for the data each time assuming it is not a  
massive amount of data.

Others think the RP should be able to request the data without the  
user is present. Time will tell if that is a viable model.

Agree that the specs should not dictate a particular way.

Gerv: did this address your use case?

-- Dick

More information about the specs mailing list