bare request or response
Dick Hardt
dick at sxip.com
Thu Sep 28 02:04:14 UTC 2006
On 26-Sep-06, at 10:30 AM, Kevin Turner wrote:
> On Mon, 2006-09-25 at 14:24 -0700, Dick Hardt wrote:
>> 2) fetching signed claims (part of attribute exchange)
> [...]
>> IdP sends a fetch response to Issuer containing any attributes
>> required by Issuer, and also user identifier
>> * there was no preceding fetch request
>> Issuer sends a store request to IdP with Claim
>> * there is no matching store response
>
> I guess you could do it that way, but it seems quite peculiar. Why are
> you turning things inside-out in this exchange? Why "response, store"
> rather than "fetch, respond"?
A fetch does not move identity data or prove the IdP is authoritative
for the URL.
A respond message is signed by the IdP, which the Issuer cannot do.
In some scenarios, there may be a disconnect between the fetch-response
and the store-request, and there are use cases where they make sense all
by themselves (i.e., logging into a site from the IdP).
We could create new messages, but I think the existing ones can be
used pretty much as is and be bare messages.
Other thoughts?
-- Dick
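The bare exchange Dick describes, as an added illustration that is not part of the thread or any OpenID library: the IdP emits an unsolicited fetch response signed over the user identifier and the asserted attributes, the Issuer sends back an unsigned store request, and the Issuer-side check refuses anything whose signature does not cover the fields it relies on. Assumptions: OpenID 2.0-style HMAC signing over the key-value form of the `openid.signed` fields, AX 1.0 field names (`openid.ax.*`), and a constructed shared association secret.

```python
import base64, hashlib, hmac

AX_NS = "http://openid.net/srv/ax/1.0"   # assumption: AX 1.0 namespace, not stated on the page

def kv_encode(fields, names):
    # OpenID key-value form of the signed fields: one "name:value\n" line per field, in order
    return "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in names).encode()

def sign(fields, names, secret):
    # The IdP signs with the association secret shared with the receiving party (HMAC-SHA256)
    mac = hmac.new(secret, kv_encode(fields, names), hashlib.sha256).digest()
    return {**fields, "openid.signed": ",".join(names), "openid.sig": base64.b64encode(mac).decode()}

def verify(msg, secret):
    if "openid.sig" not in msg or "openid.signed" not in msg:
        return False
    names = msg["openid.signed"].split(",")
    expected = base64.b64encode(hmac.new(secret, kv_encode(msg, names), hashlib.sha256).digest()).decode()
    return hmac.compare_digest(expected, msg["openid.sig"])

def bare_fetch_response(secret, identity, attrs):
    # Unsolicited fetch response: no preceding fetch request, but the IdP signs the user
    # identifier and every attribute it asserts, which is what a fetch request could not do
    fields = {"openid.identity": identity, "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response"}
    names = ["identity", "ns.ax", "ax.mode"]
    for alias, (type_uri, value) in attrs.items():
        fields[f"openid.ax.type.{alias}"] = type_uri
        fields[f"openid.ax.value.{alias}"] = value
        names += [f"ax.type.{alias}", f"ax.value.{alias}"]
    return sign(fields, names, secret)

def bare_store_request(identity, attrs):
    # Store request from the Issuer: carries the claim but no IdP signature, and expects no response
    fields = {"openid.identity": identity, "openid.ns.ax": AX_NS, "openid.ax.mode": "store_request"}
    for alias, (type_uri, value) in attrs.items():
        fields[f"openid.ax.type.{alias}"] = type_uri
        fields[f"openid.ax.value.{alias}"] = value
    return fields

def issuer_accepts(msg, secret, expected_identity):
    # Issuer-side check: a valid IdP signature that covers the identifier, the AX namespace
    # and every AX field present, so an attacker cannot append unsigned attributes
    if msg.get("openid.ax.mode") != "fetch_response" or not verify(msg, secret):
        return False
    signed = set(msg["openid.signed"].split(","))
    needed = {"identity", "ns.ax"} | {k[len("openid."):] for k in msg if k.startswith("openid.ax.")}
    return needed <= signed and msg["openid.identity"] == expected_identity
```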