More questions about openid.ax.update_url
Johnny Bufu
johnny at sxip.com
Wed Oct 17 19:34:13 UTC 2007
On 17-Oct-07, at 2:42 AM, James Henstridge wrote:
> The next question is how much information from the original OpenID
> authentication request/response can the RP expect to be included in
> the subsequent update responses.
Attribute Exchange is an OpenID extension, so a full/valid/positive
assertion must be sent each time with an attribute exchange response.
> If the original request was for
> openid.claimed_id=http://www.jamesh.id.au/ and
> openid.identity=http://example.com/jamesh, will those values be
> included in future updates responses?
Being an extension, it is assumed that the RP has completed
successfully the OpenID verification and has identified the user by
the claimed_id in the positive assertion.
Therefore the RP has identified the correct user when it is
processing the AX fetch response sent to an update_url.
> Looking at it from the other side, an OP implementer would want to
> know how much information from the request needs to be stored in order
> to satisfy future update responses.
I believe this is specified already:
"If present, the OpenID Provider may re-post the fetch response
message to the specified URL at some time after the initial response
has been sent, using a OpenID Authentication Positive Assertion."
Johnny
More information about the specs
mailing list