So, what is an OpenID Extension?
Nat Sakimura
sakimura at gmail.com
Thu Aug 13 15:18:21 UTC 2009
That requesting data portion cannot be in an OpenID Extension, or can it?
Please have a look at http://docs.google.com/View?id=dhsz4ffx_84g7wr99g3 that
I am working on right now for CX, especially section 4. It probably is a
stretch, but I believe it is sensible. It is using AX in both direct and
indirect communication. The direct communication portion is not quite compliant
with the AX spec, but I am trying to reuse as much as I can.
=nat
On Fri, Aug 14, 2009 at 12:04 AM, Dick Hardt <Dick.Hardt at microsoft.com> wrote:
> In AX you can define any attribute you want. The attribute could be a URL
> that enables one site to request the data directly.
>
> ------------------------------
> *From:* openid-specs-bounces at lists.openid.net [
> openid-specs-bounces at lists.openid.net] on behalf of Nat Sakimura [
> sakimura at gmail.com]
> *Sent:* Thursday, August 13, 2009 8:03 AM
> *To:* James Henstridge
> *Cc:* OpenID Specs Mailing List
> *Subject:* Re: So, what is an OpenID Extension?
>
> Hmmm. So, there is no way we can do direct communication in an
> extension? What I want to do is to send the large payload directly
> between the servers and move only the reference through OpenID Authn request
> and response so that
>
> 1) mobile clients will not choke.
> 2) is going to be more secure.
>
> In AX, there is a notion of update_url, but is that also used only for
> indirect communication through browser?
>
> I feel that it is extremely limiting if we cannot do the server to server
> communication.
>
> If that is not a possibility, then I should probably do the server to
> server portion elsewhere, and just do the reference/artifact moving through
> OpenID AuthN, but that sounds like OpenID strangling itself.
>
> =nat
>
> On Thu, Aug 13, 2009 at 11:01 PM, James Henstridge <james at jamesh.id.au> wrote:
>
>> On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>> > I blogged about the subject here:
>> > http://www.sakimura.org/en/modules/wordpress/index.php?p=91
>> >
>> > What would be the consensus here?
>>
>> My reading of the spec (and what I believe is the author's intent) is
>> that OpenID extensions do indeed piggyback on an authentication
>> request. The note about including the extension's type URI in XRDS is
>> a way that an OpenID provider can advertise support for the extension.
>>
>> Note that in OpenID 2.0, sending openid.identifier in an
>> authentication request is optional. So you could potentially use an
>> extension without actually authenticating as a particular user. From
>> section 9.1:
>>
>> """
>> "openid.claimed_id" and "openid.identity" SHALL be either both present
>> or both absent. If neither value is present, the assertion is not
>> about an identifier, and will contain other information in its
>> payload, using extensions (Extensions).
>> """
>>
>> James.
>>
>
>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
>
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/