Yahoo available AX attrs - backchannel/endpoint URLs
Peter Watkins
peterw at tux.org
Tue Dec 8 18:57:29 UTC 2009
On Tue, Dec 08, 2009 at 10:32:12AM -0800, John Panzer wrote:
> provide to RPs. If you send an endpoint URL to the RP instead of the
> information itself, the RP can then retrieve it via a backchannel (and cache
> it). If you have private data, use a capability URL with a token that
> allows read-only access.
Exactly. OpenID requests and responses are very chatty, and backchannel
URLs could be an easy way to get around the 2k GET limit (the cost of
course being additional time needed to make the additional HTTP requests).
I don't see any reason for backchannel URLs to be requested multiple times,
so in addition to a request or response using strongly random nonces in
the backchannel URLs, the backchannel URLs should be very short-lived;
probably each side "SHOULD" allow a URL to be requested only once, and
throw a 403/404 for subsequent requests.
Is there any draft of AX using backchannel URLs?
-Peter
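The single-use, short-lived capability URL sketched in the message above, worked through as an added example. This is not code from the thread, from the OpenID specs, or from any OP/RP implementation: the OP side issues a URL whose path carries a 256-bit random token, the first read returns the AX attributes and destroys the token, and a later read or an expired token gets a 404/403. The base URL, the field name `openid.ax.backchannel_url` (not a real AX 1.0 key), and the in-memory store are all assumptions made for illustration; a real OP would back the store with shared storage and fetch the URL over HTTPS.

```python
"""Single-use, short-lived capability URLs for AX backchannel fetches.

Illustrative only: the AX field name and base URL below are invented for the
example, not taken from the OpenID AX specification.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    attrs: dict
    expires_at: float


class CapabilityStore:
    """OP-side store: each issued token allows exactly one read before expiry."""

    def __init__(self, base_url, ttl_seconds=60, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested offline
        self._entries = {}

    def issue(self, attrs):
        """Mint a capability URL for one read of `attrs`."""
        token = secrets.token_urlsafe(32)   # 32 bytes = 256 bits of CSPRNG output
        self._entries[token] = _Entry(dict(attrs), self.clock() + self.ttl)
        return f"{self.base_url}/{token}"

    def redeem(self, token):
        """Return (http_status, attrs). Consumes the token on success."""
        entry = self._entries.get(token)
        if entry is None:
            # Unknown, guessed, or already consumed: indistinguishable on purpose.
            return 404, None
        if self.clock() > entry.expires_at:
            # Expired but not yet purged: reject and drop it.
            del self._entries[token]
            return 403, None
        del self._entries[token]            # one read only; replay now gets 404
        return 200, entry.attrs

    def purge_expired(self):
        """Housekeeping for tokens the RP never fetched."""
        now = self.clock()
        for tok in [t for t, e in self._entries.items() if now > e.expires_at]:
            del self._entries[tok]
        return len(self._entries)


def parse_token(url, base_url):
    """RP side: accept only URLs under the OP's advertised backchannel base."""
    prefix = base_url.rstrip("/") + "/"
    if not url.startswith(prefix):
        raise ValueError("capability URL is not under the OP's backchannel base")
    token = url[len(prefix):]
    if not token or "/" in token or "?" in token or "#" in token:
        raise ValueError("malformed capability token")
    return token


def build_ax_response(store, attrs):
    """OP side: a fetch_response carrying one backchannel URL instead of values.

    'openid.ax.backchannel_url' is a hypothetical key for this example only.
    """
    return {
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_response",
        "openid.ax.backchannel_url": store.issue(attrs),
    }


if __name__ == "__main__":
    op_base = "https://op.example/ax"          # assumed OP endpoint
    store = CapabilityStore(op_base, ttl_seconds=60)
    resp = build_ax_response(store, {"email": "alice@example.org"})
    tok = parse_token(resp["openid.ax.backchannel_url"], op_base)
    print(store.redeem(tok))   # first backchannel fetch: (200, {...})
    print(store.redeem(tok))   # replay: (404, None)
```

Returning 404 for both an unknown and an already-used token means a replayed or guessed URL reveals nothing about whether it was ever valid; the 403 for the expired case is kept only to show the second status code the message mentions, and collapsing it into 404 as well is equally sound.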