Yahoo available AX attrs - backchannel/endpoint URLs

Breno de Medeiros breno at google.com
Tue Dec 8 19:08:29 UTC 2009 

On Tue, Dec 8, 2009 at 11:01 AM, John Panzer <jpanzer at google.com> wrote:
> For "one-time" URLs, you'd probably want to allow for retries for a short
> period (or just allow it to be accessed for say 5m) which would have
> approximately the same level of protection.
> You could also imagine long-lived capabilities along the lines of OAuth
> tokens that allow RPs to repeatedly refresh the data as needed.  (Better of
> course if they can subscribe to changes, but that's an implementation detail
> and definitely a separate spec.)
> Given that AX already supports requesting URL-valued data (e.g., profile
> photos) I think this just comes down to defining a fairly complicated data
> type for AX and passing a URL around.

A more lightweight alternative is to adopt an 'artifact' mode where
most of the OpenID assertion (request and response) can be passed in
the backchannel. That is a bit more difficult to implement but easier
to spec (because the existing URLs can be used) and more general
(compacts all extensions, not only AX).

> --
> John Panzer / Google
> jpanzer at google.com / abstractioneer.org / @jpanzer
>
>
>
> On Tue, Dec 8, 2009 at 10:57 AM, Peter Watkins <peterw at tux.org> wrote:
>>
>> On Tue, Dec 08, 2009 at 10:32:12AM -0800, John Panzer wrote:
>>
>> > provide to RPs.  If you send an endpoint URL to the RP instead of the
>> > information itself, the RP can then retrieve it via a backchannel (and
>> > cache
>> > it).  If you have private data, use a capability URL with a token that
>> > allows read-only access.
>>
>> Exactly. OpenID requests and responses are very chatty, and backchannel
>> URLs could be an easy way to get around the 2k GET limit (the cost of
>> course being additional time needed to make the additional HTTP requests).
>>
>> I don't see any reason for backchannel URLs to be requested multiple
>> times,
>> so in addition to a request or response using strongly random nonces in
>> the backchannel URLs, the backchannel URLs should be very short-lived,
>> probably each side "SHOULD" allow a URL to be requested only once, and
>> throw a 403/404 for subsequent requests.
>>
>> Is there any draft of AX using backchannel URLs?
>>
>> -Peter
>
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

More information about the specs mailing list