That requesting data portion cannot be in OpenID Extension, or can it? <div><br></div><div>Please have a look at <span class="Apple-style-span" style="font-family: Arial, 'Sans serif'; font-size: 12px; "><a id="publishedDocumentUrl" class="tabcontent" target="_blank" href="http://docs.google.com/View?id=dhsz4ffx_84g7wr99g3" style="color: rgb(17, 42, 187); font-family: Arial, sans-serif; font-size: 12px !important; ">http://docs.google.com/View?id=dhsz4ffx_84g7wr99g3</a> that I am working on right now for CX, especially the section 4. It probably is a stretch, but I believe is sensible. It is using AX in both direct and indirect communication. Direct communication portion is not quite compliant to the AX spec., but I am trying to reuse as much as I can. </span></div>
<div><font class="Apple-style-span" face="Arial, 'Sans serif'" size="3"><span class="Apple-style-span" style="font-size: 12px;"><br></span></font></div><div><font class="Apple-style-span" face="Arial, 'Sans serif'" size="3"><span class="Apple-style-span" style="font-size: 12px;">=nat<br>
</span></font><br><div class="gmail_quote">On Fri, Aug 14, 2009 at 12:04 AM, Dick Hardt <span dir="ltr"><<a href="mailto:Dick.Hardt@microsoft.com">Dick.Hardt@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>
<div style="direction:ltr;font-family:Tahoma;color:rgb(0, 0, 0);font-size:13px">
<div>In AX you can define any attribute you want. The attribute could be a URL that enables one site to request the data directly.<br>
<br>
</div>
<div style="font-family:Times New Roman;color:rgb(0, 0, 0);font-size:16px">
<hr>
<div style="direction:ltr"><font color="#000000" face="Tahoma" size="2"><b>From:</b> <a href="mailto:openid-specs-bounces@lists.openid.net" target="_blank">openid-specs-bounces@lists.openid.net</a> [<a href="mailto:openid-specs-bounces@lists.openid.net" target="_blank">openid-specs-bounces@lists.openid.net</a>] on behalf of Nat Sakimura [<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>]<br>
<b>Sent:</b> Thursday, August 13, 2009 8:03 AM<br>
<b>To:</b> James Henstridge<br>
<b>Cc:</b> OpenID Specs Mailing List<br>
<b>Subject:</b> Re: So, what is an OpenID Extension?<br>
</font><br>
</div><div><div></div><div class="h5">
<div></div>
<div>Hmmm. So, there is no way we can do direct communication in an extension?
<div>What I want to do is to send the large payload directly between the servers and move only the reference through OpenID Authn request and response so that </div>
<div><br>
</div>
<div>1) mobile clients will not choke. </div>
<div>2) is going to be more secure. </div>
<div><br>
</div>
<div>In AX, there is a notion of update_url, but is that also used only for indirect communication through browser? </div>
<div><br>
</div>
<div>I feel that it is extremely limiting if we cannot do the server to server communication. </div>
<div><br>
</div>
<div>If that is not a possibility, then I should probably do the server to server portion elsewhere, and just do the reference/artifact moving through OpenID AuthN, but that sounds like OpenID strangling itself. </div>
<div><br>
</div>
<div>=nat<br>
<br>
<div class="gmail_quote">On Thu, Aug 13, 2009 at 11:01 PM, James Henstridge <span dir="ltr">
<<a href="mailto:james@jamesh.id.au" target="_blank">james@jamesh.id.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<div>On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura<<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>> wrote:<br>
> I blogged bout the subject here:<br>
> <a href="http://www.sakimura.org/en/modules/wordpress/index.php?p=91" target="_blank">
http://www.sakimura.org/en/modules/wordpress/index.php?p=91</a><br>
><br>
> What would be the consensus here?<br>
<br>
</div>
My reading of the spec (and what I believe is the author's intent) is<br>
that OpenID extensions do indeed piggyback on an authentication<br>
request. The note about including the extension's type URI in XRDS is<br>
a way that an OpenID provider can advertise support for the extension.<br>
<br>
Note that in OpenID 2.0, sending openid.identifier in an<br>
authentication request is optional. So you could potentially use an<br>
extension without actually authenticating as a particular user. From<br>
section 9.1:<br>
<br>
"""<br>
"openid.claimed_id" and "openid.identity" SHALL be either both present<br>
or both absent. If neither value is present, the assertion is not<br>
about an identifier, and will contain other information in its<br>
payload, using extensions (Extensions).<br>
"""<br>
<font color="#888888"><br>
James.<br>
</font></blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Nat Sakimura (=nat)<br>
<a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>
</div>
</div>
</div></div></div>
</div>
</div>
</blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br>
</div>