[step2] Re: OpenID Popup Extension - Draft 0

Praveen Alavilli praveen.alavilli at gmail.com
Mon Feb 16 20:25:32 UTC 2009


On Mon, Feb 16, 2009 at 12:11 PM, George Fletcher <gffletch at aol.com> wrote:

> >
> > Are you proposing to send images on unsigned requests from unknown
> > sources and have the OP dynamically include it in images shown to
> > end-users?
> Argh... yes, that is what I was suggesting but I forgot that OpenID RP
> requests are not signed. Not sure why they aren't signed if an
> association has been made... but as that's not part of the spec it's not
> a solution.
>
> I still believe this is an important feature, and was hoping to avoid
> out-of-band provisioning as that makes this feature OP specific and RPs
> may have to do different things to work with different OPs. But maybe
> that's the only solution right now :(
>
> Maybe the OpenID 2.1 WG could take on "signed RP authn requests" :)
> Could probably just leverage 2-legged OAuth with the consumer
> token:secret representing the RP.
>
> Thanks,
> George

Do you think a dynamic image is necessary for a popup that changes based on
a given context? Since it's a popup - it's sitting on top of the original
window anyway.

It would be great if we support exchanging a static (SSL) image URL during
association though - so it can be used similar to the way FBConnect presents
the information flow between OP and RP.


- Praveen