[step2] Re: OpenID Popup Extension - Draft 0

George Fletcher gffletch at aol.com
Mon Feb 16 21:28:23 UTC 2009


Praveen Alavilli wrote:
>
>
> On Mon, Feb 16, 2009 at 12:11 PM, George Fletcher <gffletch at aol.com 
> <mailto:gffletch at aol.com>> wrote:
>
>     >
>     > Are you proposing to send images on unsigned requests from unknown
>     > sources and have the OP dynamically include it in images show to
>     > end-users?
>     Argh... yes, that is what I was suggesting but I forgot that OpenID RP
>     requests are not signed. Not sure why they aren't signed if an
>     association has been made... but as that's not part of the spec
>     it's not
>     a solution.
>
>     I still believe this is an important feature, and was hoping to avoid
>     out-of-band provisioning as that makes this feature OP specific
>     and RP's
>     may have to do different things to work with different OPs. But maybe
>     that's the only solution right now:(
>
>     Maybe the OpenID 2.1 WG could take on "signed RP authn requests" :)
>     Could probably just leverage 2-legged OAuth with the consumer
>     token:secret representing the RP.
>
>     Thanks,
>     George
>
> Do you think a dynamic image is necessary for a popup that changes 
> based on a given context ? Since it's a popup - it's sitting on top of 
> the original window anyway.
No, I was thinking more "static to the RP". So your "static (ssl) image 
url" would work fine.
>  
> It would be great if we support exchanging a static (ssl) image url 
> during association though - so it can be used similar to the way 
> FBConnect presents the information flow between OP and RP.
I think we could make something work with associations in the short term 
(though my preference would be something like Allen's suggestion of 
using OAuth signatures and Consumer Keys), but I'm not sure they're 
optimal for this going forward.

Thanks,
George
>  
>  
> - Praveen
>  
>
> --~--~---------~--~----~------------~-------~--~----~
> You received this message because you are subscribed to the Google 
> Groups "Step2" group.
> To post to this group, send email to step2 at googlegroups.com
> To unsubscribe from this group, send email to 
> step2+unsubscribe at googlegroups.com
> For more options, visit this group at 
> http://groups.google.com/group/step2?hl=en
> -~----------~----~----~----~------~----~------~--~---
>



More information about the user-experience mailing list