On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura<[email protected]> wrote: > I blogged bout the subject here: > http://www.sakimura.org/en/modules/wordpress/index.php?p=91 > > What would be the consensus here?
My reading of the spec (and what I believe is the author's intent) is that OpenID extensions do indeed piggyback on an authentication request. The note about including the extension's type URI in XRDS is a way that an OpenID provider can advertise support for the extension. Note that in OpenID 2.0, sending openid.identifier in an authentication request is optional. So you could potentially use an extension without actually authenticating as a particular user. From section 9.1: """ "openid.claimed_id" and "openid.identity" SHALL be either both present or both absent. If neither value is present, the assertion is not about an identifier, and will contain other information in its payload, using extensions (Extensions). """ James. _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
