Hmmm. So, there is no way we can do direct communication in an extension?

What I want to do is to send the large payload directly between the servers and move only the reference through OpenID Authn request and response so that

1) mobile clients will not choke.
2) it is going to be more secure.

In AX, there is a notion of update_url, but is that also used only for indirect communication through browser?

I feel that it is extremely limiting if we cannot do the server to server communication. If that is not a possibility, then I should probably do the server to server portion elsewhere, and just do the reference/artifact moving through OpenID AuthN, but that sounds like OpenID strangling itself.

=nat

On Thu, Aug 13, 2009 at 11:01 PM, James Henstridge <[email protected]> wrote:

> On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura<[email protected]> wrote:
> > I blogged about the subject here:
> > http://www.sakimura.org/en/modules/wordpress/index.php?p=91
> >
> > What would be the consensus here?
>
> My reading of the spec (and what I believe is the author's intent) is
> that OpenID extensions do indeed piggyback on an authentication
> request. The note about including the extension's type URI in XRDS is
> a way that an OpenID provider can advertise support for the extension.
>
> Note that in OpenID 2.0, sending openid.identifier in an
> authentication request is optional. So you could potentially use an
> extension without actually authenticating as a particular user. From
> section 9.1:
>
> """
> "openid.claimed_id" and "openid.identity" SHALL be either both present
> or both absent. If neither value is present, the assertion is not
> about an identifier, and will contain other information in its
> payload, using extensions (Extensions).
> """
>
> James.
>

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
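
The section 9.1 rule quoted in the thread, as a request check a provider could run before acting on an extension-only request. This is an added example, not part of the original message or of any OpenID library; the `art` extension, its type URI, the `openid.art.ref` parameter and all host names are hypothetical, and rejecting a request that has neither an identifier nor an extension is this example's own policy.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
AUTH_MODES = ("checkid_setup", "checkid_immediate")


def classify_auth_request(url):
    """Classify an OpenID 2.0 authentication request URL.

    Returns (kind, extensions): kind is "identifier" or "extension-only",
    extensions maps each declared extension alias to its type URI.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = dict(pairs)
    # OpenID 2.0 messages must not repeat a parameter name.
    if len(params) != len(pairs):
        raise ValueError("duplicate parameter name")
    if params.get("openid.ns") != OPENID2_NS:
        raise ValueError("not an OpenID 2.0 message")
    if params.get("openid.mode") not in AUTH_MODES:
        raise ValueError("not an authentication request")
    # Section 9.1: claimed_id and identity are both present or both absent.
    if ("openid.claimed_id" in params) != ("openid.identity" in params):
        raise ValueError("claimed_id and identity must appear together")
    prefix = "openid.ns."
    extensions = {k[len(prefix):]: v for k, v in params.items()
                  if k.startswith(prefix)}
    if "openid.claimed_id" in params:
        return "identifier", extensions
    # Example policy (assumption): no identifier means an extension must be declared.
    if not extensions:
        raise ValueError("no identifier and no extension payload")
    return "extension-only", extensions


def build_request(extra):
    """Build a constructed sample request URL for a hypothetical provider."""
    base = {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
            "openid.return_to": "https://rp.example.com/return"}
    return "https://op.example.com/auth?" + urlencode({**base, **extra})


# Constructed samples: a hypothetical extension that carries only a reference.
REF_EXT = {"openid.ns.art": "https://rp.example.com/ext/artifact/1.0",
           "openid.art.ref": "constructed-reference-123"}
USER = "https://user.example.com/"
EXT_ONLY = build_request(REF_EXT)
WITH_ID = build_request({**REF_EXT, "openid.claimed_id": USER,
                         "openid.identity": USER})
HALF = build_request({**REF_EXT, "openid.claimed_id": USER})
```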
