That requesting data portion cannot be in OpenID Extension, or can it? Please have a look at http://docs.google.com/View?id=dhsz4ffx_84g7wr99g3 that I am working on right now for CX, especially section 4. It probably is a stretch, but I believe it is sensible. It is using AX in both direct and indirect communication. The direct communication portion is not quite compliant with the AX spec, but I am trying to reuse as much as I can.
=nat

On Fri, Aug 14, 2009 at 12:04 AM, Dick Hardt <[email protected]> wrote:

> In AX you can define any attribute you want. The attribute could be a URL
> that enables one site to request the data directly.
>
> ------------------------------
> *From:* [email protected] [[email protected]] on behalf of Nat Sakimura [[email protected]]
> *Sent:* Thursday, August 13, 2009 8:03 AM
> *To:* James Henstridge
> *Cc:* OpenID Specs Mailing List
> *Subject:* Re: So, what is an OpenID Extension?
>
> Hmmm. So, there is no way we can do direct communication in an
> extension? What I want to do is to send the large payload directly
> between the servers and move only the reference through OpenID Authn request
> and response so that
>
> 1) mobile clients will not choke.
> 2) is going to be more secure.
>
> In AX, there is a notion of update_url, but is that also used only for
> indirect communication through browser?
>
> I feel that it is extremely limiting if we cannot do the server to server
> communication.
>
> If that is not a possibility, then I should probably do the server to
> server portion elsewhere, and just do the reference/artifact moving through
> OpenID AuthN, but that sounds like OpenID strangling itself.
>
> =nat
>
> On Thu, Aug 13, 2009 at 11:01 PM, James Henstridge <[email protected]> wrote:
>
>> On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura <[email protected]> wrote:
>> > I blogged about the subject here:
>> > http://www.sakimura.org/en/modules/wordpress/index.php?p=91
>> >
>> > What would be the consensus here?
>>
>> My reading of the spec (and what I believe is the author's intent) is
>> that OpenID extensions do indeed piggyback on an authentication
>> request. The note about including the extension's type URI in XRDS is
>> a way that an OpenID provider can advertise support for the extension.
>>
>> Note that in OpenID 2.0, sending openid.identifier in an
>> authentication request is optional. So you could potentially use an
>> extension without actually authenticating as a particular user. From
>> section 9.1:
>>
>> """
>> "openid.claimed_id" and "openid.identity" SHALL be either both present
>> or both absent. If neither value is present, the assertion is not
>> about an identifier, and will contain other information in its
>> payload, using extensions (Extensions).
>> """
>>
>> James.
>>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
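The section 9.1 rule quoted in the thread, together with the `openid.ns.<alias>` extension declaration used by AX, sketched as an added example that is not part of the original messages or of any OpenID library. The `rp.example` and `user.example` URLs and the `document_url` attribute type are constructed for illustration; the attribute stands in for the "URL that enables one site to request the data directly" mentioned above.

```python
from urllib.parse import parse_qsl, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"  # Attribute Exchange 1.0 type URI


def classify_auth_message(query):
    """Apply the section 9.1 rule to an OpenID 2.0 message and list its extensions."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("openid.ns") != OPENID2_NS:
        raise ValueError("not an OpenID 2.0 message")

    has_claimed = "openid.claimed_id" in params
    has_identity = "openid.identity" in params
    if has_claimed != has_identity:
        raise ValueError("openid.claimed_id and openid.identity must be "
                         "both present or both absent")

    # Each extension is declared as openid.ns.<alias>=<type URI>.
    extensions = {
        key[len("openid.ns."):]: {"type_uri": value, "args": {}}
        for key, value in params.items() if key.startswith("openid.ns.")
    }
    # Its arguments travel as openid.<alias>.<name>=<value>.
    for key, value in params.items():
        if not key.startswith("openid."):
            continue
        alias, sep, name = key[len("openid."):].partition(".")
        if sep and alias in extensions:
            extensions[alias]["args"][name] = value

    return {"about_identifier": has_claimed, "extensions": extensions}


# Constructed sample: an identifier-less request that carries only an AX fetch.
SAMPLE = urlencode({
    "openid.ns": OPENID2_NS,
    "openid.mode": "checkid_setup",
    "openid.return_to": "https://rp.example/return",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_request",
    "openid.ax.type.doc": "https://rp.example/schema/document_url",  # hypothetical attribute
    "openid.ax.required": "doc",
})
# Constructed malformed message: identity without claimed_id.
MALFORMED = urlencode({"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
                       "openid.identity": "https://user.example/"})

if __name__ == "__main__":
    print(classify_auth_message(SAMPLE))
```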
