Is this "indirectness" a philosophy or just a description of the current state? It is not only me who wants to do artifact binding, and it is much simpler than doing both OpenID and OAuth.
=nat

On Fri, Aug 14, 2009 at 12:39 AM, Andrew Arnott <[email protected]> wrote:

> OpenID extensions must be carried by indirect messages (through the
> browser). If you're looking for ways for server-to-server communication to
> get attributes, I suggest you look at OAuth. Specifically perhaps the
> OpenID+OAuth extension, which could enable the RP to send the request
> directly to the OP for these large payloads you're talking about.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> On Thu, Aug 13, 2009 at 8:03 AM, Nat Sakimura <[email protected]> wrote:
>
>> Hmmm. So, there is no way we can do direct communication in an extension?
>> What I want to do is to send the large payload directly between the
>> servers and move only the reference through OpenID Authn request and
>> response so that
>>
>> 1) mobile clients will not choke.
>> 2) is going to be more secure.
>>
>> In AX, there is a notion of update_url, but is that also used only for
>> indirect communication through browser?
>>
>> I feel that it is extremely limiting if we cannot do the server to server
>> communication.
>>
>> If that is not a possibility, then I should probably do the server to
>> server portion elsewhere, and just do the reference/artifact moving through
>> OpenID AuthN, but that sounds like OpenID strangling itself.
>>
>> =nat
>>
>> On Thu, Aug 13, 2009 at 11:01 PM, James Henstridge <[email protected]> wrote:
>>
>>> On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura <[email protected]> wrote:
>>> > I blogged about the subject here:
>>> > http://www.sakimura.org/en/modules/wordpress/index.php?p=91
>>> >
>>> > What would be the consensus here?
>>>
>>> My reading of the spec (and what I believe is the author's intent) is
>>> that OpenID extensions do indeed piggyback on an authentication
>>> request. The note about including the extension's type URI in XRDS is
>>> a way that an OpenID provider can advertise support for the extension.
>>>
>>> Note that in OpenID 2.0, sending openid.identifier in an
>>> authentication request is optional. So you could potentially use an
>>> extension without actually authenticating as a particular user. From
>>> section 9.1:
>>>
>>> """
>>> "openid.claimed_id" and "openid.identity" SHALL be either both present
>>> or both absent. If neither value is present, the assertion is not
>>> about an identifier, and will contain other information in its
>>> payload, using extensions (Extensions).
>>> """
>>>
>>> James.
>>>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>>
>> _______________________________________________
>> specs mailing list
>> [email protected]
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
