The User-Agent field does not have the right semantics. I hope that field could
be used, for instance, to notice which Relying Parties are using a particular
version of Janrain’s Java library for OpenID. It is probably reasonable for
Bloglines, Google etc to identify themselves in the
On 17/10/2007, Manger, James H [EMAIL PROTECTED] wrote:
Other solutions:
OPs can offer different authentication mechanisms based on the
openid.return_to or openid.realm parameter in an authentication request.
However, the user has less flexibility when they have to relying on OPs.
If the
I have a few more questions about the update_url feature of OpenID
attribute exchange that I feel could do with answers in the
specification.
For the questions, imagine an OpenID RP with the following properties:
1. The RP provides a unified login/signup workflow, so that if a user
signs in with
On 16-Oct-07, at 7:58 PM, Manger, James H wrote:
Use case: Alice wants to use different OPs for different RPs, while
keeping the same URL (eg http://alice.example.net/). For instance,
when logging into a service hosting her backups she wants to use an
OP that requires a one-time
Hi James,
On 17-Oct-07, at 2:42 AM, James Henstridge wrote:
I have a few more questions about the update_url feature of OpenID
attribute exchange that I feel could do with answers in the
specification.
For the questions, imagine an OpenID RP with the following properties:
1. The RP
On 17-Oct-07, at 2:42 AM, James Henstridge wrote:
The next question is how much information from the original OpenID
authentication request/response can the RP expect to be included in
the subsequent update responses.
Attribute Exchange is an OpenID extension, so a full/valid/positive
On 17-Oct-07, at 2:42 AM, James Henstridge wrote:
The next one is not so much a question as an observation: As an
identity URL may change its delegation over time (possibly without the
underlying OP's knowledge), it is possible that an RP will receive
updates from an OP that is not
PAPE may be another approach (to support per-user per-RP login policies). It
certainly will not always be “cleaner”. It is not a reason against enabling a
discovery-based approach.
This PAPE suggestion requires the RP and OP to implement what the user wants. A
discovery-based approach only
My understanding is that we need to get the IPR process finalized,
then cross all the t's and dot the i's from the intellectual property
perspective for the 2.0 spec(s), and then declare 2.0 to be final.
Would be too embarrassing if we declared a spec final and then
discovered that it did