[replying to myself]

On 10/07/07, James Henstridge <[EMAIL PROTECTED]> wrote:
> The only real constraint the authentication spec places on the RP is
> that it maintain the association for the duration of an OpenID
> authentication request.
> With unsolicited response though, there is no prior request that tells
> us the RP is holding a particular association _right now_.

I just realised another difference when working with unsolicited responses.

With a normal OpenID authentication request the RP picks an
association handle, so we know the RP believes it is valid.  However,
the OP can use a private association handle in the response if it
considers the handle from the request to be invalid.  So the OpenID
authentication spec does not seem to require either the RP or OP to
store an association for longer than ~ one request.

In contrast, if a previously established association is used in an
unsolicited response there doesn't seem to be any way the RP can tell
the OP that it has lost the handle.

Given that there doesn't seem to be any way to recover from this
situation, it seems like private associations are the only sane option
for unsolicited responses.

specs mailing list

Reply via email to