On 17-Oct-07, at 2:42 AM, James Henstridge wrote:

> The next question is how much information from the original OpenID
> authentication request/response can the RP expect to be included in
> the subsequent update responses.

Attribute Exchange is an OpenID extension, so a full/valid/positive  
assertion must be sent each time with an attribute exchange response.

> If the original request was for
> openid.claimed_id=http://www.jamesh.id.au/ and
> openid.identity=http://example.com/jamesh, will those values be
> included in future updates responses?

Being an extension, it is assumed that the RP has completed  
successfully the OpenID verification and has identified the user by  
the claimed_id in the positive assertion.

Therefore the RP has identified the correct user when it is  
processing the AX fetch response sent to an update_url.

> Looking at it from the other side, an OP implementer would want to
> know how much information from the request needs to be stored in order
> to satisfy future update responses.

I believe this is specified already:

"If present, the OpenID Provider may re-post the fetch response  
message to the specified URL at some time after the initial response  
has been sent, using a OpenID Authentication Positive Assertion."


specs mailing list

Reply via email to