On 17-Oct-07, at 2:42 AM, James Henstridge wrote: > The next question is how much information from the original OpenID > authentication request/response can the RP expect to be included in > the subsequent update responses.
Attribute Exchange is an OpenID extension, so a full/valid/positive assertion must be sent each time with an attribute exchange response. > If the original request was for > openid.claimed_id=http://www.jamesh.id.au/ and > openid.identity=http://example.com/jamesh, will those values be > included in future updates responses? Being an extension, it is assumed that the RP has completed successfully the OpenID verification and has identified the user by the claimed_id in the positive assertion. Therefore the RP has identified the correct user when it is processing the AX fetch response sent to an update_url. > Looking at it from the other side, an OP implementer would want to > know how much information from the request needs to be stored in order > to satisfy future update responses. I believe this is specified already: "If present, the OpenID Provider may re-post the fetch response message to the specified URL at some time after the initial response has been sent, using a OpenID Authentication Positive Assertion." Johnny _______________________________________________ specs mailing list email@example.com http://openid.net/mailman/listinfo/specs