I'll just add that it turns out there are interesting scenarios for extensions w/o openid.identity, such as verifying membership in an organization by asking a *trusted* OP for an attribute via AX.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Thu, Aug 13, 2009 at 7:01 AM, James Henstridge <[email protected]> wrote:

> On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura<[email protected]> wrote:
> > I blogged about the subject here:
> > http://www.sakimura.org/en/modules/wordpress/index.php?p=91
> >
> > What would be the consensus here?
>
> My reading of the spec (and what I believe is the author's intent) is
> that OpenID extensions do indeed piggyback on an authentication
> request. The note about including the extension's type URI in XRDS is
> a way that an OpenID provider can advertise support for the extension.
>
> Note that in OpenID 2.0, sending openid.identifier in an
> authentication request is optional. So you could potentially use an
> extension without actually authenticating as a particular user. From
> section 9.1:
>
> """
> "openid.claimed_id" and "openid.identity" SHALL be either both present
> or both absent. If neither value is present, the assertion is not
> about an identifier, and will contain other information in its
> payload, using extensions (Extensions).
> """
>
> James.
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
>
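The rule quoted from section 9.1 and the trusted-OP condition raised in the reply can be checked together on the relying-party side. The following is an added example, not part of the original thread or of any OpenID library: it classifies a positive assertion as identifier-based or extension-only and accepts an identifier-less one only from an allowlisted OP endpoint. The endpoint URLs, the allowlist and the sample messages are constructed, and signature, nonce and return_to verification are assumed to have happened already.

```python
from urllib.parse import parse_qsl, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
# Hypothetical allowlist of OP endpoints this relying party trusts for attributes.
TRUSTED_OPS = {"https://op.example.org/openid"}

def extension_namespaces(params):
    """Map extension alias -> type URI, taken from openid.ns.<alias> keys."""
    prefix = "openid.ns."
    return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}

def classify_assertion(query, trusted_ops=TRUSTED_OPS):
    """Return 'identifier' or 'extension-only'; raise ValueError otherwise.

    Assumption: signature, nonce and return_to were verified before this call.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("openid.ns") != OPENID2_NS:
        raise ValueError("not an OpenID 2.0 message")
    has_claimed = "openid.claimed_id" in params
    has_identity = "openid.identity" in params
    if has_claimed != has_identity:
        raise ValueError("claimed_id and identity must be both present or both absent")
    if has_claimed:
        return "identifier"
    if not extension_namespaces(params):
        raise ValueError("no identifier and no extension payload")
    if params.get("openid.op_endpoint") not in trusted_ops:
        raise ValueError("identifier-less assertion from an untrusted OP")
    return "extension-only"

def verdict(query):
    """Classification, or the rejection reason, as a string."""
    try:
        return classify_assertion(query)
    except ValueError as exc:
        return "rejected: " + str(exc)

# Constructed sample assertions (not captured traffic).
BASE = {"openid.ns": OPENID2_NS, "openid.mode": "id_res", "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response"}
AX_ONLY = urlencode({**BASE, "openid.op_endpoint": "https://op.example.org/openid"})
AX_UNTRUSTED = urlencode({**BASE, "openid.op_endpoint": "https://other.example.net/op"})
HALF_ID = urlencode({**BASE, "openid.identity": "https://alice.example.org/"})

if __name__ == "__main__":
    for name, q in [("AX_ONLY", AX_ONLY), ("AX_UNTRUSTED", AX_UNTRUSTED), ("HALF_ID", HALF_ID)]:
        print(name, "->", verdict(q))
```

Because an identifier-less assertion carries no claimed identifier to run discovery against, the allowlist is what ties the attribute to an OP the relying party has chosen to trust.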
