OpenID extensions must be carried by indirect messages (through the browser). If you're looking for ways for server-to-server communication to get attributes, I suggest you look at OAuth. Specifically perhaps the OpenID+OAuth extension, which could enable the RP to send the request directly to the OP for these large payloads you're talking about. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
On Thu, Aug 13, 2009 at 8:03 AM, Nat Sakimura <[email protected]> wrote: > Hmmm. So, there is no way we can do direct communication in an extension? What > I want to do is to send the large payload directly between the servers and > move only the reference through OpenID Authn request and response so that > > 1) mobile clients will not choke. > 2) is going to be more secure. > > In AX, there is a notion of update_url, but is that also used only for > indirect communication through browser? > > I feel that it is extremely limiting if we cannot do the server to server > communication. > > If that is not a possibility, then I should probably do the server to > server portion elsewhere, and just do the reference/artifact moving through > OpenID AuthN, but that sounds like OpenID strangling itself. > > =nat > > On Thu, Aug 13, 2009 at 11:01 PM, James Henstridge <[email protected]>wrote: > >> On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura<[email protected]> wrote: >> > I blogged bout the subject here: >> > http://www.sakimura.org/en/modules/wordpress/index.php?p=91 >> > >> > What would be the consensus here? >> >> My reading of the spec (and what I believe is the author's intent) is >> that OpenID extensions do indeed piggyback on an authentication >> request. The note about including the extension's type URI in XRDS is >> a way that an OpenID provider can advertise support for the extension. >> >> Note that in OpenID 2.0, sending openid.identifier in an >> authentication request is optional. So you could potentially use an >> extension without actually authenticating as a particular user. From >> section 9.1: >> >> """ >> "openid.claimed_id" and "openid.identity" SHALL be either both present >> or both absent. If neither value is present, the assertion is not >> about an identifier, and will contain other information in its >> payload, using extensions (Extensions). >> """ >> >> James. >> > > > > -- > Nat Sakimura (=nat) > http://www.sakimura.org/en/ > > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs > >
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
