Subject: [Fwd: Re: OpenID Mobile Profile?]
FYI, the OpenID folks are contemplating an artifact mechanism to deal with mobile client limitations.
The design proposed below treats the request and response messages asymmetrically, seemingly optimized for 'RP behind firewall' ....
-------- Original Message --------
Now, as to the mobile/artifact mode, I kind of feel that it probably is better to establish a second channel.
So, the flow is like:
1. RP constructs a request string as usual (including ones for the various extensions -- which means it could be fairly long.)
2. RP posts this to the OP's artifact mode endpoint published in OP's XRD.
3. OP issues a nonce as an "artifact" or "ticket".
4. RP redirects the browser with this artifact.
5. OP, receiving this artifact, reconstructs the OpenID message from the post received in step 2 above.
6. Credential presentation etc. happens as usual, and OP verifies the user's identity.
7. OP creates a positive response and stores it with the artifact as the key.
8. OP redirects the browser with the artifact to the RP.
9. RP fetches the response created in 7. and examines it to authorize the access.
The nice thing about this is that it probably is going to be a very small code addition to the current libraries.
The difference between this flow and the SAML artifact binding is that in the case of SAML, the artifact/ticket is created by the RP and the OP goes and fetches the request from the RP. I chose this design because the RP can be inside the firewall while the OP is on the internet, which is a more likely use case for OpenID.
On Sat, Jan 31, 2009 at 3:21 AM, Johannes Ernst <email@example.com> wrote:
Nat Sakimura (=nat)
_______________________________________________ specs mailing list firstname.lastname@example.org http://openid.net/mailman/listinfo/specs