auth response: openid.identity optional, but must be signed
Johnny Bufu
johnny at sxip.com
Thu Aug 31 19:45:40 UTC 2006
Hi,
I am reading the OpenID specs, and at section "9.1 Positive
Assertions" there is:
------------
openid.identity
Value: (optional) The Identifier about which the IdP is making a
positive authentication assertion.
Note: The Identifier MAY be omitted if an extension is in use that
makes the response meaningful without it.
[...]
openid.signed
Value: Comma-separated list of signed fields.
Note: Fields without the "openid." prefix that the signature covers.
This list MUST contain at least "identity", "return_to", and "nonce".
For example, "identity,return_to,nonce".
------------
If the identity field is optional, how should it be signed? Should it
be attached to the string to be signed with null value, even when it
is not part of the response?
Thanks,
Johnny
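
The ambiguity raised in the message above, as an added example that is not part of the original post or of any OpenID library: it assumes the signature is an HMAC-SHA1 over the `key:value\n` key-value form of the fields named in openid.signed, with keys written without the "openid." prefix. The secret, the response values and the `absent` parameter are constructed for illustration, and the code does not say which reading the specification intends.

```python
import base64
import hashlib
import hmac

REQUIRED_SIGNED = ("identity", "return_to", "nonce")  # from the quoted section 9.1 text

def kv_form(pairs):
    # Key-value form assumed here: one "key:value\n" line per signed field.
    return "".join(f"{k}:{v}\n" for k, v in pairs).encode("utf-8")

def sign(secret, response, absent="reject"):
    """HMAC-SHA1 over the fields named in openid.signed, in listed order.

    absent="reject": refuse to sign when a listed field is not in the response
    absent="empty":  sign the missing field with an empty value
    absent="skip":   leave the missing field out of the signed string
    """
    pairs = []
    for name in response["openid.signed"].split(","):
        key = "openid." + name
        if key in response:
            pairs.append((name, response[key]))
        elif absent == "empty":
            pairs.append((name, ""))
        elif absent == "reject":
            raise ValueError(f"listed in openid.signed but absent: {key}")
    mac = hmac.new(secret, kv_form(pairs), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def missing_required(response):
    # Relying-party check: which mandatory names are not in openid.signed?
    signed = response.get("openid.signed", "").split(",")
    return [name for name in REQUIRED_SIGNED if name not in signed]

# Constructed sample response with no openid.identity (values are made up).
SECRET = b"constructed-shared-secret"
RESPONSE = {
    "openid.return_to": "https://rp.example/return",
    "openid.nonce": "constructed-nonce-0001",
    "openid.signed": "identity,return_to,nonce",
}

if __name__ == "__main__":
    print("empty:", sign(SECRET, RESPONSE, "empty"))
    print("skip: ", sign(SECRET, RESPONSE, "skip"))
    print("missing from signed list:", missing_required(RESPONSE))
```

The two lenient readings produce different signatures for the same response, so both parties must apply the same one; under "skip" the signed string is identical to the one for a signed list of "return_to,nonce".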