auth response: openid.identity optional, but must be signed

Johnny Bufu johnny at
Thu Aug 31 19:45:40 UTC 2006


I am reading the OpenID specs, and at section "9.1 Positive  
Assertions" there is:


Value: (optional) The Identifier about which the IdP is making a  
positive authentication assertion.

Note: The Identifier MAY be omitted if an extension is in use that  
makes the response meaningful without it.



Value: Comma-separated list of signed fields.

Note: Fields without the "openid." prefix that the signature covers.  
This list MUST contain at least "identity", "return_to", and "nonce".  
For example, "identity,return_to,nonce".

If the identity field is optional, how should it be signed? Should it  
be attached to the string to be signed with null value, even when it  
is not part of the response?
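The conflict raised in the message above, as an added example that is not part of the original post or of any OpenID library: a strict relying-party check fails both when the identity is omitted but still listed as signed, and when it is omitted and dropped from the list. Assumptions: the signature base is the OpenID Authentication 1.1 key-value form ("name:value\n" per signed field) with HMAC-SHA1; the function names, the key and the sample responses are constructed for illustration; rejecting on any list problem is this example's choice, not the draft's answer.

```python
import base64, hashlib, hmac

# Minimum signed list quoted from the draft in the post above.
REQUIRED_SIGNED = ("identity", "return_to", "nonce")

def check_signed_list(resp):
    """Return the problems a strict relying party would find in openid.signed."""
    signed = [f for f in resp.get("openid.signed", "").split(",") if f]
    problems = [f"required field {f!r} not in openid.signed"
                for f in REQUIRED_SIGNED if f not in signed]
    problems += [f"signed field {f!r} absent from response"
                 for f in signed if "openid." + f not in resp]
    return problems

def signature_base(resp):
    """Key-value form ("name:value\\n") of the signed fields, in listed order."""
    signed = resp["openid.signed"].split(",")
    return "".join(f"{f}:{resp['openid.' + f]}\n" for f in signed).encode()

def sign(resp, mac_key):
    mac = hmac.new(mac_key, signature_base(resp), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify(resp, mac_key):
    # Strict choice made by this example: any list problem fails verification.
    if check_signed_list(resp):
        return False
    return hmac.compare_digest(sign(resp, mac_key), resp.get("openid.sig", ""))

# Constructed sample data (not from the post).
KEY = b"constructed-association-secret"
FULL = {"openid.identity": "http://user.example/",
        "openid.return_to": "http://rp.example/return",
        "openid.nonce": "constructed-nonce-1",
        "openid.signed": "identity,return_to,nonce"}
FULL["openid.sig"] = sign(FULL, KEY)

# Identity omitted, list unchanged: the list names a field that is not there.
LISTED = {k: v for k, v in FULL.items() if k != "openid.identity"}
# Identity omitted and dropped from the list: the quoted MUST is violated.
DROPPED = {**LISTED, "openid.signed": "return_to,nonce"}

if __name__ == "__main__":
    for name, resp in (("full", FULL), ("listed", LISTED), ("dropped", DROPPED)):
        print(name, check_signed_list(resp), verify(resp, KEY))
```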

