[OpenID] OpenID SREG best practice question
George Fletcher
gffletch at aol.com
Wed Nov 12 08:20:13 PST 2008
Hi,
I've been re-reading the SREG spec and I'm unsure as to the best/correct
behavior in the case that an RP asks for SREG data that the user has
already provided/consented to in the past. I see at least 3 options:
1. Should the OP (which knows the user gave consent for the requested
fields) just not return them (on the principle that the fewer times
"PII" flows over the wire, the more the user's privacy is protected)?
2. Should the OP silently (meaning no UI message relating to SREG)
return the requested data if the user has given consent in the past (on
the principle that the user gave consent in the past, so this data can be
returned without asking the user again)?
3. Should the OP always ask the user what to do, but default the data
that is sent based on the previous consent? This adds a UI page to every
OpenID authentication that requests SREG data.
Has anyone else worked through these issues? Any best practices to follow?
Thanks,
George
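The three OP behaviors above, modelled as an added example (not code from the thread or from any OpenID library): it parses the SREG request parameters openid.sreg.required / openid.sreg.optional, compares them with a per-realm record of what the user approved before, and reports what to send and whether a consent page is needed. The consent store, profile layout and realm value are constructed assumptions, as is the choice that options 1 and 2 still prompt for fields the user has never approved.

```python
from enum import Enum

# The nine user attributes the SREG extension defines.
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")


class Policy(Enum):
    WITHHOLD_KNOWN = 1    # option 1: never re-send data this RP already received
    SILENT_REUSE = 2      # option 2: re-send previously consented fields, no UI
    PROMPT_DEFAULTED = 3  # option 3: always show the UI, pre-ticking prior consent


def parse_sreg_request(args):
    """Split openid.sreg.required / openid.sreg.optional (comma-separated),
    keeping only spec-defined fields and preserving request order."""
    def split(key):
        return [f for f in args.get(key, "").split(",") if f in SREG_FIELDS]
    return split("openid.sreg.required"), split("openid.sreg.optional")


def decide(args, realm, consent_store, profile, policy):
    """Return the openid.sreg.* values to send, whether a consent page is
    needed, and which fields that page should pre-select. consent_store maps
    RP realm -> set of fields approved before (assumed layout, not a real OP's)."""
    required, optional = parse_sreg_request(args)
    requested = [f for f in required + optional if f in profile]
    prior = consent_store.get(realm, set())
    new_fields = [f for f in requested if f not in prior]
    if policy is Policy.WITHHOLD_KNOWN:
        # Previously delivered data stays off the wire; only new fields need UI.
        send, prompt, defaults = [], bool(new_fields), new_fields
    elif policy is Policy.SILENT_REUSE:
        send = [f for f in requested if f in prior]
        prompt, defaults = bool(new_fields), new_fields
    else:
        send, prompt, defaults = [], True, [f for f in requested if f in prior]
    return {"response": {"openid.sreg." + f: profile[f] for f in send},
            "prompt": prompt, "defaults": defaults,
            "missing_required": [f for f in required if f not in profile]}


if __name__ == "__main__":
    # Constructed sample: an RP that previously received email and country.
    args = {"openid.sreg.required": "email,nickname", "openid.sreg.optional": "country"}
    store = {"http://rp.example/": {"email", "country"}}
    profile = {"email": "a@example.org", "nickname": "al", "country": "US"}
    for policy in Policy:
        print(policy.name, decide(args, "http://rp.example/", store, profile, policy))
```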