<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>Draft: OpenID Information Cards 1.0 - Draft 01</title>
<meta http-equiv="Expires" content="Fri, 10 Aug 2007 22:14:57 +0000">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="OpenID Information Cards 1.0 - Draft 01">
<meta name="generator" content="xml2rfc v1.31 (http://xml.resource.org/)">
<style type='text/css'><!--
        body {
                font-family: verdana, charcoal, helvetica, arial, sans-serif;
                font-size: small; color: #000; background-color: #FFF;
                margin: 2em;
        }
        h1, h2, h3, h4, h5, h6 {
                font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
                font-weight: bold; font-style: normal;
        }
        h1 { color: #900; background-color: transparent; text-align: right; }
        h3 { color: #333; background-color: transparent; }

        td.RFCbug {
                font-size: x-small; text-decoration: none;
                width: 30px; height: 30px; padding-top: 2px;
                text-align: justify; vertical-align: middle;
                background-color: #000;
        }
        td.RFCbug span.RFC {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: bold; color: #666;
        }
        td.RFCbug span.hotText {
                font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: normal; text-align: center; color: #FFF;
        }

        table.TOCbug { width: 30px; height: 15px; }
        td.TOCbug {
                text-align: center; width: 30px; height: 15px;
                color: #FFF; background-color: #900;
        }
        td.TOCbug a {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
                font-weight: bold; font-size: x-small; text-decoration: none;
                color: #FFF; background-color: transparent;
        }

        td.header {
                font-family: arial, helvetica, sans-serif; font-size: x-small;
                vertical-align: top; width: 33%;
                color: #FFF; background-color: #666;
        }
        td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
        td.author-text { font-size: x-small; }

        /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
        a.info {
                /* This is the key. */
                position: relative;
                z-index: 24;
                text-decoration: none;
        }
        a.info:hover {
                z-index: 25;
                color: #FFF; background-color: #900;
        }
        a.info span { display: none; }
        a.info:hover span.info {
                /* The span will display just on :hover state. */
                display: block;
                position: absolute;
                font-size: smaller;
                top: 2em; left: -5em; width: 15em;
                padding: 2px; border: 1px solid #333;
                color: #900; background-color: #EEE;
                text-align: left;
        }

        a { font-weight: bold; }
        a:link    { color: #900; background-color: transparent; }
        a:visited { color: #633; background-color: transparent; }
        a:active  { color: #633; background-color: transparent; }

        p { margin-left: 2em; margin-right: 2em; }
        p.copyright { font-size: x-small; }
        p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
        table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
        td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }

        ol.text { margin-left: 2em; margin-right: 2em; }
        ul.text { margin-left: 2em; margin-right: 2em; }
        li      { margin-left: 3em; }

        /* RFC-2629 <spanx>s and <artwork>s. */
        em     { font-style: italic; }
        strong { font-weight: bold; }
        dfn    { font-weight: bold; font-style: normal; }
        cite   { font-weight: normal; font-style: normal; }
        tt     { color: #036; }
        tt, pre, pre dfn, pre em, pre cite, pre span {
                font-family: "Courier New", Courier, monospace; font-size: small;
        }
        pre {
                text-align: left; padding: 4px;
                color: #000; background-color: #CCC;
        }
        pre dfn  { color: #900; }
        pre em   { color: #66F; background-color: #FFC; font-weight: normal; }
        pre .key { color: #33C; font-weight: bold; }
        pre .id  { color: #900; }
        pre .str { color: #000; background-color: #CFF; }
        pre .val { color: #066; }
        pre .rep { color: #909; }
        pre .oth { color: #000; background-color: #FCF; }
        pre .err { background-color: #FCC; }

        /* RFC-2629 <texttable>s. */
        table.full, table.headers, table.none {
                font-size: small; text-align: center; border-width: 2px;
                vertical-align: top; border-collapse: collapse;
        }
        table.full { border-style: solid; border-color: black; }
        table.headers, table.none { border-style: none; }
        th {
                font-weight: bold; border-color: black;
                border-width: 2px 2px 3px 2px;
        }
        table.full th { border-style: solid; }
        table.headers th { border-style: none none solid none; }
        table.none th { border-style: none; }
        table.full td {
                border-style: solid; border-color: #333;
                border-width: 1px 2px;
        }
        table.headers td, table.none td { border-style: none; }

        hr { height: 1px; }
        hr.insert {
                width: 80%; border-style: none; border-width: 0;
                color: #CCC; background-color: #CCC;
        }
--></style>
</head>
<body>
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<table summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><tr><td><table summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<tr><td class="header">Draft</td><td class="header">D. Hardt</td></tr>
<tr><td class="header">&nbsp;</td><td class="header">J. Bufu</td></tr>
<tr><td class="header">&nbsp;</td><td class="header">Sxip Identity</td></tr>
<tr><td class="header">&nbsp;</td><td class="header">August 10, 2007</td></tr>
</table></td></tr></table>
<h1><br />OpenID Information Cards 1.0 - Draft 01</h1>

<h3>Abstract</h3>

<p>
        This document defines a method of performing OpenID
        Authentication using Information Cards for transferring
        OpenID claims from an Information Card-enabled OpenID Provider
        to an Information Card-enabled OpenID Relying Party.
      
</p><a name="toc"></a><br /><hr />
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>&nbsp;
Terminology<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#anchor2">1.1.</a>&nbsp;
Definitions and Conventions<br />
<a href="#anchor3">2.</a>&nbsp;
Protocol Flow<br />
<a href="#requirements">3.</a>&nbsp;
Requirements<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#rp-requirements">3.1.</a>&nbsp;
Relying Party<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#op-requirements">3.2.</a>&nbsp;
Information Card-Enabled OpenID Provider<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#infocard-selector">3.3.</a>&nbsp;
Information Card Selector<br />
<a href="#anchor4">4.</a>&nbsp;
Information Model<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#openid-infocard">4.1.</a>&nbsp;
OpenID Information Cards<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#infocard-invocation">4.2.</a>&nbsp;
Identity Selector Invocation<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#openid-object">4.2.1.</a>&nbsp;
The Information Card OBJECT Element<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#xhtml-syntax">4.2.2.</a>&nbsp;
XHTML Information Card Syntax<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#openid-token">4.3.</a>&nbsp;
OpenID Tokens<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#openid-token-types">4.3.1.</a>&nbsp;
OpenID Token Types<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#openid-token-reference">4.3.2.</a>&nbsp;
OpenID Token References<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#openid-token-example">4.3.3.</a>&nbsp;
OpenID Token Example<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#openid-token-schema">4.3.4.</a>&nbsp;
OpenIDToken Schema<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#openid-claim">4.4.</a>&nbsp;
OpenID Identifier Claim Type<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#attribute-claims">4.5.</a>&nbsp;
Attribute Claims<br />
<a href="#examples">5.</a>&nbsp;
Protocol Flow Example Messages<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#object-example">5.1.</a>&nbsp;
Relying Party Requests Authentication With an OpenID Information Card<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#rst-example">5.2.</a>&nbsp;
Request Security Token Example<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#rstr-example">5.3.</a>&nbsp;
Request Security Token Response Example<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#xmltoken-example">5.4.</a>&nbsp;
XMLToken Example<br />
<a href="#anchor5">6.</a>&nbsp;
Security Considerations<br />
<a href="#anchor6">7.</a>&nbsp;
Acknowledgements<br />
<a href="#rfc.references1">8.</a>&nbsp;
Normative References<br />
<a href="#rfc.authors">&#167;</a>&nbsp;
Authors' Addresses<br />
</p>
<br clear="all" />

<a name="anchor1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.1"></a><h3>1.&nbsp;
Terminology</h3>

<p>
        The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
        NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
        "OPTIONAL" in this document are to be interpreted as described
        in <a class='info' href='#RFC2119'>[RFC2119]<span> (</span><span class='info'>Bradner, S., &ldquo;Key words for use in RFCs to Indicate Requirement Levels,&rdquo; March&nbsp;1997.</span><span>)</span></a>.
      
</p>
<a name="anchor2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.1.1"></a><h3>1.1.&nbsp;
Definitions and Conventions</h3>

<p>
          </p>
<blockquote class="text"><dl>
<dt>User:</dt>
<dd>
              Also referred to as "End User". A person with a digital
              identity who participates in OpenID-based identity
              information exchanges using their client software.
            
</dd>
<dt>Information Card Identity Selector</dt>
<dd>
              Also called "Identity Selector". The client software used
              by the user to perform identity selection based on
              Information Cards. See <a class='info' href='#infocard.reference-1.0'>[infocard.reference&#8209;1.0]<span> (</span><span class='info'>Nanda, A., &ldquo;Identity Selector Interoperability Profile V1.0,&rdquo; April&nbsp;2007.</span><span>)</span></a>.
            
</dd>
<dt>OpenID Provider:</dt>
<dd>
              Also called "OP". An OpenID Authentication server on
              which a Relying Party relies for an assertion
              that the end user controls an Identifier. See
              <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication&#8209;2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007.</span><span>)</span></a>.
            
</dd>
<dt>Relying Party:</dt>
<dd>
              Also called "RP". A Web application that wants proof that
              the end user controls an Identifier, and requests identity
              data associated with the end user.
              See <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication&#8209;2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007.</span><span>)</span></a>.
            
</dd>
<dt>Security Token</dt>
<dd>
              Also called "token". A statement, typically signed,
              carrying claims about a user. A token is used in the
              payload of the messages sent to a Relying Party to
              transfer claims about a user.
              See <a class='info' href='#infocard.reference-1.0'>[infocard.reference&#8209;1.0]<span> (</span><span class='info'>Nanda, A., &ldquo;Identity Selector Interoperability Profile V1.0,&rdquo; April&nbsp;2007.</span><span>)</span></a>.
            
</dd>
<dt>Security Token Service</dt>
<dd>
              Also called "STS". A server endpoint that can issue
              tokens. See <a class='info' href='#infocard.reference-1.0'>[infocard.reference&#8209;1.0]<span> (</span><span class='info'>Nanda, A., &ldquo;Identity Selector Interoperability Profile V1.0,&rdquo; April&nbsp;2007.</span><span>)</span></a>.
            
</dd>
<dt>Request Security Token</dt>
<dd>
              Also called "RST". A message through which an Identity
              Selector requests a token from an STS endpoint.
              See <a class='info' href='#infocard.reference-1.0'>[infocard.reference&#8209;1.0]<span> (</span><span class='info'>Nanda, A., &ldquo;Identity Selector Interoperability Profile V1.0,&rdquo; April&nbsp;2007.</span><span>)</span></a>.
            
</dd>
<dt>Request Security Token Response</dt>
<dd>
              Also called "RSTR". A response message sent from an STS
              endpoint to an Identity Selector, containing a token.
              See <a class='info' href='#infocard.reference-1.0'>[infocard.reference&#8209;1.0]<span> (</span><span class='info'>Nanda, A., &ldquo;Identity Selector Interoperability Profile V1.0,&rdquo; April&nbsp;2007.</span><span>)</span></a>.
            
</dd>
</dl></blockquote><p>
        
</p>
<p>
          Throughout this document references to
          <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication&#8209;2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007.</span><span>)</span></a> also apply to
          <a class='info' href='#OpenID.authentication-1.1'>[OpenID.authentication&#8209;1.1]<span> (</span><span class='info'>Recordon, D. and B. Fitzpatrick, &ldquo;OpenID Authentication 1.1,&rdquo; May&nbsp;2006.</span><span>)</span></a> unless explicitly
          noted otherwise.
        
</p>
<a name="anchor3"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.2"></a><h3>2.&nbsp;
Protocol Flow</h3>

<p>
        </p>
<ol class="text">
<li>
            User acquires an OpenID Information Card from their
            Information Card-enabled OP.
          
</li>
<li>
            User browses to an OpenID RP.
          
</li>
<li>
            User invokes an element on the page to send an OpenID token
            to the Relying Party.
          
</li>
<li>
            Identity Selector detects the "application/x-informationCard"
            &lt;OBJECT&gt; element on the RP's login page, requesting an
            OpenID token.
          
</li>
<li>
            User selects an OpenID Information Card to use.
          
</li>
<li>
            Identity Selector sends a Request Security Token (RST) to the
            Security Token Service (STS) endpoint of the OP that issued the
            card.
          
</li>
<li>
            OP issues an OpenID Authentication Response, encodes that
            response in an OpenID token, and encapsulates the token
            in a Request Security Token Response (RSTR). 
          
</li>
<li>
            OP returns the RSTR to the Identity Selector.
          
</li>
<li>
            Identity Selector POSTs the response back to the RP.
          
</li>
<li>
            RP extracts the OpenID Authentication response from the OpenID
            token and returns to the normal OpenID verification flow as
            specified by <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication&#8209;2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007.</span><span>)</span></a>.
            In particular, the signature must be verified
            with a direct call to the OpenID Provider.
          
</li>
</ol><p>
      
</p>
<a name="requirements"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.3"></a><h3>3.&nbsp;
Requirements</h3>

<p>
        This section describes what is needed on top of an OpenID
        implementation for OpenID Information Cards support.
      
</p>
<a name="rp-requirements"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.3.1"></a><h3>3.1.&nbsp;
Relying Party</h3>

<p>
          In order to support OpenID Information Cards, Relying Parties MUST:
          </p>
<blockquote class="text">
<p>
              Request an OpenID token, by invoking an
              Information Card Identity Selector as described in
              <a class='info' href='#infocard.web-interop'>[infocard.web&#8209;interop]<span> (</span><span class='info'>Jones, M., &ldquo;A Guide to Using the Identity Selector Interoperability             Profile V1.0 within Web Applications and Browsers,&rdquo; April&nbsp;2007.</span><span>)</span></a>. This can be
              accomplished either with an "application/x-informationCard"
              &lt;OBJECT&gt; element or using XHTML syntax.
              See <a class='info' href='#infocard-invocation'>Section&nbsp;4.2<span> (</span><span class='info'>Identity Selector Invocation</span><span>)</span></a>.
            
</p>
<p>
              Extract the OpenID Authentication response from the RSTR /
              OpenID token.
            
</p>
</blockquote><p>
        
</p>
<a name="op-requirements"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.3.2"></a><h3>3.2.&nbsp;
Information Card-Enabled OpenID Provider</h3>

<p>
          In order to support OpenID Information Cards, OpenID Providers
          MUST:
          </p>
<blockquote class="text">
<p>
              Issue OpenID Information Cards.
            
</p>
<p>
              Provide an STS endpoint for issuing OpenID tokens.
            
</p>
</blockquote><p>
        
</p>
<a name="infocard-selector"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.3.3"></a><h3>3.3.&nbsp;
Information Card Selector</h3>

<p>
          The tokens are opaque to Identity Selectors, so any selector
          implementation will support OpenID Information Cards.
        
</p>
<a name="anchor4"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4"></a><h3>4.&nbsp;
Information Model</h3>

<a name="openid-infocard"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4.1"></a><h3>4.1.&nbsp;
OpenID Information Cards</h3>

<p>
          An OpenID Information Card is an Information Card issued by an
          Information Card-enabled OP with the following properties:
          </p>
<blockquote class="text">
<p>
              MUST support OpenID tokens.
            
</p>
<p>
              MUST support the OpenID Identifier claim.
            
</p>
<p>
              MUST contain the RequireAppliesTo element, so that the
              Identity Selector passes the URL of the RP to the OP.
            
</p>
</blockquote><p>
        
</p>
<a name="infocard-invocation"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4.2"></a><h3>4.2.&nbsp;
Identity Selector Invocation</h3>

<p>
          Relying parties have the following options for invoking an
          Identity Selector on their login pages, as specified in
          <a class='info' href='#infocard.web-interop'>[infocard.web&#8209;interop]<span> (</span><span class='info'>Jones, M., &ldquo;A Guide to Using the Identity Selector Interoperability             Profile V1.0 within Web Applications and Browsers,&rdquo; April&nbsp;2007.</span><span>)</span></a>:
          </p>
<blockquote class="text">
<p>
              An &lt;OBJECT&gt; element of the type
              "application/x-informationCard".
            
</p>
<p>
              XHTML Information Card syntax.
            
</p>
</blockquote><p>
          Optionally, Relying Parties MAY use browser scripting languages
          to dynamically detect the availability of an Identity Selector
          and choose whether to present an Information Card &lt;OBJECT&gt;
          element, Information Card XHTML syntax, or a standard OpenID
          login form.
        
</p>
<a name="openid-object"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4.2.1"></a><h3>4.2.1.&nbsp;
The Information Card OBJECT Element</h3>

<p>
            An OpenID token can be requested using an
            &lt;OBJECT&gt; element with the following properties:
            </p>
<blockquote class="text">
<p>
                The "type" attribute MUST have the value
                "application/x-informationCard".
              
</p>
<p>
                The "tokenType" parameter MUST have as its value an
                <a class='info' href='#openid-token'>OpenID token<span> (</span><span class='info'>OpenID Tokens</span><span>)</span></a> type URI.
              
</p>
<p>
                The "requiredClaims" parameter MUST contain the
                "http://schema.openid.net/2007/05/claims/identifier" URI.
              
</p>
</blockquote><p>
          
</p>
<p>Example:
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>

&lt;OBJECT type="application/x-informationCard" name="xmlToken"&gt;
  &lt;PARAM Name="tokenType" Value="http://specs.openid.net/auth/2.0"&gt;
  &lt;PARAM Name="requiredClaims"
         Value="http://schema.openid.net/2007/05/claims/identifier"&gt;
&lt;/OBJECT&gt;

</pre></div>
<a name="xhtml-syntax"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4.2.2"></a><h3>4.2.2.&nbsp;
XHTML Information Card Syntax</h3>

<p>
          An Information Card token can be requested using an
          &lt;ic:informationCard&gt; element with the following
          properties:
          </p>
<blockquote class="text">
<p>
              The "name" attribute MUST have the value "xmlToken".
            
</p>
<p>
              The "tokenType" attribute MUST have as its value an
              <a class='info' href='#openid-token'>OpenID token<span> (</span><span class='info'>OpenID Tokens</span><span>)</span></a> type URI.
            
</p>
<p>
              An &lt;add&gt; element MUST be present with the "claimType"
              attribute set to the
              "http://schema.openid.net/2007/05/claims/identifier" URI
              and the "optional" attribute set to "false".
            
</p>
</blockquote><p>
          Note that not all browsers provide full support for XHTML.
        
</p>
<p>Example:
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>

&lt;ic:informationCard name='xmlToken'
  style='behavior:url(#default#informationCard)'
  tokenType="http://specs.openid.net/auth/2.0"&gt;
  &lt;ic:add claimType=
    "http://schema.openid.net/2007/05/claims/identifier"
    optional="false"/&gt;
&lt;/ic:informationCard&gt;

</pre></div>
<a name="openid-token"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4.3"></a><h3>4.3.&nbsp;
OpenID Tokens</h3>

<p>
          OpenID tokens are used to encapsulate and transfer
          OpenID Authentication responses using Information Cards.
          OpenID messages MUST be encoded in the key-value form
          defined in <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication&#8209;2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007.</span><span>)</span></a>. 
        
</p>
<p>
          The key-value form encoded OpenID Authentication response
          MUST be enclosed in a &lt;OpenIDToken&gt; element in the
          "http://specs.openid.net/auth/2.0" namespace. The XML
          schema for the OpenIDToken element is defined in
          <a class='info' href='#openid-token-schema'>Section&nbsp;4.3.4<span> (</span><span class='info'>OpenIDToken Schema</span><span>)</span></a>.
        
</p>
<p>
          Verification of OpenID Positive Assertions (claims) MUST
          be performed as specified in the "Verifying Assertions"
          section of <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication&#8209;2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007.</span><span>)</span></a>.
        
</p>
<p>
          In the OpenID Information Cards protocol flow the RP cannot
          perform the optional OpenID association step; therefore,
          Relying Parties MUST perform the signature verification by
          sending a direct request to the OpenID Provider, as specified
          in the "Verifying Directly with the OpenID Provider"
          section of <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication&#8209;2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007.</span><span>)</span></a>.
        
</p>
<a name="openid-token-types"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4.3.1"></a><h3>4.3.1.&nbsp;
OpenID Token Types</h3>

<p>
            Two URIs are defined to identify the following versions of
            the OpenID protocol; these URIs MUST be used when referring
            to OpenID token types in WS-* protocols.
          
</p><br /><hr class="insert" />
<table class="full" align="center" border="0" cellpadding="2" cellspacing="2">
<col align="left"><col align="left">
<tr><th align="left">Token URI</th><th align="left">OpenID Protocol Version</th></tr>
<tr>
<td align="left">http://specs.openid.net/auth/2.0</td>
<td align="left">
              <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication&#8209;2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007.</span><span>)</span></a>
            </td>
</tr>
<tr>
<td align="left">http://specs.openid.net/auth/1.1</td>
<td align="left">
              <a class='info' href='#OpenID.authentication-1.1'>[OpenID.authentication&#8209;1.1]<span> (</span><span class='info'>Recordon, D. and B. Fitzpatrick, &ldquo;OpenID Authentication 1.1,&rdquo; May&nbsp;2006.</span><span>)</span></a>
            </td>
</tr>
</table>
<table border="0" cellpadding="0" cellspacing="2" align="center"><tr><td align="center"><font face="monaco, MS Sans Serif" size="1"><b>&nbsp;OpenID tokens URIs&nbsp;</b></font><br /></td></tr></table><hr class="insert" />

<a name="openid-token-reference"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4.3.2"></a><h3>4.3.2.&nbsp;
OpenID Token References</h3>

<p>
            Tokens transferred with Information Card transactions need to
            be referenced for the purpose of performing security
            operations, such as encryption and signature calculation. In
            order for the Identity Selectors to be token-agnostic and be
            able to transfer and reference tokens of any type, the Security
            Token Services must provide the descriptors for how the tokens
            should be referenced. This is accomplished by including
            RequestedAttachedReference and RequestedUnattachedReference
            elements in RSTR messages, as described in WS-Trust and
            <a class='info' href='#infocard.reference-1.0'>[infocard.reference&#8209;1.0]<span> (</span><span class='info'>Nanda, A., &ldquo;Identity Selector Interoperability Profile V1.0,&rdquo; April&nbsp;2007.</span><span>)</span></a>.
          
</p>
<p>
            When issuing OpenID Tokens, an Information Card-enabled OpenID
            Provider MUST include the &lt;RequestedAttachedReference&gt;
            and &lt;RequestedUnattachedReference&gt; elements in the RSTR
            message. Both references MUST contain identical values in the
            form of &lt;KeyIdentifier&gt; security token references with
            the following characteristics:
            
            </p>
<blockquote class="text">
<p>
                The ValueType attribute of the &lt;KeyIdentifier&gt;
                element MUST have the value of
                "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1".
              
</p>
<p>
                The text value of the &lt;KeyIdentifier&gt; element MUST
                be the base64-encoded value of the SHA1 hash of the raw
                octets constituting the OpenID message encoded in
                key-value form.
              
</p>
</blockquote><p>
            Example:
          </p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>


&lt;wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
  &lt;wsse:KeyIdentifier
      ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"&gt;
      d1pgA15raYAIMAJ3CMCZ64qU02g=
  &lt;/wsse:KeyIdentifier&gt;
&lt;/wsse:SecurityTokenReference&gt;

</pre></div><p>


          
</p>
<p>
            See <a class='info' href='#rstr-example'>Section&nbsp;5.3<span> (</span><span class='info'>Request Security Token Response Example</span><span>)</span></a> for a full Request Security
            Token Response example.
          
</p>
<a name="openid-token-example"></a><br /><hr />
<a name="rfc.section.4.3.3"></a><h3>4.3.3.&nbsp;
OpenID Token Example</h3>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>

&lt;openid:OpenIDToken xmlns:openid="http://specs.openid.net/auth/2.0"&gt;
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.op_endpoint:https://example-op.com/openid-server/
openid.claimed_id:https://example-op.com/johndoe/
openid.identity:https://example-op.com/johndoe/
openid.return_to:https://example-rp.com/openid-infocard-endpoint/
openid.response_nonce:2007-06-28T22:16:58Z0
openid.assoc_handle:d38f38e8166443cb
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:PZNucb3/5KnEHsOXEMFkg1FJAnGD+UbGR1LqsscVvEc=
&lt;/openid:OpenIDToken&gt;

</pre></div>
<a name="openid-token-schema"></a><br /><hr />
<a name="rfc.section.4.3.4"></a><h3>4.3.4.&nbsp;
OpenIDToken Schema</h3>

<p>
            The XML schema definition for the &lt;OpenIDToken&gt; element
            is as follows:
          
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>
    &lt;?xml version="1.0" encoding="UTF-8"?&gt;
    &lt;!-- XML Schema for OpenIDToken --&gt;
    &lt;xs:schema
      targetNamespace="http://specs.openid.net/auth/2.0"
      xmlns:openid="http://specs.openid.net/auth/2.0"
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      elementFormDefault="qualified" blockDefault="#all"&gt;

      &lt;xs:element name="OpenIDToken" type="openid:OpenIDTokenType"/&gt;
      &lt;xs:complexType name="OpenIDTokenType"&gt;
        &lt;xs:simpleContent&gt;
          &lt;xs:extension base="xs:string"&gt;
            &lt;xs:anyAttribute namespace="##any" processContents="lax" /&gt;
          &lt;/xs:extension&gt;
        &lt;/xs:simpleContent&gt;
      &lt;/xs:complexType&gt;
    &lt;/xs:schema&gt;
</pre></div>
<a name="openid-claim"></a><br /><hr />
<a name="rfc.section.4.4"></a><h3>4.4.&nbsp;
OpenID Identifier Claim Type</h3>

<p>
          OpenID Information Cards are used to acquire and supply OpenID
          Authentication claims to a Relying Party. This type of claim
          is identified in Information Card transactions by the following URI:
          </p>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>

http://schema.openid.net/2007/05/claims/identifier

</pre></div><p>

        
</p>
<a name="attribute-claims"></a><br /><hr />
<a name="rfc.section.4.5"></a><h3>4.5.&nbsp;
Attribute Claims</h3>

<p>
          Additional attribute claims MAY be requested by the Relying
          Party by listing the corresponding URIs in the Information Card
          OBJECT element or by using XHTML Information Card Syntax, as
          specified in <a class='info' href='#infocard.web-interop'>[infocard.web&#8209;interop]<span> (</span><span class='info'>Jones, M., &ldquo;A Guide to Using the Identity Selector Interoperability             Profile V1.0 within Web Applications and Browsers,&rdquo; April&nbsp;2007.</span><span>)</span></a>. In this
          case the OpenID 2.0 namespace URI,
          "http://specs.openid.net/auth/2.0" MUST be one of the requested
          token types.
        
</p>
<p>
          If such claims are supported by a managed OpenID Information
          Card and an Information Card-Enabled OpenID Provider, the
          protocol used to encode the response claims containing the
          attribute values MUST be <a class='info' href='#OpenID.attribute-exchange'>OpenID Attribute Exchange<span> (</span><span class='info'>Hardt, D., Bufu, J., and J. Hoyt, &ldquo;OpenID Attribute Exchange,&rdquo; January&nbsp;2007.</span><span>)</span></a> [OpenID.attribute&#8209;exchange].
        
</p>
<p>
          Specifically, an OpenID Attribute Exchange Fetch Response
          extension MUST be added to the OpenID Authentication response
          encapsulated in the OpenID 2.0 Information Card token. Because the
          attribute values travel inside the OpenID message, a Relying Party
          should only trust them after the message's signature has been
          verified, and only for parameters covered by openid.signed.
        
</p>
<p>
          See <a class='info' href='#examples'>Section&nbsp;5<span> (</span><span class='info'>Protocol Flow Example Messages</span><span>)</span></a> for a set of example messages
          that illustrate the protocol flow.
        
</p>
<a name="examples"></a><br /><hr />
<a name="rfc.section.5"></a><h3>5.&nbsp;
Protocol Flow Example Messages</h3>

<p>
        This section is non-normative.
      
</p>
<a name="object-example"></a><br /><hr />
<a name="rfc.section.5.1"></a><h3>5.1.&nbsp;
Relying Party Requests Authentication With an OpenID Information Card</h3>
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>

&lt;OBJECT type="application/x-informationCard" name="xmlToken"&gt;
&lt;PARAM Name="tokenType" Value="http://specs.openid.net/auth/2.0"&gt;
&lt;PARAM Name="requiredClaims"
       Value="http://schema.openid.net/2007/05/claims/identifier"&gt;
&lt;PARAM Name="optionalClaims"
       Value="http://axschema.org/namePerson/first http://axschema.org/namePerson/last http://axschema.org/contact/email"&gt;
&lt;/OBJECT&gt;

</pre></div>
<p>
          Besides the OpenID token type and the OpenID identifier
          claim type, optional email address, first and last name
          attribute claims are also requested.
        
</p>
<a name="rst-example"></a><br /><hr />
<a name="rfc.section.5.2"></a><h3>5.2.&nbsp;
Request Security Token Example</h3>

<p>
          Request Security Token (RST) message sent by the Information Card
          selector to the Information Card-enabled OpenID Provider / STS:
        
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>

&lt;s:Envelope
    xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"&gt;
  &lt;s:Header&gt;
    &lt;o:Security
        s:mustUnderstand="1"
        xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
      &lt;o:UsernameToken u:Id="uuid-9f7afd9b-dfc0-4a11-9066-0ea82dbd36b2-2"&gt;
        &lt;o:Username&gt;exampleUser&lt;/o:Username&gt;
        &lt;o:Password
          o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"&gt;
          examplePassword
        &lt;/o:Password&gt;
      &lt;/o:UsernameToken&gt;
    &lt;/o:Security&gt;
  &lt;/s:Header&gt;
  &lt;s:Body&gt;
    &lt;wst:RequestSecurityToken Context="ProcessRequestSecurityToken"
                              xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"&gt;
      &lt;wst:RequestType&gt;http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
      &lt;/wst:RequestType&gt;
      &lt;wsid:InformationCardReference
        xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"&gt;
        &lt;wsid:CardId&gt;
          https://example-op.com/sts/card/CBB63122-E541-7F40-961B-BB0A8079110B
        &lt;/wsid:CardId&gt;
        &lt;wsid:CardVersion&gt;1&lt;/wsid:CardVersion&gt;
      &lt;/wsid:InformationCardReference&gt;
      &lt;wst:Claims&gt;
        &lt;wsid:ClaimType
          Uri="http://schema.openid.net/2007/05/claims/identifier"
          xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/&gt;
        &lt;wsid:ClaimType
          Uri="http://axschema.org/namePerson/first"
          xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"
          Optional="true"/&gt;
        &lt;wsid:ClaimType
          Uri="http://axschema.org/namePerson/last"
          xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"
          Optional="true"/&gt;
        &lt;wsid:ClaimType
          Uri="http://axschema.org/contact/email"
          xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"
          Optional="true"/&gt;
      &lt;/wst:Claims&gt;
      &lt;wst:KeyType&gt;http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
      &lt;/wst:KeyType&gt;
      &lt;wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"&gt;
        &lt;EndpointReference
          xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none"&gt;
          https://example-rp.com/openid-infocard-endpoint/
        &lt;/EndpointReference&gt;
      &lt;/wsp:AppliesTo&gt;
      &lt;wst:TokenType&gt;http://specs.openid.net/auth/2.0&lt;/wst:TokenType&gt;
      &lt;wsid:RequestDisplayToken xml:lang="en"
                                xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/&gt;
    &lt;/wst:RequestSecurityToken&gt;
  &lt;/s:Body&gt;
&lt;/s:Envelope&gt;

</pre></div>
<p>
          No proof key is used in this example. A username/password
          credential included in the RST is used as the method of
          authentication to the Information Card-enabled OpenID Provider.
          Because the password is carried as PasswordText (i.e. in the clear
          inside the message), this example relies on the selector-to-STS
          transport providing confidentiality and server authentication
          (e.g. TLS with the STS certificate validated); it must not be
          used over an unprotected connection.
        
</p>
<a name="rstr-example"></a><br /><hr />
<a name="rfc.section.5.3"></a><h3>5.3.&nbsp;
Request Security Token Response Example</h3>

<p>
          Request Security Token Response (RSTR) sent by the STS back
          to the Identity Selector:
        
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>

&lt;soap:Envelope xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
               xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:wsa="http://www.w3.org/2005/08/addressing"
               xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
               xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"&gt;
  &lt;soap:Header/&gt;
  &lt;soap:Body&gt;
    &lt;wst:RequestSecurityTokenResponse Context="ProcessRequestSecurityToken"&gt;
      &lt;wst:TokenType&gt;http://specs.openid.net/auth/2.0&lt;/wst:TokenType&gt;
      &lt;wst:RequestType&gt;http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
      &lt;/wst:RequestType&gt;
      &lt;wst:RequestedSecurityToken&gt;
        &lt;openid:OpenIDToken xmlns:openid="http://specs.openid.net/auth/2.0"&gt;
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.op_endpoint:https://example-op.com/openid-server/
openid.claimed_id:https://example-op.com/johndoe/
openid.identity:https://example-op.com/johndoe/
openid.return_to:https://example-rp.com/openid-infocard-endpoint/
openid.response_nonce:2007-06-28T22:16:58Z0
openid.assoc_handle:d38f38e8166443cb
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:PZNucb3/5KnEHsOXEMFkg1FJAnGD+UbGR1LqsscVvEc=
openid.ns.ext1:http://openid.net/srv/ax/1.0
openid.ext1.mode:fetch_response
openid.ext1.type.FirstName:http://axschema.org/namePerson/first
openid.ext1.value.FirstName:John
openid.ext1.type.LastName:http://axschema.org/namePerson/last
openid.ext1.value.LastName:Doe
openid.ext1.type.email:http://axschema.org/contact/email
openid.ext1.value.email:johndoe@example.com
        &lt;/openid:OpenIDToken&gt;
      &lt;/wst:RequestedSecurityToken&gt;
      &lt;wst:RequestedAttachedReference&gt;
        &lt;wsse:SecurityTokenReference&gt;
          &lt;wsse:KeyIdentifier
                ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"&gt;
                d1pgA15raYAIMAJ3CMCZ64qU02g=
          &lt;/wsse:KeyIdentifier&gt;
        &lt;/wsse:SecurityTokenReference&gt;
      &lt;/wst:RequestedAttachedReference&gt;
      &lt;wst:RequestedUnattachedReference&gt;
        &lt;wsse:SecurityTokenReference&gt;
          &lt;wsse:KeyIdentifier
                ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"&gt;
                d1pgA15raYAIMAJ3CMCZ64qU02g=
          &lt;/wsse:KeyIdentifier&gt;
        &lt;/wsse:SecurityTokenReference&gt;
      &lt;/wst:RequestedUnattachedReference&gt;
      &lt;ic:RequestedDisplayToken&gt;
        &lt;ic:DisplayToken xml:lang="en"&gt;
          &lt;ic:DisplayClaim
            Uri="http://axschema.org/namePerson/first"&gt;
            &lt;ic:DisplayTag&gt;Given Name&lt;/ic:DisplayTag&gt;
            &lt;ic:DisplayValue&gt;John&lt;/ic:DisplayValue&gt;
          &lt;/ic:DisplayClaim&gt;
          &lt;ic:DisplayClaim
            Uri="http://axschema.org/namePerson/last"&gt;
            &lt;ic:DisplayTag&gt;Surname&lt;/ic:DisplayTag&gt;
            &lt;ic:DisplayValue&gt;Doe&lt;/ic:DisplayValue&gt;
          &lt;/ic:DisplayClaim&gt;
          &lt;ic:DisplayClaim
            Uri="http://axschema.org/contact/email"&gt;
            &lt;ic:DisplayTag&gt;Email&lt;/ic:DisplayTag&gt;
            &lt;ic:DisplayValue&gt;johndoe@example.com&lt;/ic:DisplayValue&gt;
          &lt;/ic:DisplayClaim&gt;
          &lt;ic:DisplayClaim
            Uri="http://schema.openid.net/2007/05/claims/identifier"&gt;
            &lt;ic:DisplayTag&gt;OpenID&lt;/ic:DisplayTag&gt;
            &lt;ic:DisplayValue&gt;https://example-op.com/johndoe/
            &lt;/ic:DisplayValue&gt;
          &lt;/ic:DisplayClaim&gt;
        &lt;/ic:DisplayToken&gt;
      &lt;/ic:RequestedDisplayToken&gt;
    &lt;/wst:RequestSecurityTokenResponse&gt;
  &lt;/soap:Body&gt;
&lt;/soap:Envelope&gt;

</pre></div>
<a name="xmltoken-example"></a><br /><hr />
<a name="rfc.section.5.4"></a><h3>5.4.&nbsp;
XMLToken Example</h3>

<p>
          Data sent by the Information Card selector to the Relying Party
          in an HTTP POST, as the value of the "xmlToken" parameter (the
          name given in the OBJECT element of <a class='info' href='#object-example'>Section&nbsp;5.1</a>):
        
</p>
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>

&lt;openid:OpenIDToken xmlns:openid="http://specs.openid.net/auth/2.0"&gt;
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.op_endpoint:https://example-op.com/openid-server/
openid.claimed_id:https://example-op.com/johndoe/
openid.identity:https://example-op.com/johndoe/
openid.return_to:https://example-rp.com/openid-infocard-endpoint/
openid.response_nonce:2007-06-28T22:16:58Z0
openid.assoc_handle:d38f38e8166443cb
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:PZNucb3/5KnEHsOXEMFkg1FJAnGD+UbGR1LqsscVvEc=
openid.ns.ext1:http://openid.net/srv/ax/1.0
openid.ext1.mode:fetch_response
openid.ext1.type.FirstName:http://axschema.org/namePerson/first
openid.ext1.value.FirstName:John
openid.ext1.type.LastName:http://axschema.org/namePerson/last
openid.ext1.value.LastName:Doe
openid.ext1.type.email:http://axschema.org/contact/email
openid.ext1.value.email:johndoe@example.com
&lt;/openid:OpenIDToken&gt;

</pre></div>
<a name="anchor5"></a><br /><hr />
<a name="rfc.section.6"></a><h3>6.&nbsp;
Security Considerations</h3>

<p>
        Use of OpenID Information Cards eliminates the "Rogue Relying
        Party Proxying" attack described in the Security Considerations
        section of <a class='info' href='#OpenID.authentication-2.0'>[OpenID.authentication&#8209;2.0]<span> (</span><span class='info'>Recordon, D., Hoyt, J., Fitzpatrick, B., and D. Hardt, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007.</span><span>)</span></a>,
        since the user authenticates to the OpenID Provider directly through
        the Identity Selector's RST rather than through a browser
        redirection that a rogue Relying Party could proxy.
      
</p>
<p>
        The token delivered to the Relying Party is a complete OpenID
        Authentication positive assertion, and the Relying Party is expected
        to verify it exactly as [OpenID.authentication&#8209;2.0] requires:
        check the signature (openid.sig) over the parameters listed in
        openid.signed, using the association named by openid.assoc_handle or
        direct verification with the OpenID Provider; check that
        openid.return_to matches the endpoint that received the token; check
        that openid.response_nonce has not been accepted before; and check
        that openid.op_endpoint is authoritative for openid.claimed_id via
        discovery. The &lt;KeyIdentifier&gt; thumbprint in the RSTR is a
        token identifier only and provides no integrity protection.
      
</p>
<a name="anchor6"></a><br /><hr />
<a name="rfc.section.7"></a><h3>7.&nbsp;
Acknowledgements</h3>

<p>
        Arun Nanda and Mike Jones.
      
</p>
<a name="rfc.references1"></a><br /><hr />
<h3>8.&nbsp;Normative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="OpenID.attribute-exchange">[OpenID.attribute-exchange]</a></td>
<td class="author-text"><a href="mailto:dick@sxip.com">Hardt, D.</a>, <a href="mailto:johnny@sxip.com">Bufu, J.</a>, and <a href="mailto:josh@janrain.com">J. Hoyt</a>, &ldquo;OpenID Attribute Exchange,&rdquo; January&nbsp;2007 (<a href="http://openid.net/specs/openid-attribute-exchange-1_0-04.txt">TXT</a>, <a href="http://openid.net/specs/openid-attribute-exchange-1_0-04.html">HTML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.authentication-1.1">[OpenID.authentication-1.1]</a></td>
<td class="author-text"><a href="mailto:drecordon@verisign.com">Recordon, D.</a> and <a href="mailto:brad@danga.com">B. Fitzpatrick</a>, &ldquo;OpenID Authentication 1.1,&rdquo; May&nbsp;2006 (<a href="http://www.openid.net/specs/openid-authentication-1_1.txt">TXT</a>, <a href="http://www.openid.net/specs/openid-authentication-1_1.html">HTML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="OpenID.authentication-2.0">[OpenID.authentication-2.0]</a></td>
<td class="author-text"><a href="mailto:drecordon@verisign.com">Recordon, D.</a>, <a href="mailto:josh@janrain.com">Hoyt, J.</a>, <a href="mailto:brad@danga.com">Fitzpatrick, B.</a>, and <a href="mailto:dick@sxip.com">D. Hardt</a>, &ldquo;OpenID Authentication 2.0 - Draft 11,&rdquo; January&nbsp;2007 (<a href="http://www.openid.net/specs/openid-authentication-2_0-11.txt">TXT</a>, <a href="http://www.openid.net/specs/openid-authentication-2_0-11.html">HTML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text"><a href="mailto:sob@harvard.edu">Bradner, S.</a>, &ldquo;<a href="ftp://ftp.isi.edu/in-notes/rfc2119.txt">Key words for use in RFCs to Indicate Requirement Levels</a>,&rdquo; BCP&nbsp;14, RFC&nbsp;2119, March&nbsp;1997 (<a href="ftp://ftp.isi.edu/in-notes/rfc2119.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2119.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2119.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="infocard.reference-1.0">[infocard.reference-1.0]</a></td>
<td class="author-text">Nanda, A., &ldquo;<a href="http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1.pdf">Identity Selector Interoperability Profile V1.0</a>,&rdquo; April&nbsp;2007.</td></tr>
<tr><td class="author-text" valign="top"><a name="infocard.web-interop">[infocard.web-interop]</a></td>
<td class="author-text">Jones, M., &ldquo;<a href="http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1-Web-Guide.pdf">A Guide to Using the Identity Selector Interoperability
            Profile V1.0 within Web Applications and Browsers</a>,&rdquo; April&nbsp;2007.</td></tr>
</table>

<a name="rfc.authors"></a><br /><hr />
<h3>Authors' Addresses</h3>
<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Dick Hardt</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Sxip Identity</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">798 Beatty Street</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Vancouver, BC  V6B 2M1</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">CA</td></tr>
<tr><td class="author" align="right">Email:&nbsp;</td>
<td class="author-text"><a href="mailto:dick@sxip.com">dick@sxip.com</a></td></tr>
<tr><td class="author" align="right">URI:&nbsp;</td>
<td class="author-text"><a href="http://sxip.com/">http://sxip.com/</a></td></tr>
<tr cellpadding="3"><td>&nbsp;</td><td>&nbsp;</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Johnny Bufu</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Sxip Identity</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">798 Beatty Street</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Vancouver, BC  V6B 2M1</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">CA</td></tr>
<tr><td class="author" align="right">Email:&nbsp;</td>
<td class="author-text"><a href="mailto:johnny@sxip.com">johnny@sxip.com</a></td></tr>
<tr><td class="author" align="right">URI:&nbsp;</td>
<td class="author-text"><a href="http://sxip.com/">http://sxip.com/</a></td></tr>
</table>
</body></html>