J. Hoyt J. Daugherty JanRain D. Recordon VeriSign June 30, 2006 OpenID Simple Registration Extension 1.0 Abstract OpenID Simple Registation is an extension to the OpenID Authentication protocol that allows for very light-weight profile exchange. It is designed to pass eight commonly requested pieces of information when an End User goes to register a new account with a web service. Hoyt, et al. [Page 1] OpenID Simple Registration Extension 1.0 June 2006 Table of Contents 1. Requirements Notation . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Request Format . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Response Format . . . . . . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 6. Normative References . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 Hoyt, et al. [Page 2] OpenID Simple Registration Extension 1.0 June 2006 1. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Hoyt, et al. [Page 3] OpenID Simple Registration Extension 1.0 June 2006 2. Terminology End User: The actual human user who wants to prove their Identity to a Consumer. Consumer: A web service that wants proof that the End User owns the Claimed Identity. Identity Provider: Also called "IdP" or "Server". This is the OpenID Authentication server that a Consumer contacts for cryptographic proof that the End User owns the Claimed Identity. Hoyt, et al. [Page 4] OpenID Simple Registration Extension 1.0 June 2006 3. Request Format The request parameters detailed here SHOULD be sent with OpenID Authentication checkid_immediate or checkid_setup requests. All of the following request fields are OPTIONAL, though at least one of "openid.sreg.required" or "openid.sreg.optional" MUST be specified in the request. openid.sreg.required: Comma-separated list of field names which, if absent from the response, will prevent the Consumer from completing the registration without End User interation. The field names are those that are specified in the Response Format (Section 4), with the "openid.sreg." prefix removed. openid.sreg.optional: Comma-separated list of field names Fields that will be used by the Consumer, but whose absence will not prevent the registration from completing. The field names are those that are specified in the Response Format (Section 4), with the "openid.sreg." prefix removed. openid.sreg.policy_url: A URL which the Consumer provides to give the End User a place to read about the how the profile data will be used. The Identity Provider SHOULD display this URL to the End User if it is given. Hoyt, et al. [Page 5] OpenID Simple Registration Extension 1.0 June 2006 4. Response Format The fields below SHOULD be included in the Identity Providers's response when "openid.mode" is "id_res". The response's "openid.signed" field list MUST include the returned registration field names, prefixed without the openid. prefix (e.g., sreg.nickname). The "openid.sig" field MUST provide a signature for the sreg. fields in addition to the OpenID data according to the OpenID Authentication specification. If the Consumer's signature verification fails, then no registration data from the Identity Provider SHOULD be used. The Consumer MUST be prepared to handle a response which lacks fields marked as required or optional. The behavior in the case of missing required fields or extra, unrequested fields is up to the Consumer. The Consumer SHOULD treat this situation the same as it would if the End User entered the data manually. A single field MUST NOT be repeated in the response, and all included fields MUST be taken from the set of fields defined in this specification. An Identity Provider MAY return any subset of the following fields in response to the query. In particular: openid.sreg.nickname: Any UTF-8 string that the End User wants to use as a nickname. openid.sreg.email: The email address of the End User as specified in section 3.4.1 of [RFC2822]. openid.sreg.fullname: UTF-8 string free text representation of the End User's full name. openid.sreg.dob: The End User's date of birth as YYYY-MM-DD. Any values whose representation uses fewer than the specified number of digits should be zero-padded. The length of this value MUST always be 10. If the End User user does not want to reveal any particular component of this value, it MUST be set to zero. For instance, if a End User wants to specify that his date of birth is in 1980, but not the month or day, the value returned SHALL be "1980-00-00". Hoyt, et al. [Page 6] OpenID Simple Registration Extension 1.0 June 2006 openid.sreg.gender: The End User's gender, "M" for male, "F" for female. openid.sreg.postcode: UTF-8 string free text that SHOULD conform to the End User's country's postal system. openid.sreg.country: The End User's country of residence as specified by ISO3166 [1]. openid.sreg.language: End User's preferred language as specified by ISO639 [2]. openid.sreg.timezone: ASCII string from TimeZone database [3] For example, "Europe/Paris" or "America/Los_Angeles". Hoyt, et al. [Page 7] OpenID Simple Registration Extension 1.0 June 2006 5. Security Considerations None. 6. Normative References [RFC2119] Bradner, B., "Key words for use in RFCs to Indicate Requirement Levels". [RFC2822] Resnick, P., "Internet Message Format". [openid_authentication] Recordon, D. and B. Fitzpatrick, "OpenID Authentication 1.1". [1] [2] [3] Hoyt, et al. [Page 8] OpenID Simple Registration Extension 1.0 June 2006 Authors' Addresses Josh Hoyt JanRain, Inc. 5331 SW Macadam Avenue Suite #375 Portland, OR 97239 USA Email: josh@janrain.com Jonathan Daugherty JanRain, Inc. 5331 SW Macadam Avenue Suite #375 Portland, OR 97239 USA Email: jonathan@janrain.com David Recordon VeriSign, Inc. 487 E Middlefield Road Mountain View, CA 94109 USA Email: drecordon@verisign.com Hoyt, et al. [Page 9]