TOC 
J. Hoyt
 J. Daugherty
 JanRain
 D. Recordon
 VeriSign
 June 30, 2006

OpenID Simple Registration Extension 1.0

Abstract

OpenID Simple Registation is an extension to the OpenID Authentication protocol that allows for very light-weight profile exchange. It is designed to pass eight commonly requested pieces of information when an End User goes to register a new account with a web service.



Table of Contents

1.  Requirements Notation
2.  Terminology
3.  Request Format
4.  Response Format
5.  Security Considerations
6.  Normative References
§  Authors' Addresses




 TOC 

1. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, B., “Key words for use in RFCs to Indicate Requirement Levels,” .).



 TOC 

2. Terminology

End User:
The actual human user who wants to prove their Identity to a Consumer.
Consumer:
A web service that wants proof that the End User owns the Claimed Identity.
Identity Provider:
Also called "IdP" or "Server". This is the OpenID Authentication server that a Consumer contacts for cryptographic proof that the End User owns the Claimed Identity.



 TOC 

3. Request Format

The request parameters detailed here SHOULD be sent with OpenID Authentication checkid_immediate or checkid_setup requests.

All of the following request fields are OPTIONAL, though at least one of "openid.sreg.required" or "openid.sreg.optional" MUST be specified in the request.

openid.sreg.required:
Comma-separated list of field names which, if absent from the response, will prevent the Consumer from completing the registration without End User interation. The field names are those that are specified in the Response Format (Response Format), with the "openid.sreg." prefix removed.
openid.sreg.optional:
Comma-separated list of field names Fields that will be used by the Consumer, but whose absence will not prevent the registration from completing. The field names are those that are specified in the Response Format (Response Format), with the "openid.sreg." prefix removed.
openid.sreg.policy_url:
A URL which the Consumer provides to give the End User a place to read about the how the profile data will be used. The Identity Provider SHOULD display this URL to the End User if it is given.



 TOC 

4. Response Format

The fields below SHOULD be included in the Identity Providers's response when "openid.mode" is "id_res".

The response's "openid.signed" field list MUST include the returned registration field names, prefixed without the openid. prefix (e.g., sreg.nickname). The "openid.sig" field MUST provide a signature for the sreg. fields in addition to the OpenID data according to the OpenID Authentication specification.

If the Consumer's signature verification fails, then no registration data from the Identity Provider SHOULD be used.

The Consumer MUST be prepared to handle a response which lacks fields marked as required or optional.

The behavior in the case of missing required fields or extra, unrequested fields is up to the Consumer. The Consumer SHOULD treat this situation the same as it would if the End User entered the data manually.

A single field MUST NOT be repeated in the response, and all included fields MUST be taken from the set of fields defined in this specification.

An Identity Provider MAY return any subset of the following fields in response to the query. In particular:

openid.sreg.nickname:
Any UTF-8 string that the End User wants to use as a nickname.
openid.sreg.email:
The email address of the End User as specified in section 3.4.1 of [RFC2822] (Resnick, P., “Internet Message Format,” .).
openid.sreg.fullname:
UTF-8 string free text representation of the End User's full name.
openid.sreg.dob:
The End User's date of birth as YYYY-MM-DD. Any values whose representation uses fewer than the specified number of digits should be zero-padded. The length of this value MUST always be 10. If the End User user does not want to reveal any particular component of this value, it MUST be set to zero.
For instance, if a End User wants to specify that his date of birth is in 1980, but not the month or day, the value returned SHALL be "1980-00-00".
openid.sreg.gender:
The End User's gender, "M" for male, "F" for female.
openid.sreg.postcode:
UTF-8 string free text that SHOULD conform to the End User's country's postal system.
openid.sreg.country:
The End User's country of residence as specified by ISO3166.
openid.sreg.language:
End User's preferred language as specified by ISO639.
openid.sreg.timezone:
ASCII string from TimeZone database
For example, "Europe/Paris" or "America/Los_Angeles".



 TOC 

5. Security Considerations

None.



 TOC 

6. Normative References

[RFC2119] Bradner, B., “Key words for use in RFCs to Indicate Requirement Levels.”
[RFC2822] Resnick, P., “Internet Message Format.”
[openid_authentication] Recordon, D. and B. Fitzpatrick, “OpenID Authentication 1.1.”


 TOC 

Authors' Addresses

  Josh Hoyt
  JanRain, Inc.
  5331 SW Macadam Avenue
  Suite #375
  Portland, OR 97239
  USA
Email:  josh@janrain.com
  
  Jonathan Daugherty
  JanRain, Inc.
  5331 SW Macadam Avenue
  Suite #375
  Portland, OR 97239
  USA
Email:  jonathan@janrain.com
  
  David Recordon
  VeriSign, Inc.
  487 E Middlefield Road
  Mountain View, CA 94109
  USA
Email:  drecordon@verisign.com