
OpenID Simple Registration (sreg) vs. Attribute Exchange (ax)


What is the relationship between the OpenID sreg and ax extensions? How does a relying party know which one to request, or both?


Solution

  • sreg was written as the Simplest Thing that could Possibly Work, and has a very limited set of fields available. But since that includes nickname, email, and fullname, that's often all you need.

    Attribute Exchange is much more extensible and featureful, although I suspect in practice features like the update_url and store request have not been widely implemented.

    As for knowing which to request: In theory, which extensions a provider supports is documented in the XRDS document available during the discovery phase, as noted in the Extensions section of the spec. If you're using python-openid (or perhaps one of the other libraries at OpenID Enabled), you could query for that via something like

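    from openid.extensions import sreg

    # `consumer` is an openid.consumer.consumer.Consumer already created
    # with your session and store.
    auth_req = consumer.begin('http://example.com/joe')

    # Only add the sreg request if discovery says the endpoint advertises sreg.
    if sreg.supportsSreg(auth_req.endpoint):
        sreg_request = sreg.SRegRequest(required=['nickname', 'email'])
        auth_req.addExtension(sreg_request)
    else:
        # maybe AX, maybe something else...
        pass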
    

    Unfortunately, OpenID identifier delegation makes that pretty unreliable. The user may be using the HTML-based discovery method, which doesn't advertise extensions at all, may have an XRDS that doesn't include the same extension information as the provider does, or an XRDS that was once accurate but is now out of date.

    In addition, even if you do get an XRDS that advertises the AX extension, as far as I know it doesn't tell you which attributes the provider supports (i.e. which AX schema).

    The most practical approach is probably to request lots of stuff, and if you get some stuff back, you can use it.
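The "request lots of stuff, use whatever comes back" approach from the answer above, shown on the response side as an added example (not part of the original answer and not python-openid code). It merges sreg and AX attributes from a positive assertion and keeps only fields listed in `openid.signed`. Assumptions: the OpenID library has already verified the assertion's signature and nonce, AX values are single-valued, preferring AX over sreg is an arbitrary choice, and `extract_profile`, `AX_TO_SREG` and `SAMPLE` are hypothetical names.

```python
from urllib.parse import parse_qsl

SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"
# AX type URIs (axschema.org) mapped onto the equivalent sreg field names
AX_TO_SREG = {
    "http://axschema.org/namePerson/friendly": "nickname",
    "http://axschema.org/contact/email": "email",
    "http://axschema.org/namePerson": "fullname",
}
# Constructed sample response: AX nickname and sreg email are signed,
# sreg.fullname is present but NOT covered by openid.signed.
SAMPLE = (
    "openid.ns.ext1=http://openid.net/srv/ax/1.0&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.nick=http://axschema.org/namePerson/friendly"
    "&openid.ext1.value.nick=joe"
    "&openid.ns.sreg=http://openid.net/extensions/sreg/1.1"
    "&openid.sreg.email=joe@example.com&openid.sreg.fullname=Injected+Name"
    "&openid.signed=ns.ext1,ext1.mode,ext1.type.nick,ext1.value.nick,ns.sreg,sreg.email"
)

def extract_profile(query_string):
    """Merge sreg and AX attributes from an already-verified positive assertion."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    # openid.signed lists the covered keys without the "openid." prefix
    signed = {"openid." + k for k in params.get("openid.signed", "").split(",") if k}

    def signed_value(key):
        # Anything outside openid.signed could have been appended in transit
        return params.get(key) if key in signed else None

    # Extension aliases are chosen by the provider: resolve them via openid.ns.<alias>
    alias = {params[k]: k[len("openid.ns."):]
             for k in signed if k.startswith("openid.ns.") and k in params}
    profile = {}
    if AX_NS in alias:
        ax = "openid.%s." % alias[AX_NS]
        for key in signed:
            if key.startswith(ax + "type."):
                field = AX_TO_SREG.get(params.get(key))
                value = signed_value(ax + "value." + key[len(ax + "type."):])
                if field and value:
                    profile[field] = value
    # sreg 1.0 responses carry no ns declaration and use the fixed alias "sreg"
    sreg = "openid.%s." % alias.get(SREG_NS, "sreg")
    for field in ("nickname", "email", "fullname"):
        value = signed_value(sreg + field)
        if value:
            profile.setdefault(field, value)  # AX wins when both are present
    return profile
```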