10.4 Direct Assertion Request
If a valid openid.artifact was returned, the RP SHOULD send a request to the OP via direct communication with the following parameters:
- openid.ns
As specified in Section 4.1.2.
- openid.mode
Value: “direct_assertion_req”
- openid.artifact
Value: The Artifact value received in the Artifact Authentication Response.
- openid.signed
Value: Comma-separated list of fields in this request.
- openid.sig
Value: Base 64 encoded signature calculated as specified in Section 6.
- openid.assoc_handle
Value: A handle for an association between the Relying Party and the OP that SHOULD be used to sign the response.
On receipt of such a request, the OP should return the previously created assertion as the payload of the response to this request. {TODO: text refinement. Think over the security risk of Artifact exposure on the indirect communication.}
10.5 Direct Assertion Response
An assertion directly requested by the RP should be returned in the same parameters as “10.1. Positive Assertions”, except for “openid.mode”. “openid.mode” MUST be “direct_assertion_res” in this case.
10.5.1. Unsuccessful Direct Assertion Response
If a direct assertion request fails, an error response MUST be returned. The parameters of an unsuccessful direct assertion response are the same as “9.1.2 Unsuccessful Direct Authentication Request Response”, except for “openid.mode”. “openid.mode” MUST be “direct_assertion_error” in this case.
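The following sketch is an added example, not part of this draft: it shows an RP building the Direct Assertion Request of 10.4 and an OP deciding between the response modes of 10.5 and 10.5.1. It assumes the OpenID Authentication 2.0 namespace value, key-value-form signing with HMAC-SHA256, and a choice of signed fields; the function names and the rule that "mode" and "artifact" must be signed are hypothetical.

```python
import base64
import hashlib
import hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"  # assumed: OpenID 2.0 namespace value
SIGNED_FIELDS = ["ns", "mode", "artifact", "assoc_handle"]  # assumed choice of fields

def kv_form(params, fields):
    # Key-value form: "key:value\n" per signed field, keys without the "openid." prefix.
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode("utf-8")

def sign(params, fields, mac_key):
    # Assumed algorithm: HMAC-SHA256 with the association MAC key, Base 64 encoded.
    digest = hmac.new(mac_key, kv_form(params, fields), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")

def build_direct_assertion_request(artifact, assoc_handle, mac_key):
    """RP side: assemble the 10.4 parameters and sign them."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "direct_assertion_req",
        "openid.artifact": artifact,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    params["openid.sig"] = sign(params, SIGNED_FIELDS, mac_key)
    return params

def op_check_request(params, associations):
    """OP side: return the openid.mode the response should carry."""
    mac_key = associations.get(params.get("openid.assoc_handle"))
    fields = params.get("openid.signed", "").split(",")
    # Assumed policy: unknown association, or mode/artifact left unsigned, is an error.
    if mac_key is None or not {"mode", "artifact"} <= set(fields):
        return "direct_assertion_error"
    if params.get("openid.mode") != "direct_assertion_req":
        return "direct_assertion_error"
    try:
        expected = sign(params, fields, mac_key)
    except KeyError:  # a field listed in openid.signed is absent from the request
        return "direct_assertion_error"
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return "direct_assertion_error"
    return "direct_assertion_res"
```
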