[OpenID board] upcoming Google announcement regarding OpenID

Martin Atkins mart at degeneration.co.uk
Thu Jul 9 23:38:40 UTC 2009

Will Norris wrote:
> The document you mention all but actually recommends that approach:
>> There are two locations where the host-meta document might be found:
>> (1) http://example.com/host-meta
>> (2) https://www.google.com/accounts/o8/host-meta?hd=example.com
>> Google's endpoint will return a 400 on endpoint (2) if the domain 
>> provided has not outsourced OpenID IdP funcionality to Google. So one 
>> possible strategy for an RP could be to first try endpoint (2), and if 
>> that returns a 400, try endpoint (1), and if that doesn't yield 
>> anything, give up. Other strategies (fetching both endpoints in 
>> parallel, for example), are possible.
> The idea of trying endpoint #2 first, and then failing back to #1 should 
> NEVER be proposed or encouraged.  Quite the opposite, it should be 
> strongly discouraged.  It's language like this that make this feel like 
> a vendor-specific approach that the OpenID Foundation should have 
> nothing to do with.  RPs should be instructed to ALWAYS attempt #1 
> first, otherwise the domain owner is no longer in control.

This is also a pretty good argument for why "magic" paths under a domain 
are bad, and is a good example of the issue I brought up months ago with 
relying on HTTP for discovery: a domain's website is very often hosted 
by a completely different organisation than the one that hosts 
everything else.

I even used Google Apps as an example in my original blog post about 
this back in October:

More information about the board mailing list