[OpenID] Relying Party Best Practices
mart at degeneration.co.uk
Fri Mar 9 18:35:34 UTC 2007
> Is it possible for a provider to essentially reject any previous
> external site's assertions about a URI under its control?
> If the consumer stored the reference with another opaque identifier,
> for instance the numeric user ID or another unique string you could
> have reusable URIs. The pair of [URI, ID] would identify the
> particular URI + "owner" for assertions.
> If dcorbin.foo.com was recycled and given to another user, the pair
> would change from [dcorbin.foo.com, 1] to [dcorbin.foo.com, 2] which
> would trigger reauthentication (assertion).
> Would this suffice?
This is possible. This is, in fact, basically how i-names work: the
i-name references an i-number, and the i-numbers are guaranteed never to
The difference is that in this case the "other opaque identifier" is
identifier-local rather than global. Most sites would use some
transformation of their numeric primary key for this, I guess.
I like this idea, but it does raise the question of how to disambiguate
the different "versions" of a particular identifier across sites. Sites
are unlikely to want to put "Posted By Martin Atkins
[mart.degeneration.co.uk,1]" in their UIs. This concern exists for
i-names as well... as soon as your data outlives your displayed
identifier, you've got problems.
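As an added example, not code from this thread or from any OpenID library, here is the two-sided scheme sketched above in Python. The provider derives an identifier-local opaque id as an HMAC of its numeric primary key (one possible "transformation of the numeric primary key"; the secret, the class and method names and the in-memory tables are my assumptions), and the relying party keys its accounts on the [URI, opaque id] pair, so that a recycled URI produces a fresh local account instead of inheriting the old one. The byline helper illustrates the display problem raised at the end: once the URI has moved on, a post by the former holder can no longer be labelled with the bare identifier. Signature verification of the assertion itself is out of scope and assumed to have already happened.

```python
import hashlib
import hmac
import itertools
from dataclasses import dataclass


class Provider:
    """Identity provider side (hypothetical): owns the URI -> primary-key map."""

    def __init__(self, secret: bytes):
        self._secret = secret        # constructed secret, never sent to relying parties
        self._owner = {}             # uri -> numeric primary key of the current owner
        self._pk = itertools.count(1)

    def register(self, uri: str) -> int:
        """Give uri to a brand-new user. Calling it again for the same uri recycles it."""
        pk = next(self._pk)
        self._owner[uri] = pk
        return pk

    def opaque_id(self, uri: str) -> str:
        # Keyed transform of the primary key: stable for one user, never reused
        # because primary keys are never reused, and it does not leak the raw row number.
        pk = self._owner[uri]
        return hmac.new(self._secret, str(pk).encode(), hashlib.sha256).hexdigest()[:16]

    def assertion(self, uri: str):
        """The pair a successful login would assert to a relying party: [URI, opaque id]."""
        return (uri, self.opaque_id(uri))


@dataclass
class Account:
    local_id: int
    uri: str
    opaque_id: str
    current: bool = True   # False once the provider has handed the URI to someone else


class RelyingParty:
    """Consumer side (hypothetical): accounts are keyed on the (uri, opaque_id) pair."""

    def __init__(self):
        self._by_pair = {}           # (uri, opaque_id) -> Account
        self._holder = {}            # uri -> Account that currently holds that URI
        self._ids = itertools.count(1)

    def login(self, assertion):
        """Map an already-verified assertion to a local account.

        Returns (account, status) with status one of:
          'known'    - same [URI, id] pair seen before, same person
          'new'      - URI never seen here before
          'recycled' - URI seen before but with a different opaque id: the
                       provider gave it to someone else, so the old account
                       is retired and a fresh one is created.
        """
        uri, opaque_id = assertion
        acct = self._by_pair.get((uri, opaque_id))
        if acct is not None:
            return acct, "known"
        prev = self._holder.get(uri)
        status = "new"
        if prev is not None:
            prev.current = False     # the data outlives the displayed identifier
            status = "recycled"
        acct = Account(next(self._ids), uri, opaque_id)
        self._by_pair[(uri, opaque_id)] = acct
        self._holder[uri] = acct
        return acct, status

    def byline(self, acct: Account) -> str:
        """Display name for a post: bare URI only while the poster still holds it."""
        if acct.current:
            return acct.uri
        return f"{acct.uri} (former holder of this identifier)"


if __name__ == "__main__":
    provider = Provider(b"constructed-provider-secret")
    rp = RelyingParty()
    provider.register("dcorbin.foo.com")                 # user 1 gets the URI
    first, status = rp.login(provider.assertion("dcorbin.foo.com"))
    print(status, first.local_id, rp.byline(first))     # new 1 dcorbin.foo.com
    provider.register("dcorbin.foo.com")                 # URI recycled to user 2
    second, status = rp.login(provider.assertion("dcorbin.foo.com"))
    print(status, second.local_id, rp.byline(first))    # recycled 2 ... (former holder ...)
```

The relying party never stores the provider's primary key, only the opaque transform, so it learns nothing about the provider's user table beyond "same person as last time" or "not the same person". Nothing here lets the old holder prove continuity under a new URI; that is the cross-site disambiguation question left open above.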