[OpenID] OpenID 2.1 clarification on use of LocalID
andrewarnott at gmail.com
Thu Apr 9 19:08:57 UTC 2009
On Thu, Apr 9, 2009 at 11:51 AM, John Bradley <john.bradley at wingaa.com> wrote:
> The only identifier that the RP should discover is the claimed_id. If in
> the returned assertion by the OP the claimed_id and the openid.identity are
> not equal (less hash) the openid.identity must be the <LocalID> in the
> discovered information.
John, even if the claimed_id and the openid.identity are equal, the
openid.identity must still "match" the discovered information, even if that
information is implied by the absence of a LocalID tag. For instance, if
LocalID is present with a value of "andrew", but the OP sends an assertion
with an openid.identity that is equal to my claimed_id (which would
necessarily not just be "andrew"), that is still a mismatch and the RP
should not honor that assertion, even though openid.identity and
openid.claimed_id are equal to each other. At least that's my reading.
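
The relying-party check discussed in this message, as an added Python example that is not part of the original post or of any OpenID library. The function name, the sample identifiers and the assumption that identifiers are already normalized are constructed for illustration.

```python
from urllib.parse import urldefrag


def check_assertion(assertion, discovered_claimed_id, discovered_local_id=None):
    """Compare a positive assertion with what the RP discovered.

    discovered_local_id is the <LocalID> value from discovery, or None
    when the tag is absent. Returns (ok, reason).
    Assumption: all identifiers are already normalized.
    """
    # The fragment ("hash") is ignored when comparing the claimed identifier.
    claimed = urldefrag(assertion["openid.claimed_id"]).url
    identity = assertion["openid.identity"]

    if claimed != discovered_claimed_id:
        return False, "claimed_id does not match the discovered identifier"

    if discovered_local_id is not None:
        # A LocalID was discovered: openid.identity must be that value,
        # even when the OP sent identity == claimed_id.
        expected = discovered_local_id
    else:
        # No LocalID tag: the implied local identifier is the claimed
        # identifier itself (compared without fragment here).
        expected = discovered_claimed_id
        identity = urldefrag(identity).url

    if identity != expected:
        return False, "openid.identity does not match the discovered LocalID"
    return True, "ok"


# Constructed sample data.
CLAIMED = "https://id.example.org/andrew"

# The case from the message: LocalID is "andrew", but the OP asserts
# identity == claimed_id. The two fields agree with each other, yet the
# assertion disagrees with discovery and is rejected.
MISMATCH = {"openid.claimed_id": CLAIMED, "openid.identity": CLAIMED}
# The OP asserts the discovered LocalID: accepted.
MATCH = {"openid.claimed_id": CLAIMED + "#gen2", "openid.identity": "andrew"}

if __name__ == "__main__":
    print(check_assertion(MISMATCH, CLAIMED, "andrew"))
    print(check_assertion(MATCH, CLAIMED, "andrew"))
    print(check_assertion(MISMATCH, CLAIMED, None))
```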