[OpenID] OpenID 2.1 clarification on use of LocalID

Andrew Arnott andrewarnott at gmail.com
Thu Apr 9 19:08:57 UTC 2009


On Thu, Apr 9, 2009 at 11:51 AM, John Bradley <john.bradley at wingaa.com>wrote:

> The only identifier that the RP should discover is the claimed_id.  If in
> the returned assertion by the OP the claimed_id and the openid.identity are
> not equal (less hash)  the openid.identiy must be the <LocalID> in the
> discovered information.
>

John, even if the claimed_id and the openid.identity are equal, the
openid.identity must still "match" the discovered information, even if that
information is implied by the absence of a LocalID tag.  For instance, if
LocalID is present with a value of "andrew", but the OP sends an assertion
with an openid.identity that is equal to my claimed_id (which would
necessarily not just be "andrew"), that is still a mismatch and the RP
should not honor that assertion, even though openid.identity and
openid.claimed_id are equal to each other.  At least that's my reading.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090409/b9b18f51/attachment.htm>


More information about the general mailing list