[Openid-specs-ab] Some comments on OpenID 2.0 to OpenID Connect Migration spec

Nat Sakimura sakimura at gmail.com
Mon Aug 25 14:26:15 UTC 2014

Thanks Markus,

I created tickets based on these comments.

This particular one is:

For the relying party, I think it would be relatively straight forward to
strip xri:// from openid2_id if they stored XRI as pure CanonicalID and
causes less confusion than trying to figure out the type of openid2_id by
sniffing if it starts from "=" or "!" or "@" etc.

This comment thus seem to imply that we should add some text in section 7,
e.g., adding:

If the OpenID 2.0 Identifier starts with xri://xri.net/ then the relying
party MUST extract the Canonical XRI by stripping "xri://xri.net/" from the
beginning of the OpenID 2.0 Identifier.

What do you think?


2014-08-23 21:36 GMT+09:00 Markus Sabadello <markus.sabadello at gmail.com>:

> In section 4:
> "For XRI, OpenID 2.0 Identifier MUST be created as https://xri.net/
> concatenated with the user’s verified XRI without the xri:// scheme. "
> The problem with this I think is that in OpenID 2.0, for an XRI the
> Claimed Identifier is the pure CanonicalID (I-Number), without https://
> or xri:// scheme. For example, an RP might have *=!91F2.8153.F600.AE24*
> as the Claimed Identifier (openid2_id) for a user in its database.
> So I think in section 4, we should either not say anything specific at all
> about XRI, or say something like this:
> "For XRI, OpenID 2.0 Identifier MUST be the content of the <CanonicalID>
> element, as specified in [OpenID.2.0]"
> Then an example ID Token would be:
> {
>  "iss": "?? not sure",
>  "sub": "?? not sure",
>  "aud": "s6BhdRkqt3",
>  "nonce": "n-0S6_WzA2Mj",
>  "exp": 1311281970,
>  "iat": 1311280970,
>  "openid2_id": "*=!91F2.8153.F600.AE24*"
> }
> But then I can see that obtaining an "iss" as described in sections 2 and
> 6 won't work.

Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140825/a5f54a6f/attachment-0001.html>

More information about the Openid-specs-ab mailing list