[Openid-specs-ab] Some comments on OpenID 2.0 to OpenID Connect Migration spec

Mike Jones Michael.Jones at microsoft.com
Mon Aug 25 14:44:05 UTC 2014

I prefer the alternative that Markus is suggesting, in which we always use the OpenID 2.0 canonical identifier as the openid2_id claim value.  In fact, I would consider adding his example, in which this claim value is shown:
"openid2_id": "=!91F2.8153.F600.AE24"

We should then describe how to prefix this value to perform discovery, rather than removing the prefix.

                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Monday, August 25, 2014 7:26 AM
To: Markus Sabadello
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Some comments on OpenID 2.0 to OpenID Connect Migration spec

Thanks Markus,

I created tickets based on these comments.

This particular one is: https://bitbucket.org/openid/connect/issue/950/migration-te-4-xri-portion-needs-change-by

For the relying party, I think it would be relatively straight forward to strip xri:// from openid2_id if they stored XRI as pure CanonicalID and causes less confusion than trying to figure out the type of openid2_id by sniffing if it starts from "=" or "!" or "@" etc.

This comment thus seem to imply that we should add some text in section 7, e.g., adding:

If the OpenID 2.0 Identifier starts with xri://xri.net/<http://xri.net/> then the relying party MUST extract the Canonical XRI by stripping "xri://xri.net/<http://xri.net/>" from the beginning of the OpenID 2.0 Identifier.

What do you think?


2014-08-23 21:36 GMT+09:00 Markus Sabadello <markus.sabadello at gmail.com<mailto:markus.sabadello at gmail.com>>:

In section 4:

"For XRI, OpenID 2.0 Identifier MUST be created as https://xri.net/ concatenated with the user’s verified XRI without the xri:// scheme. "

The problem with this I think is that in OpenID 2.0, for an XRI the Claimed Identifier is the pure CanonicalID (I-Number), without https:// or xri:// scheme. For example, an RP might have =!91F2.8153.F600.AE24 as the Claimed Identifier (openid2_id) for a user in its database.
So I think in section 4, we should either not say anything specific at all about XRI, or say something like this:

"For XRI, OpenID 2.0 Identifier MUST be the content of the <CanonicalID> element, as specified in [OpenID.2.0]"
Then an example ID Token would be:


 "iss": "?? not sure",

 "sub": "?? not sure",

 "aud": "s6BhdRkqt3",

 "nonce": "n-0S6_WzA2Mj",

 "exp": 1311281970,

 "iat": 1311280970,

 "openid2_id": "=!91F2.8153.F600.AE24"

But then I can see that obtaining an "iss" as described in sections 2 and 6 won't work.

Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140825/fc65a7d3/attachment.html>

More information about the Openid-specs-ab mailing list