[Openid-specs-ab] Some comments on OpenID 2.0 to OpenID Connect Migration spec

Nat Sakimura sakimura at gmail.com
Mon Aug 25 15:31:16 UTC 2014


That would actually complicate 90% of the cases where openid2_id is a
http(s) URI.
And I probably was a bit sleepy when I wrote the last response.
It is not xri://xri.net/ obviously.
I meant https://xri.net/ etc. so that the discovery process would be
uniform to the RPs.


2014-08-25 23:44 GMT+09:00 Mike Jones <Michael.Jones at microsoft.com>:

>  I prefer the alternative that Markus is suggesting, in which we always
> use the OpenID 2.0 canonical identifier as the openid2_id claim value.  In
> fact, I would consider adding his example, in which this claim value is
> shown:
>
> "openid2_id": "=!91F2.8153.F600.AE24"
>
> We should then describe how to prefix this value to perform discovery,
> rather than removing the prefix.
>
>                                                             -- Mike
>
> From: openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
> Sent: Monday, August 25, 2014 7:26 AM
> To: Markus Sabadello
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Some comments on OpenID 2.0 to OpenID
> Connect Migration spec
>
> Thanks Markus,
>
> I created tickets based on these comments.
>
> This particular one is:
> https://bitbucket.org/openid/connect/issue/950/migration-te-4-xri-portion-needs-change-by
>
> For the relying party, I think it would be relatively straightforward to
> strip xri:// from openid2_id if they stored XRI as pure CanonicalID and
> causes less confusion than trying to figure out the type of openid2_id by
> sniffing if it starts with "=" or "!" or "@" etc.
>
> This comment thus seems to imply that we should add some text in section 7,
> e.g., adding:
>
> If the OpenID 2.0 Identifier starts with xri://xri.net/ then the relying
> party MUST extract the Canonical XRI by stripping "xri://xri.net/" from
> the beginning of the OpenID 2.0 Identifier.
>
> What do you think?
>
> Nat
>
> 2014-08-23 21:36 GMT+09:00 Markus Sabadello <markus.sabadello at gmail.com>:
>
> In section 4:
>
> "For XRI, OpenID 2.0 Identifier MUST be created as https://xri.net/
> concatenated with the user’s verified XRI without the xri:// scheme. "
>
> The problem with this I think is that in OpenID 2.0, for an XRI the
> Claimed Identifier is the pure CanonicalID (I-Number), without https://
> or xri:// scheme. For example, an RP might have =!91F2.8153.F600.AE24
> as the Claimed Identifier (openid2_id) for a user in its database.
>
> So I think in section 4, we should either not say anything specific at all
> about XRI, or say something like this:
>
> "For XRI, OpenID 2.0 Identifier MUST be the content of the <CanonicalID>
> element, as specified in [OpenID.2.0]"
>
> Then an example ID Token would be:
>
> {
>   "iss": "?? not sure",
>   "sub": "?? not sure",
>   "aud": "s6BhdRkqt3",
>   "nonce": "n-0S6_WzA2Mj",
>   "exp": 1311281970,
>   "iat": 1311280970,
>   "openid2_id": "=!91F2.8153.F600.AE24"
> }
>
> But then I can see that obtaining an "iss" as described in sections 2 and
> 6 won't work.
>
> --
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
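The thread turns on one practical question for a relying party migrating from OpenID 2.0: when the openid2_id claim in an ID Token carries a bare XRI CanonicalID (Markus's and Mike's preference) but the RP stored the identifier in another form (with an xri:// or https://xri.net/ prefix, as Nat's proposed section 7 text assumes), the two still have to compare as the same account, and the RP needs a rule for re-adding the prefix when it performs discovery. The Python below is an added example written for this page; it is not code from the thread, the migration spec, or any OpenID Foundation project. It assumes that an identifier starting with one of the XRI global context symbols (=, @, +, $, !) is an XRI rather than a URL, applies only a simplified http(s) normalization (lowercased scheme and host, empty path replaced by "/") rather than the full OpenID 2.0 rules, and uses a constructed ID Token payload modelled on Markus's example with placeholder iss and sub values. It also assumes the ID Token has already been validated (signature, iss, aud, exp, nonce) before openid2_id is trusted.

```python
import json
from urllib.parse import urlsplit

# XRI global context symbols; a bare CanonicalID such as =!91F2.8153.F600.AE24
# starts with one of these. Assumption for this example: anything starting
# with one of them is treated as an XRI rather than as a URL.
XRI_GCS_CHARS = "=@+$!"

# Prefixes under which an XRI may have been stored or transmitted (the thread
# discusses the xri://xri.net/ and https://xri.net/ forms). Longest first so
# that "xri://xri.net/" is tried before the bare "xri://" scheme.
XRI_PROXY_PREFIXES = ("xri://xri.net/", "https://xri.net/", "http://xri.net/", "xri://")


def canonical_openid2_identifier(identifier: str) -> str:
    """Return the comparison form of an OpenID 2.0 Claimed Identifier.

    XRIs come back as the bare CanonicalID with any proxy prefix stripped;
    http(s) identifiers come back with scheme and host lowercased and an
    empty path replaced by "/". This is a simplified normalization, not the
    full OpenID 2.0 normalization rules.
    """
    s = identifier.strip()
    lower = s.lower()
    for prefix in XRI_PROXY_PREFIXES:
        if lower.startswith(prefix):
            rest = s[len(prefix):]
            if rest and rest[0] in XRI_GCS_CHARS:
                return rest
            break  # prefix matched but no XRI follows; fall through to URL handling
    if s and s[0] in XRI_GCS_CHARS:
        return s
    parts = urlsplit(s)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"
        if parts.query:
            url += "?" + parts.query
        return url
    raise ValueError(f"not an OpenID 2.0 identifier: {identifier!r}")


def xri_discovery_url(canonical_xri: str) -> str:
    """Build the https://xri.net/ proxy-resolution URL for a bare CanonicalID.

    This is the "prefix to perform discovery" direction from the thread: the
    claim carries the bare XRI and the RP adds the prefix only when it needs
    to resolve it, instead of storing the prefix and stripping it later.
    """
    if not canonical_xri or canonical_xri[0] not in XRI_GCS_CHARS:
        raise ValueError(f"not a bare XRI CanonicalID: {canonical_xri!r}")
    return "https://xri.net/" + canonical_xri


def id_token_matches_stored_identifier(id_token_claims: dict, stored_claimed_id: str) -> bool:
    """Compare the openid2_id claim against the RP's stored OpenID 2.0 identifier.

    Assumes the ID Token has already been validated (signature, iss, aud,
    exp, nonce); this only decides whether both identifiers name the same
    account once each is reduced to canonical form. A missing or malformed
    claim never matches.
    """
    claim = id_token_claims.get("openid2_id")
    if not isinstance(claim, str):
        return False
    try:
        return canonical_openid2_identifier(claim) == canonical_openid2_identifier(stored_claimed_id)
    except ValueError:
        return False


# Constructed sample ID Token payload, modelled on the example in the thread.
# The iss and sub values are placeholders (the original message leaves them open).
SAMPLE_ID_TOKEN_JSON = """{
  "iss": "https://op.example.com",
  "sub": "placeholder-subject",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "openid2_id": "=!91F2.8153.F600.AE24"
}"""
SAMPLE_ID_TOKEN = json.loads(SAMPLE_ID_TOKEN_JSON)

if __name__ == "__main__":
    stored = "xri://xri.net/=!91F2.8153.F600.AE24"  # the form an RP might have kept in its database
    print(canonical_openid2_identifier(stored))
    print(xri_discovery_url(SAMPLE_ID_TOKEN["openid2_id"]))
    print(id_token_matches_stored_identifier(SAMPLE_ID_TOKEN, stored))
```

The point of comparing canonical forms rather than raw strings is that the RP does not have to care which convention the OP chose for the claim value: a stored xri://xri.net/ identifier, a stored https://xri.net/ identifier and a bare CanonicalID all reduce to the same key, while an http(s) identifier that merely happens to live under xri.net is left alone. Account linking should only be done after the normal ID Token checks, since openid2_id is just another claim asserted by the OP.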