[Openid-specs-ab] display_identifier handling in OpenID 2.0 to OpenID Connect Migration

nov matake nov at matake.jp
Fri Aug 29 00:21:03 UTC 2014


If it’s the OIDF decision, I’m OK.

This bug will affect only Yahoo! and its RPs.
I don’t know any other major IdPs who use different values for openid.claimed_id and openid.identity.
And RPs can simply remove the fragment component from claimed_id when migrating in Yahoo!’s case.

For buggy RPs who use XRI, unfortunately…


ps.
In reality, the most major Rails authentication library (and its PHP fork too) uses display_identifier in its OpenID 2.0 module.
https://github.com/intridea/omniauth-openid/blob/master/lib/omniauth/strategies/open_id.rb#L69
https://github.com/opauth/openid/blob/master/OpenIDStrategy.php#L111

I tried to solve the Rails situation a long time ago, but my pull request to the oldest major Rails OpenID plugin was rejected.
So I gave up on fixing the bug in Rails RPs.
https://github.com/rails/open_id_authentication/pull/4


On 2014/08/29 0:18, Mike Jones <Michael.Jones at microsoft.com> wrote:

> I don’t think we should accommodate bugs.  That way lies madness.
>  
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
> Sent: Thursday, August 28, 2014 6:27 AM
> To: Markus Sabadello
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] display_identifier handling in OpenID 2.0 to OpenID Connect Migration
>  
> I meant that. Perhaps we can add a clarifying phrase. 
> 
> Nov's question, however, is about something different, I think. Buggy but popular OpenID 2.0 libraries are using OpenID.identity as the identifier that links asserted identity with the local account. These implementations will break with the current spec. The question is whether we should rescue them or not.
> 
> =nat via iPhone
> 
> On Aug 28, 2014 22:08, Markus Sabadello <markus.sabadello at gmail.com> wrote:
> 
> This has confused me as well when I read the spec.
> My sense is this spec should ignore openid.identity and just return openid.claimed_id = openid2_id.
> 
> Markus
> 
>  
> 
> On Thu, Aug 28, 2014 at 4:53 AM, nov matake <nov at matake.jp> wrote:
> OpenID 2.0 has 2 identifiers, openid.claimed_id & openid.identity.
> For historical reasons, some libraries/RPs are using openid.identity as the user identifier, unfortunately.
> 
> Does this migration spec have a plan to return openid.identity? Or just ignore such buggy libraries/RPs?
> 
> The biggest issue would be Y! inc & Y! Japan’s case.
> They have fragment component only in openid.claimed_id.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>  

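An added example, not from this thread or from any of the libraries linked above: one way an RP could look up a legacy account from the `openid2_id` claim when some accounts were stored under the fragment-less `openid.identity`, as in the Yahoo! case discussed. All method names, the host allowlist and the sample identifiers are hypothetical, and the ID token and `openid2_id` are assumed to have been verified already.

```ruby
require "uri"

# OPs known to put a fragment only in openid.claimed_id (constructed placeholder host).
FRAGMENT_FALLBACK_HOSTS = ["op.example"].freeze

# Identifier without its fragment; nil if it has none or is not a parseable URL.
def strip_fragment(identifier)
  uri = URI.parse(identifier)
  return nil if uri.fragment.nil? || uri.host.nil?
  uri.fragment = nil
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# accounts:   Hash of stored OpenID 2.0 identifier => local account id.
# openid2_id: verified openid2_id claim, i.e. the OpenID 2.0 claimed_id.
# Returns [account_id, stored_key], or nil when no legacy account matches.
def find_legacy_account(accounts, openid2_id)
  return [accounts[openid2_id], openid2_id] if accounts.key?(openid2_id)

  # Fallback for RPs that keyed accounts on openid.identity. Dropping the
  # fragment loses the OP's identifier-recycling distinction, so it is
  # limited to listed OPs and the account is re-keyed on first match.
  bare = strip_fragment(openid2_id)
  return nil if bare.nil?
  return nil unless FRAGMENT_FALLBACK_HOSTS.include?(URI.parse(bare).host)
  accounts.key?(bare) ? [accounts[bare], bare] : nil
end

# Re-key the account to the full claimed_id and record the Connect (iss, sub) pair.
def migrate!(accounts, links, openid2_id, iss, sub)
  account_id, stored_key = find_legacy_account(accounts, openid2_id)
  return nil if account_id.nil?
  accounts.delete(stored_key)
  accounts[openid2_id] = account_id
  links[[iss, sub]] = account_id
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: account 7 was stored under the fragment-less openid.identity.
  demo_accounts = { "https://op.example/a/abc" => 7 }
  demo_links = {}
  migrate!(demo_accounts, demo_links, "https://op.example/a/abc#f1", "https://op.example", "sub-1")
  p demo_accounts, demo_links
end
```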