openid.delegate explained.

Josh Hoyt josh at janrain.com
Tue Oct 3 21:18:33 UTC 2006


On 10/3/06, Marius Scurtescu <marius at sxip.com> wrote:
> 3. Bare responses will not work.

Ditto for IdP-driven identifier selection for a delegated identifier.

> A question about doing discovery on delegated identifiers. Would you
> expect the exactly same XRDS from both the claimed and delegated
> identifiers?

This kind of question is why I think that the mechanism is due for a
change. Delegated identifiers DO NOT get discovery run on them at all.
There is no technical reason that the "delegate" field needs to be a
valid identifier at all. An IdP could give the user an opaque string
or just a username or whatever.

An example to illustrate how delegation can make it hard to understand
what's going on:

1. Set up an IdP that will let me verify, say "bradfitz.com." This
does not mean that I have any control of bradfitz.com, just that if I
did, I could use this IdP.

2. Set up an identifier, say "j3h.us" to use "bradfitz.com" as a
delegate, and to use my weirdo IdP.

3. Do authentication of "j3h.us" to a RP, and the messages that go
back and forth will be about "bradfitz.com" and the authentication
will succeed. The confusing part is that this is the correct
behaviour.

Josh
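The delegation flow Josh walks through, as an added example that is not part of the original post: a relying party runs discovery on the claimed identifier only, sends the delegate string to the IdP verbatim, and ties the IdP's answer back to the claimed identifier through its own stored state. It assumes OpenID 1.1 `<link rel="openid.server">` / `<link rel="openid.delegate">` discovery; the hosts j3h.us and bradfitz.com are the ones from the post, while the IdP endpoint `https://idp.example/server`, the page contents, the second page `alice.example`, and the injected `check_authentication` callable are constructed for illustration.

```python
"""Added example (not from the mailing-list post): how an OpenID 1.1
relying party handles a delegated identifier. Hostnames j3h.us and
bradfitz.com come from the post; the IdP endpoint and the HTML pages
below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample pages for claimed identifiers. Only the claimed
# identifier's page is ever fetched; the delegate value is never used for
# discovery, so it need not be a resolvable identifier at all.
PAGES = {
    "http://j3h.us/": (
        '<html><head>'
        '<link rel="openid.server" href="https://idp.example/server">'
        '<link rel="openid.delegate" href="http://bradfitz.com/">'
        '</head><body>Josh</body></html>'
    ),
    "http://alice.example/": (
        '<html><head>'
        '<link rel="openid.server" href="https://idp.example/server">'
        '<link rel="openid.delegate" href="just-a-username">'
        '</head></html>'
    ),
}


class _LinkRelParser(HTMLParser):
    """Collect href values of <link rel="openid.server"/"openid.delegate">."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        if rel in ("openid.server", "openid.delegate") and a.get("href"):
            self.links.setdefault(rel, a["href"])  # first match wins


def discover(claimed_id, fetch):
    """Run discovery on the *claimed* identifier only.

    Returns (server_url, identity_to_send). If the page names a delegate,
    that string is sent to the IdP verbatim, whether or not it is a valid
    identifier in its own right; otherwise the claimed id itself is sent.
    """
    p = _LinkRelParser()
    p.feed(fetch(claimed_id))
    if "openid.server" not in p.links:
        raise ValueError("no openid.server link on %s" % claimed_id)
    return p.links["openid.server"], p.links.get("openid.delegate", claimed_id)


def start_auth(claimed_id, return_to, fetch):
    """Build the checkid_setup request plus the per-session state the RP
    must keep to tie the IdP's answer back to the claimed identifier."""
    server, identity = discover(claimed_id, fetch)
    state = {"claimed_id": claimed_id, "server": server, "identity": identity}
    args = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,   # the delegate, not the claimed id
        "openid.return_to": return_to,
    }
    return state, server + "?" + urlencode(args), args


def verify_response(state, response, check_authentication):
    """Validate an id_res response against the stored state.

    check_authentication(server, response) stands in for the RP's
    signature check against the IdP (hypothetical callable). The RP uses
    the server from *its own* discovery, never one named in the response,
    and compares openid.identity to the delegate it sent. On success the
    user is logged in as the claimed id, which is what the messages to and
    from the IdP never mention.
    """
    if response.get("openid.mode") != "id_res":
        return None
    if response.get("openid.identity") != state["identity"]:
        return None
    if not check_authentication(state["server"], response):
        return None
    return state["claimed_id"]


if __name__ == "__main__":
    st, url, _ = start_auth("http://j3h.us/", "https://rp.example/return", PAGES.__getitem__)
    print("redirect user to:", url)  # talks about bradfitz.com, not j3h.us
    ok = {"openid.mode": "id_res", "openid.identity": st["identity"]}
    print("logged in as:", verify_response(st, ok, lambda s, r: True))
```

The point the code makes is the one in the post: every message between RP and IdP names "bradfitz.com" while the RP reports a login for "j3h.us", and that is correct only because the RP's own discovery on "j3h.us" produced that delegate and that server. The `alice.example` page shows the same mechanism with an opaque delegate that is not an identifier at all.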
