[PROPOSAL] Separate Public Identifier from IdP Identifier
Martin Atkins
mart at degeneration.co.uk
Fri Oct 6 16:49:17 UTC 2006
Dick Hardt wrote:
> I like making all identifiers work the same way. The wording around
> directed identity is somewhat confusing. Would be clearer if there
> was a complete description of what happened. ie. complete the
> transaction. In Directed Identity, the RP needs to do discovery on
> the identifier provided to make sure the IdP is authoritative for it.
>
Perhaps I've misunderstood how directed identity works, but I figured
the flow would work as follows:
* The RP initiates Yadis discovery on http://anon.myidp.com/
* The IdP returns a document naming its authentication endpoint (in the
"URI" field) and a special anonymous token as openid:Token. openid:Token
may be the same as the public identifier from the previous step, but
this is not required.
* The RP initiates OpenID auth to the named endpoint using the openid:Token.
* The IdP notes that the special "anonymous" token has been used, but it
knows who the remote user is (via Cookies, for example) so it can
generate an identifier and remember that it belongs to that user/RP combo.
* IdP responds to RP with the generated public identifier (which *is*
publicly resolvable, of course.)
* RP resolves the IdP-provided public identifier, where the IdP will
provide for Yadis discovery and specify that it is authoritative for
that URL.
* We're done.
The important thing is that, just as I've separated the public
identifier from the IdP token (or handle, if you like), this separation
also applies to the IdP-generated public identifier.
(sorry that this is a bit rough. I've not really spent the necessary
amount of time preparing the above and I'm in a hurry, so if there are
spots where I'm not clear I apologise and I'll clarify later! :) )
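The flow above as an added in-memory simulation, not code from the thread or from any OpenID library; the hostnames under myidp.com, the endpoint path, the token value and the cookie-to-user mapping are assumptions. The point it makes concrete is the last step: the RP only trusts the asserted identifier after re-discovering it and confirming the same endpoint is authoritative for it.

```python
from dataclasses import dataclass, field
from typing import Optional
import secrets

# Constructed values; the thread only names http://anon.myidp.com/.
ANON_URL = "http://anon.myidp.com/"
ENDPOINT = "http://anon.myidp.com/openid"
ANON_TOKEN = "anonymous"


@dataclass
class IdP:
    """Identity provider: serves Yadis documents and answers auth requests."""
    issued: dict = field(default_factory=dict)   # public id -> (user, rp)
    by_pair: dict = field(default_factory=dict)  # (user, rp) -> public id

    def yadis(self, url: str) -> Optional[dict]:
        """Discovery document for a URL this IdP is authoritative for."""
        if url == ANON_URL:
            return {"URI": ENDPOINT, "Token": ANON_TOKEN}
        if url in self.issued:
            return {"URI": ENDPOINT, "Token": url}
        return None  # not ours: an RP must not accept assertions about it

    def authenticate(self, endpoint: str, token: str, user: str, rp: str) -> str:
        """Auth request; 'user' stands in for what the session cookie reveals."""
        if endpoint != ENDPOINT:
            raise ValueError("request sent to the wrong endpoint")
        if token != ANON_TOKEN:
            raise ValueError("only the anonymous token is modelled here")
        # One identifier per user/RP combination, remembered so that later
        # discovery on it resolves and names this IdP as authoritative.
        ident = self.by_pair.get((user, rp))
        if ident is None:
            ident = f"http://myidp.com/id/{secrets.token_hex(8)}"
            self.issued[ident] = (user, rp)
            self.by_pair[(user, rp)] = ident
        return ident


def rp_is_authoritative(idp: IdP, ident: str, endpoint: str) -> bool:
    """Re-discover the asserted identifier and compare the endpoint."""
    doc = idp.yadis(ident)
    return doc is not None and doc["URI"] == endpoint


def rp_login(idp: IdP, rp: str, user_cookie: str) -> str:
    """Full RP-side flow; returns the verified public identifier."""
    doc = idp.yadis(ANON_URL)  # discovery on the anonymous URL
    ident = idp.authenticate(doc["URI"], doc["Token"], user_cookie, rp)
    if not rp_is_authoritative(idp, ident, doc["URI"]):
        raise ValueError("IdP is not authoritative for the asserted identifier")
    return ident
```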