[PROPOSAL] Separate Public Identifier from IdP Identifier

Martin Atkins mart at degeneration.co.uk
Fri Oct 6 16:49:17 UTC 2006


Dick Hardt wrote:
> I like making all identifiers work the same way. The wording around  
> directed identity is somewhat confusing. Would be clearer if there  
> was a complete description of what happened. ie. complete the  
> transaction. In Directed Identity, the RP needs to do discovery on  
> the identifier provided to make sure the IdP is authoritative for it.
> 

Perhaps I've misunderstood how directed identity works, but I figured 
the flow would work as follows:

* The RP initiates Yadis discovery on http://anon.myidp.com/

* The IdP returns a document naming its authentication endpoint (in the 
"URI" field) and a special anonymous token as openid:Token. openid:Token 
may be the same as the public identifier from the previous step, but 
this is not required.

* The RP initiates OpenID auth to the named endpoint using the openid:Token.

* The IdP notes that the special "anonymous" token has been used, but it 
knows who the remote user is (via Cookies, for example) so it can 
generate an identifier and remember that it belongs to that user/RP combo.

* IdP responds to RP with the generated public identifier (which *is* 
publicly resolvable, of course.)

* RP resolves the IdP-provided public identifier, where the IdP will 
provide for Yadis discovery and specify that it is authoritative for 
that URL.

* We're done.

The important thing is that, just as I've separated the public 
identifier from the IdP token (or handle, if you like), this separation 
also applies to the IdP-generated public identifier.

(sorry that this is a bit rough. I've not really spent the necessary 
amount of time preparing the above and I'm in a hurry, so if there are 
spots where I'm not clear I apologise and I'll clarify later! :) )
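The six-step flow above, run in-process as an added example; this is not code from the original post or from any OpenID implementation, and it exists only to make the proposal's security check concrete. It assumes hostnames (myidp.example, victim.example, rogue.example), an endpoint path (/openid/auth), a namespace URI for openid:Token, and a literal "anonymous" token value, none of which the message specifies. A rogue IdP that asserts an identifier it does not host is included to show why the RP's final discovery step matters.

```python
import secrets
import xml.etree.ElementTree as ET

# xri://$xrds and xri://$xrd*($v*2.0) are the Yadis/XRDS namespaces;
# the openid: namespace URI is an assumption made for this example.
XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_NS = "http://openid.net/xmlns/1.0"


def make_xrds(endpoint, token):
    """Minimal Yadis document: auth endpoint in <URI>, handle in <openid:Token>."""
    return (
        f'<xrds:XRDS xmlns:xrds="{XRDS_NS}" xmlns="{XRD_NS}" xmlns:openid="{OPENID_NS}">'
        f"<XRD><Service><URI>{endpoint}</URI>"
        f"<openid:Token>{token}</openid:Token></Service></XRD></xrds:XRDS>"
    )


def parse_xrds(doc):
    """Return (endpoint, token) from an XRDS document; None for missing parts."""
    svc = ET.fromstring(doc).find(f".//{{{XRD_NS}}}Service")
    if svc is None:
        return None, None
    uri = svc.find(f"{{{XRD_NS}}}URI")
    tok = svc.find(f"{{{OPENID_NS}}}Token")
    return (uri.text if uri is not None else None,
            tok.text if tok is not None else None)


class IdP:
    """Identity provider offering directed identity via one anonymous URL."""

    def __init__(self, host):
        self.host = host                              # assumed hostname
        self.anon_id = f"http://anon.{host}/"         # public anonymous identifier
        self.endpoint = f"http://{host}/openid/auth"  # assumed endpoint path
        self.anon_token = "anonymous"                 # assumed special token
        self.issued = {}   # generated public identifier -> (user, realm, handle)

    def yadis(self, url):
        """Serve discovery only for URLs this IdP is authoritative for."""
        if url == self.anon_id:
            return make_xrds(self.endpoint, self.anon_token)
        if url in self.issued:
            return make_xrds(self.endpoint, self.issued[url][2])
        return None

    def authenticate(self, token, user, realm):
        """Auth request handler; `user` is whoever the IdP's cookie identifies."""
        if token == self.anon_token:
            for ident, (u, r, _) in self.issued.items():
                if (u, r) == (user, realm):
                    return ident              # same user/RP combo, same identifier
            ident = f"http://{self.host}/id/{secrets.token_urlsafe(9)}"
            self.issued[ident] = (user, realm, secrets.token_urlsafe(9))
            return ident
        for ident, (u, _, handle) in self.issued.items():
            if handle == token and u == user:
                return ident                  # ordinary login with a known handle
        return None


class RogueIdP(IdP):
    """Asserts an identifier it is not authoritative for (constructed attacker)."""

    def __init__(self, host, target):
        super().__init__(host)
        self.target = target

    def authenticate(self, token, user, realm):
        return self.target


class RP:
    def __init__(self, realm, fetch):
        self.realm = realm
        self.fetch = fetch   # url -> XRDS text or None; stands in for an HTTP GET

    def discover(self, url):
        doc = self.fetch(url)
        return parse_xrds(doc) if doc else (None, None)

    def login(self, claimed, idp_by_endpoint, user):
        endpoint, token = self.discover(claimed)
        if endpoint is None or endpoint not in idp_by_endpoint:
            return None
        asserted = idp_by_endpoint[endpoint].authenticate(token, user, self.realm)
        if asserted is None:
            return None
        # The proposal's final step: re-run discovery on the asserted identifier
        # and accept it only if it names the endpoint we actually talked to.
        auth_endpoint, _ = self.discover(asserted)
        return asserted if auth_endpoint == endpoint else None


def build_network(*idps):
    """Constructed stand-in for the web: route discovery fetches to the IdPs."""
    by_endpoint = {idp.endpoint: idp for idp in idps}

    def fetch(url):
        return next((d for d in (i.yadis(url) for i in idps) if d), None)
    return by_endpoint, fetch


def demo():
    honest, other = IdP("myidp.example"), IdP("victim.example")
    rogue = RogueIdP("rogue.example", target=other.anon_id)
    idps, fetch = build_network(honest, other, rogue)
    shop, forum = RP("http://shop.example/", fetch), RP("http://forum.example/", fetch)
    at_shop = shop.login(honest.anon_id, idps, user="alice")
    again = shop.login(honest.anon_id, idps, user="alice")     # stable per user/RP
    at_forum = forum.login(honest.anon_id, idps, user="alice")  # differs per RP
    relogin = shop.login(at_shop, idps, user="alice")          # generated id resolves
    rejected = shop.login(rogue.anon_id, idps, user="mallory")  # fails discovery check
    return at_shop, again, at_forum, relogin, rejected
```

In `demo()` the same user gets the same generated identifier at one RP and a different one at another, can later log in with the generated identifier directly, and the rogue provider's assertion of http://anon.victim.example/ is refused because discovery on that URL names a different endpoint.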
