[PROPOSAL] Separate Public Identifier from IdP Identifier

Dick Hardt dick at sxip.com
Mon Oct 9 21:51:38 UTC 2006


On 6-Oct-06, at 11:14 AM, Chris Drake wrote:

>
> An ***IdP*** can *initiate* the OpenID login with the RP using
> openid:Token.
>
> How the User arrived at the RP with this token is not the concern of
> the RP.  (could be javascript, browser plugins, participating IdP
> helper CGIs, or even the RP itself).  The point is - the guts of the
> authentication process remains unchanged and is backwards compatible,
> but all the privacy-invasive components that live at the RP are thus
> made *optional*.
>
> Simple as that.  User only needs to remember and use one ID.  User
> only needs to type it one time each day (or however long they elect to
> "stay logged on" for).  Datamatching and privacy invasion are
> eradicated.  No need to key custom IdP anonymity URLs ever.  Even
> facilitates double-blind anonymous logins (with inclusion of a simple
> RP nonce extension).  Win-win-win.

This is a great idea Chris!

Since the protocol from the RP point of view is it receives a POST
for the browser, how that gets started does not matter to the RP.

Now all we need is a way for the IdP to know which URL to send the POST to.

A couple options:

1) the RP includes the "login URL" in request messages to the IdP.
The IdP saves it for allowing the user to bookmark.

2) the RP has the "login URL" somewhere easily discoverable by the IdP

I would propose that both methods are supported.

-- Dick
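An added illustration of the two options above, not code from this thread or from any OpenID spec: an IdP-side store that learns an RP's "login URL" either from the RP's request (option 1) or by discovering it on the RP's page (option 2), and picks the saved one first. The parameter name `openid.login_url`, the link rel `openid.login`, and the hosts are assumptions; `openid.return_to` is the existing OpenID parameter.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _host(url):
    return (urlsplit(url).hostname or "").lower()


class _LoginLinkFinder(HTMLParser):
    # Collects href values of <link rel="openid.login"> (hypothetical rel).
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "openid.login" and a.get("href"):
            self.hrefs.append(a["href"])


class IdpLoginUrls:
    # IdP-side store of RP login URLs, keyed by RP host.
    def __init__(self):
        self.by_host = {}

    def learn_from_request(self, params):
        # Option 1: the RP put its login URL in the request it sent the IdP.
        url = params.get("openid.login_url")  # hypothetical parameter name
        rp_host = _host(params.get("openid.return_to", ""))
        # Keep it only if it is on the same host as the RP's return_to, so
        # one request cannot make the IdP remember another site's URL.
        if url and rp_host and _host(url) == rp_host:
            self.by_host[rp_host] = url
            return url
        return None

    def learn_from_html(self, rp_url, html):
        # Option 2: the RP publishes its login URL where the IdP can find it.
        finder = _LoginLinkFinder()
        finder.feed(html)
        for url in finder.hrefs:
            if _host(url) == _host(rp_url):
                self.by_host[_host(rp_url)] = url
                return url
        return None

    def resolve(self, rp_url, fetch_html):
        # Where to send the POST: a saved URL first, else discovery.
        return self.by_host.get(_host(rp_url)) or self.learn_from_html(rp_url, fetch_html(rp_url))


# Constructed sample input, not real traffic.
SAMPLE_REQUEST = {"openid.return_to": "https://rp.example/openid/return",
                  "openid.login_url": "https://rp.example/openid/login"}
SAMPLE_RP_PAGE = '<link rel="openid.login" href="https://rp.example/openid/login">'
```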


