Consolidated Delegate Proposal

Dick Hardt dick at sxip.com
Tue Oct 10 18:50:22 UTC 2006


On 10-Oct-06, at 11:44 AM, Josh Hoyt wrote:

> On 10/10/06, Dick Hardt <dick at sxip.com> wrote:
>> I don't think the delegate needs to be moved. Please see
>>         http://openid.net/pipermail/specs/2006-October/000310.html
>
> If I understand it correctly, this is identical to my original
> proposal[1]. I added rp_user_id because it prevents the IdP from
> having to do discovery when the RP has already done it. It is also a
> smaller change in the way that things work.

The IdP cannot trust the RP's discovery. The IdP will have to make
sure that the IdP is authoritative for the identifier regardless.

>
> I am happy with either my original proposal (your proposal) or having
> both fields in the request/response.

My proposal was pretty much your proposal with a couple tweaks
(sorry, I should have listed these to make it clearer).

- the IdP can return a different identity than the one the RP sent over

- since the delegate is only used by the IdP, the spec can be
simplified (in fact, this can be out of band of the spec since it is
a protocol between the user and the IdP, the RP is not involved)

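The point raised above, that the IdP must re-do discovery itself rather than trust what the RP sends, as an added Python sketch that is not part of this thread or of any OpenID implementation: the `rp_user_id` hint is the field proposed in the thread, the `openid.server`/`openid.delegate` link rels are OpenID 1.1 style HTML discovery, and the identifier pages and endpoint URLs are constructed.

```python
from html.parser import HTMLParser

MY_ENDPOINT = "https://idp.example/openid"  # constructed: this IdP's own server URL

# Constructed identifier pages, standing in for what the IdP fetches when it re-does discovery.
PAGES = {
    "https://alice.example/": (
        '<html><head>'
        '<link rel="openid.server" href="https://idp.example/openid">'
        '<link rel="openid.delegate" href="https://idp.example/u/alice">'
        '</head></html>'),
    "https://bob.example/": (
        '<html><head>'
        '<link rel="openid.server" href="https://other-idp.example/openid">'
        '</head></html>'),
}

class LinkRelParser(HTMLParser):
    """Collects <link rel=... href=...> entries from an identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for r in a["rel"].split():
                self.links[r.lower()] = a["href"]

def discover(html):
    """Return (server, delegate) declared by the identifier page; None where absent."""
    p = LinkRelParser()
    p.feed(html)
    return p.links.get("openid.server"), p.links.get("openid.delegate")

def idp_is_authoritative(claimed_id, rp_user_id, fetch=PAGES.get, my_endpoint=MY_ENDPOINT):
    """IdP-side check: run discovery on claimed_id ourselves instead of trusting the RP.
    Returns (ok, local_id); local_id is the delegate the IdP must actually authenticate."""
    html = fetch(claimed_id)
    if html is None:
        return False, None                  # identifier page not reachable: cannot assert
    server, delegate = discover(html)
    if server != my_endpoint:
        return False, None                  # this IdP is not authoritative for claimed_id
    local_id = delegate or claimed_id       # delegate is optional; fall back to the identifier
    if rp_user_id is not None and rp_user_id != local_id:
        return False, None                  # RP's hint disagrees with the page: hint is untrusted
    return True, local_id
```

The `rp_user_id` hint only ever short-circuits work when it agrees with the IdP's own discovery; a mismatch is rejected, so an RP cannot make the IdP assert an identifier it is not authoritative for.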