IdP assisting user to present previous identifier
Dick Hardt
dick at sxip.com
Thu Oct 19 16:30:07 UTC 2006
On 19-Oct-06, at 8:40 AM, Drummond Reed wrote:
> I agree the scenarios Dick proposes here make sense. However if the IdP can
> change an identifier parameter, it should be openid.portable, since: a)
> that's the one the RP is going to store, and b) that's the one the IdP MUST
> return with a different value anyway in the directed identity use case (case
> 1 at http://www.lifewiki.net/openid/ConsolidatedDelegationProposal).
>
> We need to carefully consider the security implications, but I believe they
> are covered by a simple rule: if the IdP returns a DIFFERENT openid.portable
> parameter value than the one sent by the RP, then the RP MUST verify that
> the IdP is authoritative for the new openid.portable identifier by doing
> discovery. If the RP finds that a different IdP is authoritative,
Which is what happens in directed identity.
> it MUST reinitiate login with that IdP.
>
> (Which essentially amounts to an "OpenID login redirect".)
Not sure that should be automatic. I think the user should be given
the choice about what to do then.
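The rule quoted above (verify by discovery whenever the returned openid.portable differs from the one sent, and do not silently redirect when another IdP turns out to be authoritative) written out as RP-side logic. This is an added example, not code from the thread, the proposal or any OpenID library. The parameter name openid.portable is taken from the thread; the discovery step is simulated with a constructed table (a real RP would fetch the identifier and parse its link/XRDS data), and the endpoint URLs, identifiers and the "ask_user" outcome are assumptions made for illustration.

```python
# Added example: RP-side handling of a changed openid.portable value.
# Discovery is simulated with a constructed table (identifier -> authoritative
# IdP endpoint); all URLs below are made up for illustration.

from dataclasses import dataclass
from typing import Optional

# Constructed sample discovery data, standing in for fetching each identifier.
DISCOVERY_TABLE = {
    "http://alice.example.org/": "https://idp-a.example.net/openid",
    "http://alice.example.com/": "https://idp-a.example.net/openid",
    "http://bob.example.org/":   "https://idp-b.example.net/openid",
}


def discover(identifier: str) -> Optional[str]:
    """Simulated discovery: the IdP endpoint authoritative for identifier, or None.

    A real RP would fetch the identifier URL here and compare the endpoint it
    declares, after normalisation, with the endpoint that sent the assertion.
    """
    return DISCOVERY_TABLE.get(identifier)


@dataclass
class Decision:
    action: str                            # "accept", "ask_user" or "reject"
    portable: str                          # identifier the RP should store
    authoritative_idp: Optional[str] = None  # IdP that discovery says owns it
    reason: str = ""


def check_portable(sent_portable: str, returned_portable: str,
                   responding_idp: str) -> Decision:
    """Apply the rule from the thread to one assertion.

    sent_portable     - openid.portable value the RP put in the request
                        (in directed identity this may be an IdP-level value)
    returned_portable - openid.portable value the IdP sent back
    responding_idp    - endpoint that produced the assertion
    """
    if returned_portable == sent_portable:
        # Nothing changed; the RP's existing verification of the assertion stands.
        return Decision("accept", returned_portable, responding_idp,
                        "identifier unchanged")

    # Different identifier came back: the RP MUST do discovery on it.
    authoritative = discover(returned_portable)
    if authoritative is None:
        return Decision("reject", sent_portable, None,
                        "discovery failed for the returned identifier")

    if authoritative == responding_idp:
        # The IdP that asserted the new identifier is the one authoritative for it.
        return Decision("accept", returned_portable, authoritative,
                        "responding IdP is authoritative for the new identifier")

    # Another IdP is authoritative. Rather than reinitiating login automatically,
    # hand the choice back to the user, as the reply above suggests; the
    # original identifier is kept so nothing is stored on the IdP's say-so.
    return Decision("ask_user", sent_portable, authoritative,
                    "a different IdP is authoritative; offer the user a login "
                    "redirect instead of performing it automatically")


if __name__ == "__main__":
    for sent, returned in [
        ("http://alice.example.org/", "http://alice.example.org/"),
        ("http://alice.example.org/", "http://alice.example.com/"),
        ("http://alice.example.org/", "http://bob.example.org/"),
        ("http://alice.example.org/", "http://nobody.example.org/"),
    ]:
        d = check_portable(sent, returned, "https://idp-a.example.net/openid")
        print(f"{returned!r:32} -> {d.action:8} store={d.portable!r} ({d.reason})")
```

The only place the RP takes the IdP's word for anything is the "accept" branch where discovery on the new identifier points back at the very endpoint that asserted it; every other outcome either keeps the identifier the RP started with or stops.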