IdP assisting user to present previous identifier

Dick Hardt dick at sxip.com
Thu Oct 19 16:30:07 UTC 2006


On 19-Oct-06, at 8:40 AM, Drummond Reed wrote:

> I agree the scenarios Dick proposes here make sense. However if the IdP can change an identifier parameter, it should be openid.portable, since: a) that's the one the RP is going to store, and b) that's the one the IdP MUST return with a different value anyway in the directed identity use case (case 1 at http://www.lifewiki.net/openid/ConsolidatedDelegationProposal).
>
> We need to carefully consider the security implications, but I believe they are covered by a simple rule: if the IdP returns a DIFFERENT openid.portable parameter value than the one sent by the RP, then the RP MUST verify that the IdP is authoritative for the new openid.portable identifier by doing discovery. If the RP finds that a different IdP is authoritative,

Which is what happens in directed identity.

> it MUST reinitiate login with that IdP.
>
> (Which essentially amounts to an "OpenID login redirect".)

Not sure that should be automatic. I think the user should be given the choice about what to do then.
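The rule Drummond states above (an RP that receives a changed openid.portable MUST re-run discovery and confirm the asserting IdP is authoritative for it) is the part an RP implementer actually has to get right, because without it an IdP could hand back an identifier that belongs to some other IdP's user. The following is an added example, not code from this thread or from any OpenID library. It simulates discovery with a constructed lookup table (a real RP would fetch the identifier URL and do Yadis/HTML discovery), and it returns a status instead of redirecting, so the application can prompt the user rather than re-initiating login automatically, as Dick suggests. The status name "unresolvable" for an identifier that discovery cannot resolve at all is this example's own addition.

```python
"""RP-side check for a changed openid.portable value (added example).

Discovery is simulated: CONSTRUCTED_DISCOVERY stands in for fetching the
identifier and reading the IdP endpoint it declares. All identifiers and
endpoints below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed: identifier -> IdP endpoint that discovery would report.
CONSTRUCTED_DISCOVERY = {
    "http://alice.example.net/": "https://idp-a.example.com/openid",
    # A second identifier the same IdP is authoritative for (directed identity case).
    "http://alice-directed.example.net/": "https://idp-a.example.com/openid",
    # An identifier that belongs to a different IdP entirely.
    "http://alice.example.org/": "https://idp-b.example.com/openid",
}


def discover(identifier: str) -> Optional[str]:
    """Simulated discovery: the IdP endpoint authoritative for identifier, or None."""
    return CONSTRUCTED_DISCOVERY.get(identifier)


@dataclass(frozen=True)
class Decision:
    status: str            # "unchanged" | "verified" | "reinitiate" | "unresolvable"
    identifier: str        # the openid.portable value the RP should act on
    idp: Optional[str]     # IdP endpoint authoritative for that identifier, if known


def check_returned_portable(
    sent_portable: str,
    returned_portable: str,
    asserting_idp: str,
    discover_fn: Callable[[str], Optional[str]] = discover,
) -> Decision:
    """Apply the rule from the thread to the openid.portable value in an assertion.

    asserting_idp is the endpoint the RP sent the request to and received the
    assertion from. If the value is unchanged, nothing new needs verifying
    (the RP already discovered sent_portable before starting login).
    """
    if returned_portable == sent_portable:
        return Decision("unchanged", sent_portable, asserting_idp)

    authoritative = discover_fn(returned_portable)
    if authoritative is None:
        # Discovery found no IdP at all: the RP must not store this identifier.
        return Decision("unresolvable", returned_portable, None)
    if authoritative == asserting_idp:
        # Same IdP is authoritative for the new identifier: safe to accept/store.
        return Decision("verified", returned_portable, asserting_idp)
    # A different IdP is authoritative: the thread's rule says re-initiate
    # login with that IdP; returning the status leaves that choice to the app/user.
    return Decision("reinitiate", returned_portable, authoritative)


if __name__ == "__main__":
    sent = "http://alice.example.net/"
    idp_a = "https://idp-a.example.com/openid"
    for returned in (sent, "http://alice-directed.example.net/",
                     "http://alice.example.org/", "http://nobody.example/"):
        print(returned, "->", check_returned_portable(sent, returned, idp_a))
```

The check compares the discovered endpoint against the endpoint that actually issued the assertion, not against whatever the assertion claims; that is the detail that keeps one IdP from asserting identifiers another IdP controls.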