PROPOSAL: RP identifier

Martin Atkins mart at degeneration.co.uk
Sun Oct 22 17:44:17 UTC 2006


Dick Hardt wrote:
> 
> The issue here is that realm is an overloaded parameter. It is being  
> presented to the user for the user to decide if it wants to IdP to  
> provide similar results to any RP return_to that matches the  
> wildcard. It is also being used by the IdP to uniquely identify the RP.
> 

Those two seem to be the same thing to me.

The user says to the IdP "Sure, tell this RP that I'm me and don't ask 
me next time." IdP remembers that preference based on the realm. That 
preference is keyed on the realm, and thus the realm *is* the unique 
identifier, in a funny sort of way.

You seem to be conflating "relying party" with "relying party's 
return_to URL". LiveJournal is a relying party with a realm of 
http://*.livejournal.com/; it may well have multiple return_to 
endpoints, but they all belong the same relying party. Any settings the 
IdP keeps for that [user, relying party] pair should apply to all 
endpoints inside that realm. [1]


[1] Unless of course an RP with a more specific realm exists inside 
LiveJournal's. It's debatable whether settings applied to LiveJournal 
should be inherited by RPs with sub-set realms. Shall we debate this? :)




More information about the specs mailing list