Differentiating between User Identifier and OP Identifier

Eran Hammer-Lahav eran at hammer-lahav.net
Sat Jul 28 03:33:18 UTC 2007


Hello,

 

I am new to this group and OpenID in general so apologies if I repeat
questions already asked here before. I did try to read a few months of
backlog to catchup.

 

I've spent the past 10 days implementing OpenID support for session
authentication. I am currently working on an OpenId 2.0 RP implementation in
C++ for a web service I am developing. The idea is to use OpenId to
authenticate users' access to the API which is a framework enabling
developers to build their own micro-blogging sites. Due to the nature of the
platform, I am forced to implement the RP logic from scratch. The C++
libraries found are all 1.1, and I am not sure what is the state of the 2.0
libraries.

 

I have been studying the spec and came up with a long list of issues and
open questions mostly through implementation. I will post each
question/issue separately to make it easier to track the threads and better
archive the conversation. If this is annoying please let me know.

 

This question is based on draft 11 of OpenID Authentication 2.0.

 

Section 2 describe the User-Supplied Identifier, and section 3 bullet 2
provided the workflow, allowing users to provide a User Identity or an OP
Endpoint ID. Section 7.3.1 provides a little more information but not much.
The document is not very clear about the difference and how to decide what
ID the user supplied. It is critical as the end of section 7.3.1 requires
special value of the id fields to be used with an OP Endpoint.

 

If the ID discovery leads to an XRDS document, I am guessing that if that
document contains an OP Identifier element, it might mean that this is a
server Id, but what if it also contains a claimed Id element? Is that not
allowed? And in that case, is the Canonical Id ignored? But this theory only
works for XRDS discovery. What about HTML discovery? Also, is there a
difference in the handling of an XRDS discovery depending on how it was
attained (XRI or Yadis)?

 

Also, should I be using / referencing a newer version of the 2.0 draft?

 

Thanks,

 

Eran Hammer-Lahav (=eran)

Hueniverse, LLC

http://hueniverse.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20070727/055b7761/attachment-0002.htm>


More information about the specs mailing list