Differentiating between User Identifier and OP Identifier

Johnny Bufu johnny at sxip.com
Sat Jul 28 05:38:01 UTC 2007


Hi Eran,

On 27-Jul-07, at 8:33 PM, Eran Hammer-Lahav wrote:
> Section 2 describes the User-Supplied Identifier, and section 3 bullet 2
> provided the workflow, allowing users to provide a User Identity or an OP
> Endpoint ID. Section 7.3.1 provides a little more information but not much.
> The document is not very clear about the difference and how to decide what
> ID the user supplied. It is critical as the end of section 7.3.1 requires
> a special value of the id fields to be used with an OP Endpoint.

The service type determines this for XRDS based discovery.

For HTML discovery:

"7.3.3.  HTML-Based Discovery
[...] HTML-Based discovery is only usable for discovery of Claimed  
Identifiers. OP Identifiers must be XRIs or URLs that support XRDS  
discovery."


> If the ID discovery leads to an XRDS document, I am guessing that if that
> document contains an OP Identifier element, it might mean that this is a
> server Id, but what if it also contains a claimed Id element? Is that not
> allowed?

"7.3.2.2.  Extracting Authentication Data

Once the Relying Party has obtained an XRDS document, it MUST first  
search the document (following the rules described in  
[XRI_Resolution_2.0]) for an OP Identifier Element. If none is found,  
the RP will search for a Claimed Identifier Element."

> And in that case, is the Canonical Id ignored?

If an OP Identifier element was found, there is no claimed identifier  
and yes - the canonical id is ignored. The claimed_id field is set to  
the special value "http://specs.openid.net/auth/2.0/identifier_select"

> But this theory only works for XRDS discovery.

Correct.

> What about HTML discovery?

See above.

> Also, is there a difference in the handling of an XRDS discovery
> depending on how it was attained (XRI or Yadis)?

Yes, in the way the claimed identifier is determined (canonical id  
for XRIs vs normalized URL). See section 2.

BTW: Yadis was merged into the XRI resolution spec, where it occupies  
one section that fits into one browser window page and is (in my  
opinion) much easier to read and implement:
http://wiki.oasis-open.org/xri/XriCd02/XrdsDiscoveryFromHttpUris

(We have proof-read it a few weeks ago to make sure it's 100%  
equivalent to the Yadis spec.)


> Also, should I be using / referencing a newer version of the 2.0  
> draft?

Draft 11 is the latest published one.

The notable changes in SVN since draft 11 are:
- realm validation
- identifier recycling
http://openid.net/svn/listing.php?repname=specifications&path=%2Fauthentication


Hope this helps,
Johnny
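
The search order quoted from section 7.3.2.2 above, as an added example that is not part of the original message or of any OpenID library: a Relying Party looks for an OP Identifier Element first and falls back to a Claimed Identifier Element only if none is found. Assumptions: the two service Type URIs are the ones OpenID Authentication 2.0 defines for these elements, the function names are hypothetical, and the XRDS sample is constructed.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"  # XRD 2.0 namespace
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"
CLAIMED_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/signon"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed sample: one XRD carrying BOTH element kinds plus a CanonicalID.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD>
  <CanonicalID>=!1000.EXAMPLE</CanonicalID>
  <Service priority="10">
   <Type>http://specs.openid.net/auth/2.0/signon</Type>
   <URI>https://op.example/signon</URI>
  </Service>
  <Service priority="20">
   <Type>http://specs.openid.net/auth/2.0/server</Type>
   <URI>https://op.example/server</URI>
  </Service>
 </XRD>
</xrds:XRDS>"""

def _endpoint_for(xrd, wanted_type):
    """Return the best-priority URI of a Service with the wanted Type, or None."""
    hits = []
    for svc in xrd.findall(XRD + "Service"):
        types = {(t.text or "").strip() for t in svc.findall(XRD + "Type")}
        uri = (svc.findtext(XRD + "URI") or "").strip()
        if wanted_type in types and uri:
            prio = svc.get("priority", "")
            # Lower number wins; a missing priority sorts last.
            hits.append((int(prio) if prio.isdigit() else float("inf"), uri))
    return min(hits)[1] if hits else None

def extract_auth_data(xrds_text, claimed_identifier):
    """claimed_identifier: what the RP derived (normalized URL or XRI CanonicalID)."""
    # Untrusted input: real code should use a hardened XML parser and size limits.
    xrds = ET.fromstring(xrds_text).findall(XRD + "XRD")
    if not xrds:
        return None
    final_xrd = xrds[-1]  # the last XRD describes the identifier itself
    endpoint = _endpoint_for(final_xrd, OP_IDENTIFIER_TYPE)
    if endpoint:  # OP Identifier Element found: no claimed identifier yet
        return {"kind": "op_identifier", "endpoint": endpoint,
                "claimed_id": IDENTIFIER_SELECT}
    endpoint = _endpoint_for(final_xrd, CLAIMED_IDENTIFIER_TYPE)
    if endpoint:
        return {"kind": "claimed_identifier", "endpoint": endpoint,
                "claimed_id": claimed_identifier}
    return None
```

On the sample, the OP Identifier Element is chosen even though the signon service has the better priority, and the CanonicalID plays no part in the result.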



