RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

Boris Erdmann boris.erdmann at googlemail.com
Fri May 18 07:36:05 UTC 2007


> If these four issues are resolved, can we call the OpenID 2.0
> Authentication specification done? Speak up if you have any other
> show-stoppers.
>
> Josh

Yesterday, Dmitry and I had a long talk about browser support for
OpenID. I think it is consensus between the two of us that there
are lots of snares for browsers if there is no way for browsers
to detect OPs or even RPs.

As of today browsers are forced to make untenable assumptions to
detect OPs or RPs. Read
http://openid.net/specs/openid-authentication-2_0-11.html#initiation:
"The form field's "name" attribute SHOULD have the value
"openid_identifier"" is the only point at which a browser can grip the
protocol. (And the field name is different from OpenID 1.x.)

We also discussed the fact that the spec does not provide any hints
WHEN in the flow of the protocol the RP-OP transition takes place.
  It is valid that between entering an OpenID at an RP site
  and redirecting to an OP lots of pages get displayed by the
  RP (as part of non-sreg registration, for example).
  OpenID 2.0 allowing for POST redirects adds to this.

Therefore hints for robust OP detection would not hurt either.

-- Boris
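The form-field hook Boris describes, and how thin it is, as an added example that is not part of the message above and not code from any OpenID project: a detector that scans a page's HTML for the one thing a browser can grip, an input named "openid_identifier" (the OpenID 2.0 draft's SHOULD). It also checks for "openid_url", which is assumed here to be the OpenID 1.x field name (the message only says the 1.x name differs). The three sample pages are constructed for the example; the third one shows the snare, an RP whose login form uses a different field name and is therefore invisible to the heuristic.

```python
"""Heuristic OpenID RP detection from a page's form fields (added example).

The only hook this message points at is an <input> whose name attribute is
"openid_identifier" (OpenID 2.0 draft 11, SHOULD). "openid_url" is included
as an ASSUMED OpenID 1.x field name; it is not stated in the message.
"""
from html.parser import HTMLParser

# field name -> protocol version the name suggests
OPENID_FIELD_NAMES = {
    "openid_identifier": "2.0",  # name the 2.0 draft says the field SHOULD have
    "openid_url": "1.x",         # assumed 1.x field name (not from the message)
}


class RPFormDetector(HTMLParser):
    """Collects (version, form action, input name) for every OpenID-looking input."""

    def __init__(self):
        super().__init__()
        self._form = None   # attributes of the <form> currently open, if any
        self.hits = []      # list of (version, action, field name)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; values may be None (e.g. <input disabled>)
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = attrs
        elif tag == "input":
            name = attrs.get("name", "")
            version = OPENID_FIELD_NAMES.get(name.lower())
            if version:
                action = (self._form or {}).get("action", "")
                self.hits.append((version, action, name))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def detect_openid_forms(html):
    """Return every OpenID login form the page exposes through the field-name hook."""
    parser = RPFormDetector()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample pages (not captured from any real site).
PAGE_OPENID2 = """
<html><body>
<form method="post" action="/login">
  <label>OpenID <input type="text" name="openid_identifier" size="40"></label>
  <input type="submit" value="Log in">
</form>
</body></html>
"""

PAGE_OPENID1 = """
<form action="https://example.test/openid/start">
  <input type="text" name="openid_url">
</form>
"""

# The snare: this RP accepts an OpenID but names the field differently,
# so a browser relying on the spec's SHOULD cannot see it.
PAGE_UNDETECTABLE = """
<form action="/signin">
  <p>Sign in with your OpenID</p>
  <input type="text" name="identity" placeholder="you.example.test">
  <input type="submit">
</form>
"""


def summarize(html):
    """Map a page to the OpenID version its forms reveal, or None if nothing is detectable."""
    hits = detect_openid_forms(html)
    return hits[0][0] if hits else None


if __name__ == "__main__":
    for label, page in [("2.0 page", PAGE_OPENID2), ("1.x page", PAGE_OPENID1),
                        ("renamed field", PAGE_UNDETECTABLE)]:
        print(label, "->", detect_openid_forms(page))
```

The third page is the point of the exercise: nothing in the markup is wrong, the RP simply ignored a SHOULD, and a browser has no second signal to fall back on. Detecting the OP is worse still, because the message notes that the spec gives no hook at all for where in the flow the RP-to-OP transition happens, so there is nothing for a parser like this one to look for on that side.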
