directed identity + HTML discovery: is this right?

Johnny Bufu johnny at sxip.com
Fri May 18 22:21:26 UTC 2007


On 18-May-07, at 2:19 PM, Peter Watkins wrote:
> [...]
> Would we put the OP-Local Identifier in both openid.claimed_id *and*
> openid.identity?

The user/OP can choose to send the local_id as the claimed identifier, or
any other claimed identifier that delegates to the local_id sent as
openid.identity in the response.

> I'm confused about section 10.1's discussion of openid.claimed_id: "Note:
> The end user MAY choose to use an OP-Local Identifier as a Claimed
> Identifier." This reads like a slight restatement of the earlier language
> suggesting users' choosing their own OP-Local Identifier (section 10, "If
> the relying party requested OP-driven identifier selection... the OP SHOULD
> allow the end user to choose which Identifier to use."), but it's subtly
> different and suggests two things to me:
>  1) a user interface requirement on the OP side (the user cannot choose
>     an identifier after the RP authentication request and before the
>     OP's authentication response unless the OP has some sort of user
>     interface to allow the user to make such a choice, so this looks like
>     it might be equivalent to something like "the OP MUST allow the end
>     user to choose an OP-Local Identifier for use in the response"

It doesn't have to be a MUST. If the user has only one such identifier at
the OP, there is no choice to be made.

>  2) that the OP might return a Claimed ID of the user's choosing even if
>     the RP did not send the identifier_select identity request param
> Should this read "The OP MAY allow the end user to choose an OP-Local
> Identifier as a Claimed Identifier if there are multiple Identifiers for
> which the end user is authorized to issue authentication responses and the
> relying party requested OP-driven identifier selection by setting
> "openid.identity" to "http://specs.openid.net/auth/2.0/identifier_select""

The user/OP can choose an OP-local identifier as a claimed identifier
(different from the one in the request) even if there is only one
available. Also, "for which the user is authorized to issue authentication
responses" is part of the definition of an OP-local identifier, so I
wouldn't put that in.

> Also, this "MAY" language suggests that openid.claimed_id in the response
> can itself be an OP-Local Identifier and differ from the openid.claimed_id
> value that the RP passed in the authentication request. Is that correct?

Yes. This is reinforced in 10.1, openid.identity :

	Note: Relying Parties SHOULD accept and verify assertions about
	Identifiers for which they have not requested authentication. OpenID
	Providers MAY assist the end user in selecting the Claimed and
	OP-Local Identifiers about which the assertion is made.

> In an OpenID 2.0 transaction, if openid.claimed_id and openid.identity in
> the response differ, which value is the RP to use as the user's URL?

The claimed identifier (after verification, of course).


> Could the draft be updated to clarify the uses of these two response items?

I believe this is covered in 11.2 Verifying Discovered Information.


Johnny
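
The 11.2 check Johnny points to, as an added example for this thread (not code from the spec or from any OpenID library). It performs HTML discovery on the Claimed Identifier taken from the response, not from the request, and accepts the assertion only if the page names the same OP endpoint and the same OP-Local Identifier that the OP asserted in openid.identity. A Claimed Identifier with no openid2.local_id link is its own OP-Local Identifier, which is the case where the user chose the OP-Local Identifier as the Claimed Identifier. The fetch function and the pages it returns are constructed for the example; the URLs are hypothetical.

```python
"""Relying-party side of OpenID 2.0 section 11.2 ("Verifying Discovered
Information") for HTML discovery. Added example; not spec or library code."""
from html.parser import HTMLParser
from urllib.parse import urldefrag

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


class _OpenIDLinkParser(HTMLParser):
    """Collects the first openid2.provider / openid2.local_id <link> in <head>."""

    def __init__(self):
        super().__init__()
        self.provider = None
        self.local_id = None
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        href = a.get("href")
        if "openid2.provider" in rels and href and self.provider is None:
            self.provider = href
        if "openid2.local_id" in rels and href and self.local_id is None:
            self.local_id = href

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def html_discover(claimed_id, html):
    """Return (op_endpoint, op_local_id) found in the HTML of claimed_id, or
    None if the page carries no openid2.provider link. Without an
    openid2.local_id link, the Claimed Identifier is its own OP-Local
    Identifier."""
    p = _OpenIDLinkParser()
    p.feed(html)
    if p.provider is None:
        return None
    return p.provider, p.local_id or claimed_id


def verify_assertion(response, fetch):
    """Section 11.2 check of a positive assertion. `response` holds the
    openid.* fields as a dict; `fetch(url)` is a hypothetical stand-in for
    an HTTP GET that returns the page body or None."""
    claimed = response.get("openid.claimed_id")
    identity = response.get("openid.identity")
    if not claimed or not identity:
        return False
    if IDENTIFIER_SELECT in (claimed, identity):
        return False  # OP never replaced the placeholder with a real identifier
    # Discovery is done on the Claimed Identifier *from the response*; a fragment
    # stays part of the identifier but is stripped before discovery (11.5.2).
    url, _fragment = urldefrag(claimed)
    html = fetch(url)
    if html is None:
        return False
    discovered = html_discover(url, html)
    if discovered is None:
        return False
    op_endpoint, local_id = discovered
    # Both the endpoint that signed and the OP-Local Identifier must match what
    # the Claimed Identifier's own page delegates to; otherwise any OP could
    # assert any OP-Local Identifier under someone else's Claimed Identifier.
    return (op_endpoint == response.get("openid.op_endpoint")
            and local_id == identity)


# Constructed pages standing in for HTTP GETs of hypothetical URLs.
PAGES = {
    # Alice's own URL delegates to her OP-Local Identifier at op.example.com.
    "https://alice.example.net/": """<html><head>
      <link rel="openid2.provider" href="https://op.example.com/endpoint">
      <link rel="openid2.local_id" href="https://op.example.com/alice">
    </head><body>Alice</body></html>""",
    # The OP-Local Identifier used directly as the Claimed Identifier.
    "https://op.example.com/alice": """<html><head>
      <link rel="openid2.provider" href="https://op.example.com/endpoint">
    </head><body>Alice at the OP</body></html>""",
}


def fetch_constructed(url):
    return PAGES.get(url)


if __name__ == "__main__":
    delegated = {"openid.claimed_id": "https://alice.example.net/",
                 "openid.identity": "https://op.example.com/alice",
                 "openid.op_endpoint": "https://op.example.com/endpoint"}
    print(verify_assertion(delegated, fetch_constructed))
```

This is only the discovery-consistency step; a real RP still has to check the return_to URL, the nonce, and the signature over the response (sections 11.1, 11.3 and 11.4) before trusting openid.claimed_id as the user's identifier.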