OpenID 3.0

James Henstridge james at jamesh.id.au
Mon Feb 4 03:23:26 UTC 2008


On 04/02/2008, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
> James Henstridge wrote:
> > Of course, the OP is restricted to returning identities that it is
> > authoritative for.  This is what allows any yahoo user to enter
> > "yahoo.com" as their OpenID identifier while still letting RPs tell
> > them apart.
>
> Right, that's what I thought...What does it have to return however?
> Is it enough to return [openid_identity] => https://somenick.domain.com/,
> [openid_claimed_id] => https://domain.com/ ?

That is possible provided that performing discovery on
https://domain.com/ gives you https://somenick.domain.com/ as the OP
local identifier and uses the given OP.

When selecting an identifier, the OP chooses both the local identifier
(openid.identifier) and claimed ID (openid.claimed_id).


> > My point was that in cases where you do want to limit things to a
> > single OP, it is worth considering this mode, since it does not
> > require the user to enter any credentials (username or password) at
> > the RP site.
>
> Yes, that is rather easy. It gets somewhat more tricky when you want to
> use a group of providers and ban certain providers. All doable, but not
> standardized yet, e.g. white/black lists.

As Kevin said, you can always apply that kind of policy at the end of
the authentication process.  You can do that with either OpenID 1.x or
2.0.

James.
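The two RP-side checks discussed above, the discovery check that keeps an OP from asserting identifiers it is not authoritative for and the provider allow/deny policy applied once authentication completes, as an added example that is not code from this thread or from any OpenID library. It assumes a constructed discovery table in place of a real HTTP fetch of the Claimed Identifier, and that the response signature has already been verified separately.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-in for discovery on a Claimed Identifier. Real RP code
# fetches the URL and parses its XRDS document or HTML <link> tags to learn
# the OP endpoint and the optional OP-Local Identifier.
DISCOVERY: Dict[str, Dict[str, Optional[str]]] = {
    "https://domain.com/": {"op_endpoint": "https://op.domain.com/server",
                            "op_local_id": "https://somenick.domain.com/"},
    "https://alice.example.net/": {"op_endpoint": "https://op.example.net/auth",
                                   "op_local_id": None},
}


def discover(claimed_id: str) -> Optional[Dict[str, Optional[str]]]:
    """Look up the constructed discovery table (placeholder for an HTTP fetch)."""
    return DISCOVERY.get(claimed_id)


def verify_assertion(response: Dict[str, str],
                     trusted_ops: Optional[set] = None) -> Tuple[bool, str]:
    """Validate the identifiers in an OpenID 2.0 positive assertion.

    The OP picks both openid.claimed_id and openid.identity, so the RP must
    re-discover the claimed_id itself and confirm (a) discovery names the
    same OP endpoint that produced the response and (b) the OP-Local
    Identifier from discovery, or the claimed_id when there is none, equals
    openid.identity. An optional allowlist of OP endpoints is applied last,
    as the RP-side policy step. Returns (ok, claimed_id_or_reason).
    """
    claimed_id = response.get("openid.claimed_id")
    identity = response.get("openid.identity")
    op_endpoint = response.get("openid.op_endpoint")
    if not (claimed_id and identity and op_endpoint):
        return False, "missing identifier fields"
    info = discover(claimed_id)
    if info is None:
        return False, "discovery on claimed_id failed"
    if info["op_endpoint"] != op_endpoint:
        return False, "OP is not authoritative for this claimed_id"
    expected_local = info["op_local_id"] or claimed_id
    if identity != expected_local:
        return False, "openid.identity does not match discovered local id"
    if trusted_ops is not None and op_endpoint not in trusted_ops:
        return False, "OP not in RP allowlist"
    return True, claimed_id
```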
