OpenID Email Discovery

James Henstridge james at jamesh.id.au
Fri Jan 4 01:19:09 UTC 2008


On 04/01/2008, Eran Hammer-Lahav <eran at hueniverse.com> wrote:
> (The full story is posted at
> http://www.hueniverse.com/hueniverse/2008/01/addressing-open.html
> but this contains the technical parts of the post).

A few questions come to mind here:

1. There is no fundamental reason why you couldn't use something like
"mailto:joe at example.com" as the openid.identity or openid.claimed_id
in an authentication response: all that is missing is a way to perform
discovery on such a URI.

Your proposal seems to involve mapping from email address to an HTTP
URI and then performing discovery according to the current standard.
Have you considered methods of discovery that don't need an
intermediate HTTP URI?

2. Your idea requires a moderately complex rule parser in RPs.  Does
this offer much value?  For the use case in your article (users who
don't care about OpenID but want to use their email address to log
in), there doesn't seem much cause for per-user rules.  Could you get
away with a single endpoint URL for the domain?

Of course, this doesn't close off per-user delegation completely: you
can always delegate during the authentication request phase rather
than the discovery phase.

James.


