Difference between 1.0 and 1.1

Kevin Turner kevin at janrain.com
Wed Mar 12 18:00:57 UTC 2008


On Wed, 2008-03-12 at 16:28 +0200, techtonik wrote:
> But 1.1 OpenID server doesn't know anything about openid.ns, because
> it was added only in 2.0. Therefore server fails to authenticate and
> this should be considered a bug in consumer, which should not send
> openid.ns at all. If everything above is right then where is the logic
> and what are the reasons for consumer to send
> openid.ns="http://openid.net/signon/1.1" at all?

Yeah, we discovered that there are people sending openid.ns with v1
messages to myOpenID.  I think the case where this happens most is when
someone has set up their own page with version 1 style delegation, with
an "openid.server" link instead of "openid2.provider".  Then you can get
a v2-capable RP talking to a v2-capable OP, but since the delegation
format is stale, they use v1 messages.  Whereas a real v1 OP may well
just ignore "openid.ns", because it didn't exist, this ns-aware
v2-capable OP tries to inspect it to see what version it is...

and the fact that there are *two* namespaces in the v2 spec for v1
OpenID is sort of a disaster, but both of them are being used in this
way now.  (Drupal was sending whichever one I wasn't expecting...)
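
The version check described in the message above, as an added example that is not part of the original post and is not Janrain's code: an ns-aware OP that accepts a missing openid.ns and either v1 namespace as version 1, and rejects anything else. The function and exception names are hypothetical; the 1.0 and 2.0 namespace URIs come from the OpenID 2.0 specification, not from this thread, and rejecting a repeated openid.ns is a choice made for this example.

```python
from urllib.parse import parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# The two namespaces that both mean "OpenID 1.x" to a v2-capable OP.
OPENID1_NS_VALUES = frozenset({
    "http://openid.net/signon/1.0",
    "http://openid.net/signon/1.1",
})


class BadNamespace(ValueError):
    """openid.ns is present but cannot be mapped to a protocol version."""


def protocol_version(query_string):
    """Return 1 or 2 for an incoming request's query string.

    Comparison is exact: no prefix matching and no case folding, so a
    near-miss namespace is rejected instead of being guessed at.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("openid.ns", [])
    if len(values) > 1:
        # Two values could make different layers pick different versions.
        raise BadNamespace("openid.ns repeated")
    if not values:
        return 1  # a v1 sender that predates openid.ns
    ns = values[0]
    if ns == OPENID2_NS:
        return 2
    if ns in OPENID1_NS_VALUES:
        return 1  # v1 message sent by an ns-aware RP (stale delegation)
    raise BadNamespace("unrecognised openid.ns: %r" % ns)


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "plain_v1": "openid.mode=checkid_setup",
    "v1_ns_1_1": "openid.mode=checkid_setup"
                 "&openid.ns=http%3A%2F%2Fopenid.net%2Fsignon%2F1.1",
    "v1_ns_1_0": "openid.mode=checkid_setup"
                 "&openid.ns=http%3A%2F%2Fopenid.net%2Fsignon%2F1.0",
    "v2": "openid.mode=checkid_setup"
          "&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0",
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(name, "->", protocol_version(qs))
```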




