Difference between 1.0 and 1.1
Kevin Turner
kevin at janrain.com
Wed Mar 12 18:00:57 UTC 2008
On Wed, 2008-03-12 at 16:28 +0200, techtonik wrote:
> But 1.1 OpenID server doesn't know anything about openid.ns, because
> it was added only in 2.0 Therefore server fails to authenticate and
> this should be considered a bug in consumer, which should not send
> openid.ns at all. If everything above is right then where is the logic
> and what are the reasons for consumer to send
> openid.ns="http://openid.net/signon/1.1" at all?
Yeah, we discovered that there are people sending openid.ns with v1
messages to myOpenID. I think the case where this happens most is when
someone has set up their own page with version 1 style delegation, with
a "openid.server" link instead of "openid2.provider". Then you can get
a v2-capable RP talking to a v2-capable OP, but since the delegation
format is stale, they use v1 messages. Whereas a real v1 OP may well
just ignore "openid.ns", because it didn't exist, this ns-aware
v2-capable OP tries to inspect it to see what version it is...
and the fact that there are *two* namespaces in the v2 spec for v1
OpenID is sort of a disaster, but both of them are being used in this
way now. (Drupal was sending whichever one I wasn't expecting...)
More information about the specs
mailing list