Hi folks,<div><br></div><div>I'm running into a devil of a problem with my OP that I can't seem to get solved and straight.</div><div><br></div><div>Background:</div><div>I run an OP for cooperative extension personnel across the country. Most of our use is for white-listed directed identity login for internal hosts. But we do have some land-grants that have implemented RPs using our OpenID - and our Moodle provider that's using a hacked-up directed mode.</div>
<div><br></div><div>Our host, <a href="http://people.extension.org" target="_blank">people.extension.org</a>, is using a somewhat modified ruby server implementation (it has some bugs in IdP XRDS discovery that I've fixed). We are in the process of merging way too many different Rails applications into one - and the short of it is, I am going to be trying to redirect requests from <a href="https://people.extension.org/%5Bperson's_id_string%5D" target="_blank">https://people.extension.org/[person's_id_string]</a> to <a href="https://www.extension.org/people/%5Bperson's_id_string%5D" target="_blank">https://www.extension.org/people/[person's_id_string]</a> - but still trying to maintain the use of <a href="https://people.extension.org/%5Bperson's_id_string%5D" target="_blank">https://people.extension.org/[person's_id_string]</a> as the claimed_id.</div>
<div><br></div><div>Current situation:</div><div>Minus the SSL part for now, and using demo hosts (<a href="http://people.demo.extension.org" target="_blank">people.demo.extension.org</a> and <a href="http://pubsitedev.extension.org" target="_blank">pubsitedev.extension.org</a>) I can happily redirect all day long - but only if I return <a href="http://pubsitedev.extension.org/people/%5Bperson's_id_string%5D" target="_blank">http://pubsitedev.extension.org/people/[person's_id_string]</a> as the claimed_id - which I could get away with for the internal hosts, but the third parties need to have <a href="https://people.extension.org/%5Bperson's_id_string%5D" target="_blank">https://people.extension.org/[person's_id_string]</a> (or <a href="http://people.demo.extension.org/%5Bperson's_id_string%5D" target="_blank">http://people.demo.extension.org/[person's_id_string]</a> for this demo case).</div>
<div><br></div><div>I've followed the appendix examples - my XRDS includes <a href="http://pubsitedev.extension.org/people/%5Bperson's_id_string%5D" target="_blank">http://pubsitedev.extension.org/people/[person's_id_string]</a> as the LocalID. The endpoints are right. My request.answer has</div>
<div><br></div><div> identity = <a href="http://pubsitedev.extension.org/people/%5Bperson's_id_string%5D" target="_blank">http://pubsitedev.extension.org/people/[person's_id_string]</a></div><div><br></div><div>and</div>
<div><br></div>
<div>claimed_id = <a href="http://people.demo.extension.org/%5Bperson's_id_string%5D" target="_blank">http://people.demo.extension.org/[person's_id_string]</a></div>
<div><br></div><div>The problem appears to be that during the follow-up discovery done when those are different, the Yadis discovery picks up the target URL of the XRDS document. That is - when at the Apache level, I redirect:</div>
<div><br></div><div><div> RewriteCond %{HTTP_HOST} ^people\.demo\.extension\.org [NC]</div><div> RewriteRule ^/(.*) http://pubsitedev.extension.org/people/$1 [L,R=permanent]</div>
<div><br></div><div>In discovery, when it goes and gets the service endpoint's claimed_id, it appears to pick it up from the 'yadis_url' - that is, the URL of the end target of discovery done on the claimed_id. So when I redirect <a href="http://people.demo.extension.org/%5Bperson's_id_string%5D" target="_blank">http://people.demo.extension.org/[person's_id_string]</a> to <a href="http://pubsitedev.extension.org/people/%5Bperson's_id_string%5D" target="_blank">http://pubsitedev.extension.org/people/[person's_id_string]</a> - it picks up the pubsitedev URL as the claimed_id - which fails the comparison (PHP consumer):</div>
<div><br></div><div><div> if ($defragged_claimed_id != $endpoint->claimed_id) { </div><div> return new Auth_OpenID_FailureResponse($endpoint,</div><div> sprintf('Claimed ID does not match (different subjects!), ' .</div>
<div> 'Expected %s, got %s', $defragged_claimed_id,</div><div> $endpoint->claimed_id));</div><div><br></div><div><br></div><div>Sooo.... I'm guessing there's no good way around this? I eventually need to get these to transition, and the redirects seemed to be the best way to make that happen - but there seems to be no good way to push everything to the new host, maintain all the "user-visible" portions of this (the user's openid endpoint serves double duty as a profile page: e.g. <a href="https://people.extension.org/jayoung">https://people.extension.org/jayoung</a> ) and then make sure that RPs have the original claimed_id.</div>
<div><br></div><div>Or am I completely missing something here that I could be doing to pull this off? I've gone through the spec, and I've gone through the code, and even broken out Wireshark - but very admittedly, I'm backing into this a bit as someone that just wants to use the API and have it "just work" ;-)</div>
<div><br></div><div>At the moment, I'm looking at having to figure out some way to possibly not rewrite discovery requests, but rewrite everything else. Or just run the application with a Proxy redirect (or run two copies at two different vhosts).</div>
<div><br></div><div>I'm assuming someone else here has done similar as they figured out they wanted different OpenID identifiers - what did you do?</div><div><br></div><div>Jason</div></div></div><div>-- <br>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
Jason Young -- Systems Manager, eXtension<br><a href="http://about.extension.org/wiki/Jason_Young" target="_blank">http://about.extension.org/wiki/Jason_Young</a><br>______________________________________<br>
<br><br>
</div>
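As an added illustration (not code from this thread, the ruby OP or the PHP consumer), here is a small Python model of the check quoted above: an RP rediscovers on the claimed_id it received, and the URL where the XRDS is finally found becomes the endpoint's claimed_id. The `serve_*` functions are constructed stand-ins for the two Apache configurations (redirect everything, versus answer discovery fetches directly and redirect only browsers, keyed on the Yadis `Accept` header), and `jdoe` is a made-up identifier on the demo hosts named in the post.

```python
from urllib.parse import urldefrag

# Constructed sample identifiers; the hosts are the demo hosts named in the post.
OLD_ID = "http://people.demo.extension.org/jdoe"         # claimed_id the RPs expect
NEW_ID = "http://pubsitedev.extension.org/people/jdoe"   # LocalID / new profile URL
OLD_PREFIX = "http://people.demo.extension.org/"
NEW_PREFIX = "http://pubsitedev.extension.org/people/"
XRDS_ACCEPT = "application/xrds+xml"                     # what a Yadis fetcher asks for


def serve_redirect_all(url, accept):
    """Model of the RewriteRule in the post: every request to the old host is
    permanently redirected to the new one, including the RP's discovery fetch."""
    if url.startswith(OLD_PREFIX):
        return ("redirect", NEW_PREFIX + url[len(OLD_PREFIX):])
    return ("xrds", NEW_ID)   # the new host serves the XRDS with LocalID = NEW_ID


def serve_split(url, accept):
    """Model of 'rewrite everything except discovery': the old host answers the
    XRDS itself when the fetcher asks for it and only redirects other requests."""
    if url.startswith(OLD_PREFIX) and XRDS_ACCEPT not in accept:
        return serve_redirect_all(url, accept)
    return ("xrds", NEW_ID)


def yadis_discover(serve, url, max_hops=5):
    """Follow redirects the way an RP fetcher does. The URL where the XRDS is
    finally found (the 'yadis_url') becomes the discovered claimed_id."""
    for _ in range(max_hops):
        kind, value = serve(url, XRDS_ACCEPT)
        if kind != "redirect":
            return {"claimed_id": url, "local_id": value}
        url = value
    raise RuntimeError("too many redirects")


def verify(serve, response_claimed_id, response_identity):
    """The consumer check quoted in the post: rediscover on the claimed_id from
    the assertion and require the discovered claimed_id to be the same subject,
    then require the asserted identity to be that subject's LocalID."""
    defragged, _ = urldefrag(response_claimed_id)
    endpoint = yadis_discover(serve, defragged)
    if defragged != endpoint["claimed_id"]:
        return (False, "Claimed ID does not match (different subjects!), "
                       "Expected %s, got %s" % (defragged, endpoint["claimed_id"]))
    if response_identity != endpoint["local_id"]:
        return (False, "identity %s is not the LocalID of %s" % (response_identity, defragged))
    return (True, "ok")
```

With the redirect-everything configuration the assertion for `OLD_ID` fails exactly as in the post; serving the XRDS at the old host for discovery fetches keeps `OLD_ID` as the claimed_id while still binding it to the new LocalID.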