Question on Authentication Request

Josh Hoyt josh at janrain.com
Wed Oct 18 17:39:48 UTC 2006


On 10/18/06, Prasanta Behera <pbehera at yahoo-inc.com> wrote:
> How does this work?
>
> For authentication request where
> openid.identity="http://openid.net/identifier_select/2.0"
>
> What is the user claimed Identifier?
>
> How does a RP discover the IdP?

This feature is called "IdP-driven identifier selection." Its purpose
is to allow the IdP to help the user choose an appropriate identifier
for the given transaction. For instance, the user might want to use an
identifier that is unique to the site requesting authentication, and
the IdP can keep track of those identifiers.

The relying party does not send a claimed identifier. Instead, it
sends a request (with openid.identity set to identifier select) that
indicates that the IdP can make a claim about any identifier.

It is important to note that in this case, the relying party is
responsible for confirming the claim that the IdP makes by comparing
it to the discovered information.

Here's an example that I hope will help:

The user enters "myidp.com" into the OpenID initiation form:

   Enter your OpenID: [ myidp.com ]

The relying party does discovery, and gets back an XRDS document with
something like:

  <xrds:XRDS>
   <XRD>
    <Service>
     <Type>http://openid.net/server/2.0</Type>
     <URI>http://myidp.com/server</URI>
    </Service>
   </XRD>
  </xrds:XRDS>

The "http://openid.net/server/2.0" tells the relying party that this
is an IdP-driven identifier selection case, so the relying party fills
in "http://openid.net/identifier_select/2.0" as "openid.identity" in
the request to the IdP.

It is at this point that the IdP selects an identifier. As part of
this process, it can generate new, pseudonymous, identifiers, like
"http://myidp.com/pseudo/4ef833a43" or do any other user interaction
it desires.

For this example, let's assume that the user wants to be known as his
global identifier. The IdP then sends back a response, with
openid.identity set to, for instance, "http://bbehera.myidp.com/".

The relying party then checks the signature on the response, and if it
is good, it does discovery on "http://bbehera.myidp.com/". The result
of that discovery will be something like:

  <xrds:XRDS>
   <XRD>
    <Service>
     <Type>http://openid.net/signon/2.0</Type>
     <URI>http://myidp.com/server</URI>
    </Service>
   </XRD>
  </xrds:XRDS>

The important parts of this result are:

1. The Type indicates that this XRDS document is for a user rather than an IdP
2. The URI element matches the IdP that sent the response.

Does that example and explanation clarify things?

Josh
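The relying-party side of the flow described in the message above, written out as an added example (it is not code from the post, from Josh, or from any OpenID library). It assumes a stand-in `discover()` that looks XRDS documents up in a constructed table instead of fetching them over HTTP, a constructed association secret shared by RP and IdP, and the OpenID 2.0 convention of signing the `key:value\n` form of the fields listed in `openid.signed` with HMAC-SHA256. The names `build_request`, `idp_response` and `verify_response` are this example's own.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

IDENTIFIER_SELECT = "http://openid.net/identifier_select/2.0"
SERVER_TYPE = "http://openid.net/server/2.0"
SIGNON_TYPE = "http://openid.net/signon/2.0"
OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed sample XRDS documents keyed by the URL discovery would fetch.
# Real discovery does Yadis/HTTP retrieval; this table stands in for it.
XRDS_DOCS = {
    "http://myidp.com/": (
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">'
        "<XRD><Service><Type>http://openid.net/server/2.0</Type>"
        "<URI>http://myidp.com/server</URI></Service></XRD></xrds:XRDS>"
    ),
    "http://bbehera.myidp.com/": (
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">'
        "<XRD><Service><Type>http://openid.net/signon/2.0</Type>"
        "<URI>http://myidp.com/server</URI></Service></XRD></xrds:XRDS>"
    ),
    # A user page whose signon service names a different IdP (constructed).
    "http://someone.otheridp.example/": (
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">'
        "<XRD><Service><Type>http://openid.net/signon/2.0</Type>"
        "<URI>http://otheridp.example/server</URI></Service></XRD></xrds:XRDS>"
    ),
}

ASSOC_SECRET = b"constructed-association-secret"  # constructed, not a real key


def _local(tag):
    """Strip the XML namespace prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_services(xrds_text):
    """Return [(set_of_types, [uris]), ...] for every <Service> in an XRDS doc."""
    services = []
    for elem in ET.fromstring(xrds_text).iter():
        if _local(elem.tag) != "Service":
            continue
        types = {c.text.strip() for c in elem if _local(c.tag) == "Type" and c.text}
        uris = [c.text.strip() for c in elem if _local(c.tag) == "URI" and c.text]
        services.append((types, uris))
    return services


def discover(url):
    """Stand-in for discovery: look the XRDS document up in the sample table."""
    return parse_services(XRDS_DOCS[url])


def normalize(user_input):
    """Turn what the user typed ("myidp.com") into a URL with scheme and path."""
    if "://" not in user_input:
        user_input = "http://" + user_input
    p = urlsplit(user_input)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def build_request(user_input, return_to):
    """Return (IdP endpoint, checkid_setup params) for the identifier-select case."""
    url = normalize(user_input)
    for types, uris in discover(url):
        if SERVER_TYPE in types:
            # server/2.0 means IdP-driven selection: no claimed identifier is sent.
            return uris[0], {
                "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
                "openid.identity": IDENTIFIER_SELECT,
                "openid.claimed_id": IDENTIFIER_SELECT, "openid.return_to": return_to,
            }
    raise ValueError("no server/2.0 service found for %s" % url)


def sign(params, secret):
    """HMAC-SHA256 over 'field:value\\n' for each field named in openid.signed."""
    fields = params["openid.signed"].split(",")
    msg = "".join("%s:%s\n" % (f, params["openid." + f]) for f in fields).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()


def idp_response(identity, op_endpoint, return_to, secret):
    """The signed id_res the IdP returns once it has chosen an identifier (constructed)."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint, "openid.identity": identity,
        "openid.claimed_id": identity, "openid.return_to": return_to,
        "openid.response_nonce": "2006-10-18T17:39:48Zconstructed",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "op_endpoint,identity,claimed_id,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, secret)
    return params


def verify_response(params, secret):
    """RP check: signature first, then re-discover the asserted identifier and
    require a signon/2.0 service whose URI is the IdP that actually answered."""
    if not hmac.compare_digest(sign(params, secret), params.get("openid.sig", "")):
        return False, "bad signature"
    claimed = params["openid.claimed_id"]
    if claimed == IDENTIFIER_SELECT:
        return False, "IdP did not select a concrete identifier"
    try:
        services = discover(claimed)
    except KeyError:
        return False, "discovery on %s failed" % claimed
    for types, uris in services:
        if SIGNON_TYPE in types and params["openid.op_endpoint"] in uris:
            return True, claimed
    return False, "discovered endpoint for %s does not match op_endpoint" % claimed
```

The order matters: the signature proves the message came from the IdP the RP associated with, and the second discovery proves that IdP is authoritative for the identifier it chose. An assertion that passes the first check but names an identifier whose own discovery points at another endpoint is rejected, which is the confirmation step the message says the RP is responsible for.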


