XRI forwarding and OpenID (was RE: The Wiki, iNames and OpenID accounts)
Drummond Reed
drummond.reed at cordance.net
Mon Oct 30 07:33:44 UTC 2006
I know Chris Drake already provided one detailed explanation of Avery's
original question (below), but it led to some offlist discussion among the
XRI crowd about XRI forwarding and how it works with OpenID that I think
would be good to share back with the list, since this topic is likely to
come up again.
What Avery was doing (which is really quite clever) is using the indirection
capability of XRIs that's available either via XRI resolvers and XRDS
documents (faster but harder to configure), or via a standardized XRI
service called forwarding service (slower but easy to configure). For more
details of forwarding service, see
http://iss.xdi.org/moin.cgi/ForwardingService. Note that both produce the
same result - redirection of a "forwarding XRI" to a "target URI".
What Avery was trying to do was give a relying party the forwarding XRI,
"=avery/(+myopenid)" that his forwarding service redirects to
http://aglasser.myopenid.com. As long as
the relying party does XRI resolution of "=avery/(+myopenid)" (it doesn't
matter whether the relying party uses a local XRI resolver or a proxy XRI
resolver, the results will be the same), the XRI resolver should return a
redirect to http://aglasser.myopenid.com.
An HTTP GET to http://aglasser.myopenid.com
with a content type of application/xrds+xml should return a valid XRDS
document (right Josh?)
Therefore everything should work correctly just by Avery entering
"=avery/(+myopenid)" at the RP. Things should ALSO work correctly if Avery
enters the full HXRI (HTTP XRI) version of this XRI, i.e.,
http://xri.net/=avery/(+myopenid), because the relying party code should
simply be doing an HTTP GET on this URL with content type of
application/xrds+xml, receive back a redirect to
http://aglasser.myopenid.com, and then do
the same request against that URL and receive back the authoritative XRDS.
Thus if I understand OpenID Authentication 2.0 Draft 10 correctly, if Avery
enters "=avery" at the RP, this will result in Avery's Claimed Identifier at
the RP being the synonymous persistent i-number "=!5E1B.7A93.6A96.8C0A".
However if Avery enters "=avery/(+myopenid)" at the RP, it will result in
Avery's Claimed Identifier at the RP being the final redirect URL of
"http://aglasser.myopenid.com".
Now, the question of why this does-or-does-not work at a particular RP at
this particular point in time has everything to do with: a) what OpenID
client library version is running at the RP (in this case openid.net), b)
what XRI proxy resolver is being called (in this case xri.net), and c) what
code is running at Avery's XRI forwarding service (in this case 1id.com). I
suspect Chris Drake's diagnosis
(http://openid.net/pipermail/general/2006-October/000463.html) is correct
with regard to how that is/isn't working right now. However once we get all
the components lined up and working correctly, this should all work as
detailed above.
We XRI geeks have the action item to work with the OpenID spec teams and
OpenID client library implementation teams to make sure XRI parsing and
resolution is handled correctly, no matter whether it uses local or proxy
XRI resolvers. We also have the action item to create a "Using XRI with
OpenID FAQ" for the new OpenID wiki so we make it easy for developers, RPs,
and IdPs to use XRI i-names and i-numbers with OpenID.
Please don't hesitate to ask any other XRI questions or give us any other
XRI feedback via any of the OpenID lists.
=Drummond
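The discovery flow Drummond walks through above, as an added example that is not code from this thread or from any OpenID library. It simulates xri.net, the 1id.com forwarding service and myopenid.com with an in-memory URL table (constructed responses; the OP endpoint URLs are placeholders) and shows how the RP's Claimed Identifier differs for "=avery" versus "=avery/(+myopenid)".

```python
"""Yadis/XRDS discovery for the two inputs discussed above, simulated offline.
Added example, not code from the thread or an OpenID library. FAKE_WEB stands
in for xri.net (proxy resolver), the 1id.com forwarding hop and myopenid.com."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed responses: url -> (status, Location header or None, body)
FAKE_WEB = {
    "http://xri.net/=avery": (200, None,
        f'<XRDS xmlns="{XRDS_NS}"><XRD xmlns="{XRD_NS}">'
        '<CanonicalID>=!5E1B.7A93.6A96.8C0A</CanonicalID>'
        '<Service><Type>http://openid.net/signon/2.0</Type>'
        '<URI>http://example.invalid/1id-op</URI></Service></XRD></XRDS>'),
    # forwarding XRI: the proxy resolver answers with a redirect to the target URI
    "http://xri.net/=avery/(+myopenid)": (302, "http://aglasser.myopenid.com", ""),
    "http://aglasser.myopenid.com": (200, None,
        f'<XRDS xmlns="{XRDS_NS}"><XRD xmlns="{XRD_NS}">'
        '<Service><Type>http://openid.net/signon/2.0</Type>'
        '<URI>http://example.invalid/myopenid-op</URI></Service></XRD></XRDS>'),
}

def fetch_xrds(url, max_hops=5):
    """GET with Accept: application/xrds+xml, following redirects like an RP.
    The hop cap keeps a misconfigured forwarding loop from running forever."""
    for _ in range(max_hops):
        status, location, body = FAKE_WEB[url]
        if status == 302:
            url = urljoin(url, location)   # follow the forwarding redirect
            continue
        return url, body                   # final URL + authoritative XRDS
    raise RuntimeError("too many redirects")

def discover(user_input):
    """Return (claimed_identifier, op_endpoint) for an i-name or its HXRI form."""
    url = user_input if user_input.startswith("http") else "http://xri.net/" + user_input
    final_url, body = fetch_xrds(url)
    xrd = ET.fromstring(body).find(f"{{{XRD_NS}}}XRD")
    canonical = xrd.findtext(f"{{{XRD_NS}}}CanonicalID")
    endpoint = xrd.findtext(f"{{{XRD_NS}}}Service/{{{XRD_NS}}}URI")
    # As described in the message: an XRD carrying a CanonicalID yields the
    # persistent i-number; a forwarding XRI that ended in a redirect yields the
    # final URL. Either way the value comes from discovery, not from user input.
    claimed = canonical if canonical else final_url
    return claimed, endpoint
```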
_____
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Avery Glasser
Sent: Wednesday, October 25, 2006 11:42 PM
To: general at openid.net
Subject: The Wiki, iNames and OpenID accounts
Ok,
This will probably go down in the history of silly things I have thought
about at 11pm...
I have an iname through 1id.com (=avery). I set up as a tag, a reference to
my usual OpenID URL =avery(+myopenid). Going to
http://xri.net/=avery/(+myopenid) properly resolves my myopenid.com
account.
Why would I do such a silly thing? Because I established
aglasser.myopenid.com well before I registered my iname.
I tried to log into the OpenID.net/wiki using:
=avery+myopenid
=avery(+myopenid)
=avery/(+myopenid)
http://xri.net/=avery/(+myopenid)
My assumption is that when the wiki attempted to resolve the iname for
authentication, it would resolve to aglasser.myopenid.com. Each time, it
kicked back a failure. Of course, going in with =avery worked fine. Going in
with aglasser.myopenid.com worked fine as well.
This leads to an interesting set of thoughts - at least interesting for this
time of day...
1) As http://xri.net/=avery/(+myopenid) resolves to aglasser.myopenid.com -
shouldn't this work as a valid OpenID Identity URL?
2) If the answer to #1 is yes, shouldn't I be able to use =avery(+myopenid)
as a valid iname for authenticating to the wiki?
3) More fundamental (and probably out of scope for this group), shouldn't an
inames registrar allow one to set a default OpenID Identity URL independent
of the iname account?
- Avery
--
==============================
Avery Glasser
VxV Solutions, Inc.
+ 1.415.992.7264 - office
+ 1.415.290.1400 - mobile
+ 1.415.651.9218 - fax
329 Bryant Street, Suite 2D
San Francisco, CA 94107
==============================