No subject


Tue Apr 24 11:52:11 UTC 2007


(according to and satisfying the Consumer's SSL key management policy)
the "final URL" is https://peteraccount.rapdata.com/ . This string,
furthermore, is the "final, canonicalized URL" (in the absence of an
openid.delegated link field value in the HTML document delivered over
https). This is thus the "End User's Identifier".

------------

Let's continue the thought experiment:-

Let's say that the openid.server link value is
https://login.rapmlsstg.com/sp/SsoHandler.aspx. We can note that this
URL has little formal relationship to the End User's Identifier
https://peteraccount.rapdata.com/ .

Nevertheless, the consumer can now expect to find an OP Provider
listener at that link value URL. If this is true, the consumer agent and
provider agent then engage in the "OpenID Authentication Protocol".

In the course of completing the protocol, the provider agent will
normally be required to perform, BY MEANS BEYOND THE SCOPE OF OPENID AUTH
SPEC, user authentication - before it supplies the "cryptographic proof"
that a user controls the End User's Identifier. After following some
series of locally-defined redirects to a form-login page, users might
perform this by completing the action of typing in a correct
username/password combination.

Is there any flaw in my understanding, in any of the above?

Are the examples "complying"?

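
An added example, not part of the original message or of any OpenID library: how a Consumer could derive the End User's Identifier and the provider endpoint from the HTML served at the final URL, using the OpenID 1.1 `rel` names `openid.server` and `openid.delegate`. The `discover` function, its `require_https` flag (standing in for a Consumer-side SSL policy) and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkRels(HTMLParser):
    """Collect openid.* <link> values, but only from inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            # rel may carry several space-separated tokens
            for rel in (a.get("rel") or "").lower().split():
                if rel.startswith("openid.") and href:
                    self.rels.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(final_url, html, require_https=True):
    """Return (claimed_id, delegate_id, server) for the page at final_url."""
    parser = _LinkRels()
    parser.feed(html)
    server = parser.rels.get("openid.server")
    if not server:
        raise ValueError("no openid.server link in <head>")
    # With no delegate link, the final URL itself is the identifier.
    delegate = parser.rels.get("openid.delegate", final_url)
    if require_https:  # assumed Consumer policy: every hop over https
        for url in (final_url, server, delegate):
            if urlsplit(url).scheme != "https":
                raise ValueError("non-https URL in discovery: " + url)
    return final_url, delegate, server


# Constructed sample page; the <link> in <body> must be ignored.
PAGE = """<html><head><title>peter</title>
<link rel="openid.server" href="https://login.rapmlsstg.com/sp/SsoHandler.aspx">
</head><body>
<link rel="openid.server" href="https://untrusted.example/op">
</body></html>"""

if __name__ == "__main__":
    print(discover("https://peteraccount.rapdata.com/", PAGE))
```

The server URL is taken from the document as-is, with no requirement that it share a host with the identifier, so the trust in that endpoint rests on the page having been fetched from the identifier URL over https.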