[OpenID] RP Discovery

Jack jack at jackpot.uk.net
Fri Aug 31 07:32:46 UTC 2007


Hi,

Draft 12 of the Authentication spec says that an OP SHOULD verify the
RP's return_to by means of YADIS discovery, and SHOULD NOT send a
positive assertion unless this succeeds.

I must have misunderstood something; this seems broken. For example, a
user follows a link that would lead to a protected resource at the RP,
so the RP challenges. Successful authentication should take the user
directly to that resource. Suppose there are many such resources? For
example, if the entire site is protected, any URL at the site might be a
valid endpoint. Must the RP publish every URL on the site in the XRDS?

Suppose that the URLs of those resources are dynamically-generated?

-- 
Jack.
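The two checks the question refers to, as an added example that is not code from this list or from the OpenID project. It implements the realm-matching rules of OpenID Authentication 2.0 final, section 9.2 (scheme and port equal, path equal or a sub-directory, domain equal or covered by a leading "*." wildcard) and the section 13 RP-discovery check, where the OP looks up the return_to service in the realm's XRDS and matches the request's return_to against each published URL by those same rules. The host names, the XRDS document and the "sub-directory means a prefix on a '/' boundary" reading are this example's own assumptions.

```python
"""OpenID 2.0 realm and return_to matching (OpenID Authentication 2.0 final,
sections 9.2 and 13).  Added illustration; not the OpenID project's code."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD_NS = "xri://$xrd*($v*2.0)"        # default namespace of <XRD> in an XRDS
DEFAULT_PORT = {"http": 80, "https": 443}


def _parse(url):
    """Split an absolute http(s) URL into (scheme, host, port, path, fragment).
    The host is lower-cased and an empty path is taken as "/" (assumptions here)."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORT or not p.hostname:
        raise ValueError("only absolute http(s) URLs can be matched: %r" % url)
    return p.scheme, p.hostname, p.port or DEFAULT_PORT[p.scheme], p.path or "/", p.fragment


def _is_subdirectory(path, base):
    """path equals base or lies beneath it.  "Sub-directory" is read here as a
    prefix match on a "/" boundary, so a base of /app does not cover /application."""
    base = base.rstrip("/")
    return base == "" or path == base or path.startswith(base + "/")


def url_matches_realm(url, realm):
    """Section 9.2: scheme and port must equal the realm's; the path must be the
    realm's path or a sub-directory of it; the domain must equal the realm's, or,
    when the realm starts with "*.", equal the part after the wildcard or end in
    "." plus that part.  Query strings play no role in the rule and are ignored."""
    r_scheme, r_host, r_port, r_path, r_fragment = _parse(realm)
    if r_fragment:                        # realms MUST NOT contain fragments
        return False
    u_scheme, u_host, u_port, u_path, _ = _parse(url)
    if "*" in u_host or (u_scheme, u_port) != (r_scheme, r_port):
        return False
    if r_host.startswith("*."):
        suffix = r_host[2:]               # the wildcard may only be the leading label
        if "*" in suffix or not (u_host == suffix or u_host.endswith("." + suffix)):
            return False
    elif u_host != r_host:
        return False
    return _is_subdirectory(u_path, r_path)


def realm_discovery_url(realm):
    """Section 13: the OP performs Yadis discovery on the realm; a leading "*." is
    replaced by "www." first so that there is a concrete host to fetch from."""
    scheme, host, port, path, _ = _parse(realm)
    if host.startswith("*."):
        host = "www." + host[2:]
    netloc = host if port == DEFAULT_PORT[scheme] else "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, netloc, path)


def published_return_to_urls(xrds_xml):
    """Collect the <URI> values of every <Service> whose <Type> is the
    OpenID 2.0 return_to service type."""
    urls = []
    for service in ET.fromstring(xrds_xml).iter("{%s}Service" % XRD_NS):
        types = {t.text.strip() for t in service.findall("{%s}Type" % XRD_NS) if t.text}
        if RETURN_TO_TYPE in types:
            urls.extend(u.text.strip() for u in service.findall("{%s}URI" % XRD_NS) if u.text)
    return urls


def verify_return_to(return_to, realm, xrds_xml):
    """The OP-side check: return_to must lie under the realm and must match at
    least one published return_to URL by the section 9.2 rules, the published URL
    taking the role of the realm.  One published prefix therefore covers every
    URL, dynamically generated or not, beneath it."""
    if not url_matches_realm(return_to, realm):
        return False
    return any(url_matches_realm(return_to, published)
               for published in published_return_to_urls(xrds_xml))


# Constructed XRDS for a hypothetical RP at rp.example: the whole https site is a
# valid return_to prefix, but over plain http only /openid/ is.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example/</URI>
      <URI>http://rp.example/openid/</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

if __name__ == "__main__":
    realm = "https://*.rp.example/"
    print("discover at:", realm_discovery_url(realm))
    for return_to in ("https://rp.example/docs/42?next=1",
                      "https://shop.rp.example/cart/7",
                      "http://rp.example/admin",
                      "https://rp.example.evil.test/"):
        print(return_to, "->", verify_return_to(return_to, realm, SAMPLE_XRDS))
```

The `verify_return_to` call is what an OP would run after fetching the XRDS from `realm_discovery_url(realm)`; the fetch itself is left out so the example runs offline.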
