[OpenID] RP Discovery
Josh Hoyt
josh at janrain.com
Fri Aug 31 14:58:56 UTC 2007
On 8/31/07, Jack <jack at jackpot.uk.net> wrote:
> Draft 12 of the Authentication spec says that an OP SHOULD verify the
> RP's return_to by means of YADIS discovery, and SHOULD NOT send a
> positive assertion unless this succeeds.
[snip]
> Must the RP publish every URL on the site in the XRDS?
The following sentence from 9.2.1 was intended to address multiple
endpoint URLs:
"""
To match a return_to URL against a relying party endpoint, use the
same rules as for matching the return_to URL against the realm,
treating the relying party's endpoint URL as the realm.
"""
The rules for matching a realm say that any path below the path
specified in the realm matches. This means that if your XRDS document
gives http://example.com/, then
http://example.com/a/deep/path?with=dynamically&generated=arguments
matches this pattern. We might have to re-word this to make it
clearer.
OpenID was not intended to be used for every request to a relying
party that the user needs to remain authenticated against. There is
too much protocol overhead (several requests) to do this for each
request to the relying party. In general, it's expected that sites
will use some other mechanism to maintain a session after the initial
OpenID authentication, such as setting a cookie. There is nothing in
the specification that forbids the usage that I think you're
suggesting, but I expect you'll find that things go more smoothly and
make more sense if you think of OpenID as a means for establishing an
authenticated session instead of a means for authenticating a request.
Josh
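The check Josh describes, the OP matching a return_to against each discovered RP endpoint using the realm rules, as an added Python example that is not part of the original thread. The rules beyond what the post states (same scheme and port, host match with an optional "*." wildcard, no fragment in the realm) follow OpenID Authentication 2.0 section 9.2, and the endpoint list is a constructed stand-in for a real XRDS lookup.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Split a URL into the pieces the realm rules compare."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port, (p.path or "/"), p.fragment


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """True if return_to lies under realm per OpenID 2.0 section 9.2."""
    rt_scheme, rt_host, rt_port, rt_path, _ = _parts(return_to)
    rl_scheme, rl_host, rl_port, rl_path, rl_frag = _parts(realm)
    if rl_frag:  # a realm may not carry a URI fragment
        return False
    if rt_scheme != rl_scheme or rt_port != rl_port:
        return False
    if rl_host.startswith("*."):
        # Wildcard realm: accept any subdomain. Accepting the bare domain
        # too is a choice made in this example.
        base = rl_host[2:]
        if not (rt_host == base or rt_host.endswith("." + base)):
            return False
    elif rt_host != rl_host:
        return False
    # Path rule from the post: the return_to path must equal the realm
    # path or lie below it; query arguments on return_to are ignored.
    if rl_path.endswith("/"):
        return rt_path.startswith(rl_path)
    return rt_path == rl_path or rt_path.startswith(rl_path + "/")


def op_should_accept(return_to: str, rp_endpoints) -> bool:
    """Section 9.2.1: treat each discovered RP endpoint URL as a realm and
    send a positive assertion only if return_to matches one of them."""
    return any(return_to_matches_realm(return_to, ep) for ep in rp_endpoints)


# Constructed endpoint list standing in for the RP's XRDS document.
DISCOVERED_ENDPOINTS = ["http://example.com/"]
```

Running the post's own example, `http://example.com/a/deep/path?with=dynamically&generated=arguments` is accepted against the discovered `http://example.com/`, while a return_to on another host, scheme or port is refused.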