[OpenID] [Fwd: Re: RP Discovery]

Jack jack at jackpot.uk.net
Fri Aug 31 18:46:49 UTC 2007


[Sent privately in error; it was meant for the list]

Josh Hoyt wrote:
> On 8/31/07, Jack <jack at jackpot.uk.net> wrote:
>> Draft 12 of the Authentication spec says that an OP SHOULD verify 
>> the RP's return_to by means of YADIS discovery, and SHOULD NOT send
>>  a positive assertion unless this succeeds.
> [snip]
>> Must the RP publish every URL on the site in the XRDS?
> 
> The following sentence from 9.2.1 was intended to address multiple 
> endpoint URLs: """ To match a return_to URL against a relying party 
> endpoint, use the same rules as for matching the return_to URL 
> against the realm, treating the relying party's endpoint URL as the 
> realm. """
> 
> The rules for matching a realm say that any path below the path 
> specified in the realm match. This means that if your XRDS document 
> gives http://example.com/, then 
> http://example.com/a/deep/path?with=dynamically&generated=arguments 
> matches this pattern. We might have to re-word this to make it 
> clearer.

Thanks, I did miss that. It resolves the issue for me (and it's not
unclear, particularly - I just didn't read carefully enough).
> 
> OpenID was not intended to be used for every request to a relying 
> party that the user needs to remain authenticated against. There is 
> too much protocol overhead (several requests) to do this for each 
> request to the relying party. In general, it's expected that sites 
> will use some other mechanism to maintain a session after the initial
>  OpenID authentication, such as setting a cookie.

Yes, of course; it would be crazy to repeat authentication for every
page access. However it's perfectly reasonable to ask that the spec
should support (for example) deep-linked bookmarking of arbitrary
protected pages.

The use-case I have in mind is a wiki (I've strapped my OpenID RP
servlet onto JSPWiki, for demo and testing purposes - see link in sig).
So typically anyone can read a wiki page, but you might be required to
authenticate if you want to Edit. It would be a royal pain to have to
browse back to the page you wanted to edit from (say) the homepage, just
because the site was using OpenID.

-- 
Jack.
http://www.jackpot.uk.net/
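The matching rule Josh quotes from section 9.2.1 (treat each discovered RP endpoint URL as a realm and apply the realm-matching rules to the return_to URL) is easy to get wrong at the boundaries, so here is an added example of the check an OP would run before sending a positive assertion. It is illustrative code written for this page, not code from the thread, the spec, or any OpenID library. The endpoint list `RP_ENDPOINTS` is constructed for the example; the rule that a bare domain matches its own `*.` wildcard realm is an assumption of this implementation, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed example: the return_to endpoint URLs an OP found in the RP's XRDS.
RP_ENDPOINTS = ["http://example.com/"]


def _effective_port(parts):
    """Explicit port, or the scheme default, so 'http://a/' == 'http://a:80/'."""
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme.lower())


def _host_matches(url_host, realm_host):
    """Realm host may start with '*.'; otherwise hosts must be identical."""
    if realm_host.startswith("*."):
        suffix = realm_host[1:]            # "*.example.com" -> ".example.com"
        # Assumption of this example: the bare domain also matches its wildcard.
        return url_host.endswith(suffix) or url_host == suffix[1:]
    return url_host == realm_host


def _path_is_under(url_path, realm_path):
    """URL path must equal the realm path or be a sub-directory of it.

    Comparison is by path component, so realm path '/wiki' covers '/wiki/Edit'
    but not '/wikis/Edit'. Query strings are not part of the path and never
    affect the match, which is why dynamically generated arguments are fine.
    """
    url_path = url_path or "/"
    realm_path = realm_path or "/"
    if url_path == realm_path:
        return True
    if not realm_path.endswith("/"):
        realm_path += "/"
    return url_path.startswith(realm_path)


def return_to_matches_realm(return_to, realm):
    """True if return_to is covered by realm under OpenID 2.0 section 9.2 rules:
    same scheme, same (effective) port, matching host, path under realm path."""
    r = urlsplit(return_to)
    m = urlsplit(realm)
    if not r.hostname or not m.hostname:
        return False
    if r.scheme.lower() != m.scheme.lower():
        return False
    if _effective_port(r) != _effective_port(m):
        return False
    if not _host_matches(r.hostname, m.hostname):
        return False
    return _path_is_under(r.path, m.path)


def op_may_send_positive_assertion(return_to, rp_endpoints):
    """OP-side gate from section 9.2.1: treat each discovered RP endpoint as a
    realm; send a positive assertion only if at least one of them matches."""
    return any(return_to_matches_realm(return_to, ep) for ep in rp_endpoints)


if __name__ == "__main__":
    deep = "http://example.com/a/deep/path?with=dynamically&generated=arguments"
    print(deep, "->", op_may_send_positive_assertion(deep, RP_ENDPOINTS))
    other = "http://www.example.com/a/deep/path"
    print(other, "->", op_may_send_positive_assertion(other, RP_ENDPOINTS))
```

The deep-linked wiki edit URL from the use case above passes with an XRDS that lists only `http://example.com/`, because the path rule is a prefix rule by directory and the query string is ignored. A return_to on a different host, scheme or port is rejected even when the path is identical, which is the property that stops an assertion being redirected to an endpoint the RP never published.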