[OpenID] The delegation story in OpenID 2.0
Martin Atkins
mart at degeneration.co.uk
Fri Jan 19 08:06:11 UTC 2007
Dmitry Shechtman wrote:
> Johnny,
>
> Although it doesn't seem like TOTAL nonsense, I find this justification
> somewhat questionable.
>
> If Joe Blogger is an OP, his OpenID server should have XRDS. If he is
> delegating, he should follow the OP's instructions, which would probably
> include remote XRDS (in addition to the good old openid links).
>
> Maybe this belongs in another mailing list (which I am not a member of).
>
Unfortunately, since the OpenID bindings for XRDS don't *require* the
"OP-local identifier" (formerly known as openid:Delegate) to be
specified in all OpenID Service elements, most providers aren't going to
include it in *their own* XRDS documents and so they will be unsuitable
for linking from off-site.

However, I agree with you that in the ideal case you'd just do (for example)

    <meta http-equiv="X-XRDS-Location"
          content="http://www.myprovider.com/meta.xrds">

...and it would already have inside it the necessary delegate information.

The problem is that even if OpenID's Service element *did* have a
mandatory OP-local identifier, other services declared in the XRDS file
likely would not, so you'd be declaring services on your blog but the
endpoint wouldn't recognise your blog as a valid identifier. Therefore
you must either limit the provider's XRDS file to contain only services
that support delegation in some sense, or write your own XRDS file *in
addition* to your provider's which includes only OpenID and other
services which support delegation.
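
An added example, not part of the original message: a small audit of an XRDS document that reports, per Service element, whether it carries an OP-local identifier and is therefore usable when linked from another site. It assumes the `LocalID` element name from the OpenID 2.0 XRDS binding (with the older `openid:Delegate` as fallback); the user URL and the non-OpenID service type are constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted XRDS prefer a hardened parser (e.g. defusedxml)

XRD = "{xri://$xrd*($v*2.0)}"              # XRD 2.0 namespace
OPENID1 = "{http://openid.net/xmlns/1.0}"  # namespace of the older openid:Delegate element
OPENID_TYPES = ("http://specs.openid.net/auth/2.0/signon", "http://openid.net/signon/1.")

# Constructed sample: a provider's own XRDS, no OP-local identifier, plus a non-OpenID service
PROVIDER_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
  <Service><Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>http://www.myprovider.com/openid</URI></Service>
  <Service><Type>http://example.org/hypothetical-profile-service</Type>
    <URI>http://www.myprovider.com/profile</URI></Service>
</XRD></xrds:XRDS>"""

# Constructed sample: a hand-written XRDS for the blog, OpenID only, with an OP-local identifier
OWN_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
  <Service><Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>http://www.myprovider.com/openid</URI>
    <LocalID>http://www.myprovider.com/users/joe</LocalID></Service>
</XRD></xrds:XRDS>"""

def audit_xrds(xrds_text):
    """Return (uri, kind, op_local_id, usable_off_site) for every Service element."""
    findings = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD + "Type") if t.text]
        uri = (svc.findtext(XRD + "URI") or "").strip()
        local = svc.findtext(XRD + "LocalID") or svc.findtext(OPENID1 + "Delegate")
        local = local.strip() if local else None
        kind = "openid" if any(t.startswith(OPENID_TYPES) for t in types) else "other"
        # Without an OP-local identifier the endpoint only ever sees the blog URL,
        # which it has no reason to recognise as one of its own identifiers.
        findings.append((uri, kind, local, local is not None))
    return findings

if __name__ == "__main__":
    for name, doc in (("provider", PROVIDER_XRDS), ("own", OWN_XRDS)):
        for row in audit_xrds(doc):
            print(name, row)
```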