[OpenID] The delegation story in OpenID 2.0

Martin Atkins mart at degeneration.co.uk
Fri Jan 19 08:06:11 UTC 2007

Dmitry Shechtman wrote:
> Johnny,
> Although it doesn't seem like TOTAL nonsense, I find this justification
> somewhat questionable.
> If Joe Blogger is an OP, his OpenID server should have XRDS. If he is
> delegating, he should follow the OP's instructions, which would probably
> include remote XRDS (in addition to the good old openid links).
> Maybe this belongs in another mailing list (which I am not a member of).

Unfortunately, since the OpenID bindings for XRDS don't *require* the 
"OP-local identifier" (formerly known as openid:Delegate) to be 
specified in all OpenID Service elements, most providers aren't going to 
include it in *their own* XRDS documents and so they will be unsuitable 
for linking from off-site.

However, I agree with you that in the ideal case you'd just do (for example)

<meta http-equiv="X-XRDS-Location"

...and it would already have inside it the necessary delegate information.

The problem is that even if OpenID's Service element *did* have a 
mandatory OP-local identifier, other services declared in the XRDS file 
likely would not, so you'd be declaring services on your blog but the 
endpoint wouldn't recognise your blog as a valid identifier. Therefore 
you must either limit the provider's XRDS file to contain only services 
that support delegation in some sense, or write your own XRDS file *in 
addition* to your provider's which includes only OpenID and other 
services which support delegation.

More information about the general mailing list