[OpenID] The delegation story in OpenID 2.0

Martin Atkins mart at degeneration.co.uk
Fri Jan 19 17:59:06 UTC 2007

Simon Willison wrote:
> On 18 Jan 2007, at 23:07, Johnny Bufu wrote:
>> You can use both the v1 and v2 tags to point your URL Identifier to
>> the same server (if it implements both v1 and v2 protocols). This is
>> the example in the spec:
>>> <link rel="openid2.provider openid.server"
>>>       href="http://www.livejournal.com/openid/server.bml"/>
>>> <link rel="openid2.local_id openid.delegate"
>>>       href="http://exampleuser.livejournal.com/"/>
> This looks risky to me. The backwards compatibility with v1 relies on  
> existing implementations parsing the link rel attribute correctly -  
> actually treating it as a list of space separated identifiers as  
> opposed to just looking for something that matches  
> 'rel="openid.server"'. Does anyone know if there are existing  
> consumer libraries which are likely to choke on this new format?

I had the same thought when I saw this yesterday, knowing that Brad's 
original OpenID Consumer library parses using regexes. However, the code 
there just looks for a <link > tag containing rel= followed by 
openid.server. The following nonsense would even match:

     <link rel=,href="http://openid.server/">

The JanRain PHP consumer library has a marginally better parser which 
explicitly locates the rel attribute and splits it on spaces before 
matching. I assume the other JanRain libraries do similarly since I 
believe they were all basically just ports from a common source. (The 
Python version?)

Brad's library and the JanRain libraries represent a large proportion of 
the deployed consumers, I believe. In short, I don't think we have *too* 
much to worry about.

More information about the general mailing list