[OpenID] The delegation story in OpenID 2.0
Martin Atkins
mart at degeneration.co.uk
Fri Jan 19 17:59:06 UTC 2007
Simon Willison wrote:
> On 18 Jan 2007, at 23:07, Johnny Bufu wrote:
>
>> You can use both the v1 and v2 tags to point your URL Identifier to
>> the same server (if it implements both v1 and v2 protocols). This is
>> the example in the spec:
>>
>>> <link rel="openid2.provider openid.server"
>>> href="http://www.livejournal.com/openid/server.bml"/>
>>> <link rel="openid2.local_id openid.delegate"
>>> href="http://exampleuser.livejournal.com/"/>
>
> This looks risky to me. The backwards compatibility with v1 relies on
> existing implementations parsing the link rel attribute correctly -
> actually treating it as a list of space separated identifiers as
> opposed to just looking for something that matches
> 'rel="openid.server"'. Does anyone know if there are existing
> consumer libraries which are likely to choke on this new format?
>
I had the same thought when I saw this yesterday, knowing that Brad's
original OpenID Consumer library parses using regexes. However, the code
there just looks for a <link > tag containing rel= followed by
openid.server. The following nonsense would even match:
<link rel=,href="http://openid.server/">
The JanRain PHP consumer library has a marginally better parser which
explicitly locates the rel attribute and splits it on spaces before
matching. I assume the other JanRain libraries do similarly since I
believe they were all basically just ports from a common source. (The
Python version?)
Brad's library and the JanRain libraries represent a large proportion of
the deployed consumers, I believe. In short, I don't think we have *too*
much to worry about.
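The three parsing behaviours discussed in this thread, as an added example (not code from the OpenID list, from Brad's consumer, or from the JanRain libraries): an exact-match regex that only recognises `rel="openid.server"` (the kind of consumer Simon is worried about), a loose regex in the spirit of what Martin describes (a `<link>` tag containing `rel=` somewhere before `openid.server`), and a real attribute parser that extracts `rel` and splits it on whitespace. The HTML documents are constructed for this example; the two LiveJournal URLs are taken from the spec snippet quoted above, and the `example.com` URL is made up.

```python
"""Discovering an OpenID server from <link rel=...> tags, three ways.

Added example, not code from the OpenID list, Brad's consumer or the
JanRain libraries. The regexes below are illustrations of the two
matching styles described in the thread, not the libraries' actual code.
"""
import re
from html.parser import HTMLParser

# Constructed test documents (not from the original post).
COMBINED_REL = """<html><head>
<link rel="openid2.provider openid.server"
      href="http://www.livejournal.com/openid/server.bml"/>
<link rel="openid2.local_id openid.delegate"
      href="http://exampleuser.livejournal.com/"/>
</head></html>"""

V1_ONLY = ('<html><head><link rel="openid.server" '
           'href="http://example.com/server"></head></html>')

# The "nonsense" tag from the post: no real rel or href at all.
NONSENSE = '<html><head><link rel=,href="http://openid.server/"></head></html>'


def _href_in(tag_text):
    """Pull a double-quoted href out of a matched <link ...> string."""
    m = re.search(r'href="([^"]*)"', tag_text)
    return m.group(1) if m else None


# Style 1: only recognises the literal attribute value rel="openid.server".
# Breaks on the combined v1/v2 form from the spec.
EXACT_RE = re.compile(r'<link[^>]*rel="openid\.server"[^>]*>', re.I)

def exact_server(html):
    m = EXACT_RE.search(html)
    return _href_in(m.group(0)) if m else None


# Style 2: any <link> containing rel= followed, anywhere, by openid.server.
# Tolerates the combined form but also matches the nonsense tag.
LOOSE_RE = re.compile(r'<link[^>]*rel=[^>]*openid\.server[^>]*>', re.I)

def loose_server(html):
    m = LOOSE_RE.search(html)
    return _href_in(m.group(0)) if m else None


# Style 3: parse attributes properly and treat rel as a whitespace-separated
# list of link types, which is what HTML actually specifies.
class LinkRelParser(HTMLParser):
    """Collect (rel_tokens, href) for every <link> in the document head."""

    def __init__(self):
        super().__init__()
        self.links = []     # list of (set of lower-cased rel tokens, href)
        self._done = False  # stop looking once <body> starts

    def handle_starttag(self, tag, attrs):
        if self._done:
            return
        if tag == "body":
            self._done = True
            return
        if tag != "link":
            return
        attrs = dict(attrs)
        rel = attrs.get("rel") or ""
        href = attrs.get("href")
        tokens = set(rel.lower().split())
        if href is not None and tokens:
            self.links.append((tokens, href))


def discover(html):
    """Return the href for each OpenID 1 and 2 link type (None if absent)."""
    parser = LinkRelParser()
    parser.feed(html)
    parser.close()

    def first(token):
        for tokens, href in parser.links:
            if token in tokens:
                return href
        return None

    return {name: first(name) for name in
            ("openid2.provider", "openid2.local_id",
             "openid.server", "openid.delegate")}


if __name__ == "__main__":
    for name, doc in (("combined", COMBINED_REL), ("v1 only", V1_ONLY),
                      ("nonsense", NONSENSE)):
        print(name, exact_server(doc), loose_server(doc), discover(doc))
```

Running it shows the trade-off in the thread: the exact-match style finds nothing in the combined v1/v2 document, the loose style finds the combined document but also "discovers" `http://openid.server/` from the nonsense tag, and only the attribute parser gets both right.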