[OpenID] OpenID provider with gibberish identity URLs to avoid nickname change issues
Rowan Kerr
rowan at sxip.com
Wed May 30 13:07:10 UTC 2007
On 29-May-07, at 2:44 PM, Josh Hoyt wrote:

> There are two problems with trying to do this with OpenID 1.1. First,
> you can't do the redirection on a per-relying-party basis, because you
> don't know who the relying party is when they request the identity
> URL.

It could possibly be worked into the "discovery" step since that
requires following redirects ... if the RP set a referrer header
when it made the discovery request, the OP could leverage that.

> Second, the OpenID 1.1 specification does not allow for returning
> a different identifier than the one that was requested.

What part of the spec prevents it? I don't see anywhere that says
the Verified Identifier must be the same as the Claimed Identifier.

> Support for directed identity is one of the key features of OpenID
> 2.0. If you implement OpenID 2.0, your users will enter the URL for
> your provider, and the provider will get a request for identifier
> selection. It's up to the provider and the user at that point to
> choose or generate a URL to send in the response.

I agree that this would be the preferred way to do it.

-Rowan
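
The OpenID 2.0 identifier-selection step discussed above, seen from the provider's side, as an added example that is not part of the original message or of any OpenID library. The HMAC derivation, the op.example URL space, the secret and the account id are assumptions made for illustration; only the identifier_select URI comes from the OpenID 2.0 specification.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Defined by OpenID Authentication 2.0: the RP asks the OP to pick the identifier.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

OP_ID_BASE = "https://op.example/id/"   # hypothetical provider URL space
OP_SECRET = b"constructed-demo-secret"  # constructed; a real OP keeps this private


def canonical_realm(realm):
    """Lower-case scheme and host so trivially different spellings map together."""
    p = urlsplit(realm)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


def directed_identifier(account_id, realm, secret=OP_SECRET):
    """Opaque per-RP URL keyed on a stable internal account id, never the nickname."""
    msg = f"{account_id}\n{canonical_realm(realm)}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return OP_ID_BASE + tag


def assertion_identifiers(request, account_id):
    """Return the openid.claimed_id / openid.identity pair for a positive assertion."""
    if request.get("openid.claimed_id") == IDENTIFIER_SELECT:
        # openid.realm is optional in 2.0; it defaults to the return_to URL.
        realm = request.get("openid.realm") or request["openid.return_to"]
        url = directed_identifier(account_id, realm)
        return {"openid.claimed_id": url, "openid.identity": url}
    # No identifier selection requested: assert what was asked for, unchanged
    # (the OP is assumed to have checked that this user controls it).
    return {k: request[k] for k in ("openid.claimed_id", "openid.identity")}


if __name__ == "__main__":
    req = {  # constructed checkid_setup parameters
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": "https://rp-one.example/",
    }
    print(assertion_identifiers(req, account_id=4217))
```

Because the URL is derived from the internal account id and the realm, renaming the user's nickname leaves every relying party's identifier unchanged, and two relying parties cannot correlate the same user by URL.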