[OpenID] Scheme in OP-Local ID
Jack
jack at jackpot.uk.net
Sat Sep 8 17:48:31 UTC 2007
Martin Atkins wrote:
> Jack wrote:
>> The user enters "usersblog.example.com" in the RP's login form, and
>> is then asked to confirm they want to authenticate as
>> "http://user.provider.net/". At least, this is what happens with
>> myopenid.com - I'm not sure why they don't ask me to confirm my
>> claimed_id.
>>
>
> The OP is free to call the user identity whatever it likes in its UI.
> For example, LiveJournal could reasonably look at one of its own
> URLs like http://frank.livejournal.com/ and refer to the user as
> "frank".
OK - that's what I think - as long as that reference is sufficiently
specific that the user cannot be mistaken about what is being approved.
So a 2.0 OP SHOULD present the user's claimed_id for approval in their
UI? That's not what you're saying, I know - you're saying that the OP
can ask the user to approve whatever string they like. But from a UI
perspective, it seems to me that the claimed_id is what should be
presented for approval.
From a security perspective, I'm not sure.
>
> In version 1.1 of OpenID, which is what is widely deployed today, the
> OP wasn't actually ever sent the claimed_id. The thinking behind this
> was that OPs would then be unable to "tell" that they are being
> delegated to, and thus can't make delegation a premium service or
> whatever.
>
> However, as you've almost certainly seen, the claimed_id is now
> included in the OpenID 2.0 authentication requests in order to
> support some new features in 2.0, and so OPs could now start to use
> the claimed_id in their UI if they wish -- particularly in the XRI
> case you noted.
Yah - and indeed, the XRI provider I'm testing against
(linksafe.ezibroker.net) only offers 1.0 at this time. Perhaps pay-for
users get a nicer id to approve :-)
But the XRI case is notable, because the identifier that is to be
validated MUST be the CanonicalID. Doesn't that mean that in the case of
XRI, the user has to be asked to approve auth-requests by reference to
that CanonicalID? There isn't any other claimed_id anyway, if the OP was
discovered using XRI - the only thing that can be claimed is the
CanonicalID.
I don't see the point of the OP validating something that the user
hasn't explicitly approved (and I suppose that's why it's required that
the id that is validated is the CanonicalID). But that means that if
they use an XRI id, they _can't_ be asked to approve the id they entered
in the RP's login form - it's forbidden by the spec. They have to
approve something else.
--
Jack.
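The thread above turns on which identifier the OP puts in front of the user for approval: in OpenID 1.1 only the OP-local identity travels to the OP, in 2.0 the claimed_id is on the wire as well, and for an XRI-discovered identifier that claimed_id is the CanonicalID. The following is an added example, not code from the thread or from any OpenID library, that models the OP-side decision in that order and the matching RP-side check that the assertion names the identifiers the RP's own discovery produced. The request strings, the CanonicalID value and the URLs in it are constructed for illustration; the parameter names (openid.ns, openid.mode, openid.claimed_id, openid.identity) and the identifier_select URL are the ones from the OpenID 2.0 specification.

```python
# Added example (not the thread's or any library's code): which identifier an OP
# should ask the user to approve, and the RP-side check that binds the positive
# assertion back to what discovery produced for the identifier the user typed.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Sentinel claimed_id meaning "OP, pick the identifier for the logged-in user".
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def is_xri(identifier: str) -> bool:
    """XRIs begin with a global context symbol or the xri:// scheme."""
    return identifier.startswith(("=", "@", "+", "$", "!", "xri://"))


@dataclass
class AuthRequest:
    ns: Optional[str]        # absent on an OpenID 1.1 request
    identity: str            # OP-local identifier (openid.identity)
    claimed_id: Optional[str]  # only present in 2.0 requests


def parse_auth_request(query: str) -> AuthRequest:
    """Parse the query string of a checkid_setup request (constructed input)."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return AuthRequest(
        ns=params.get("openid.ns"),
        identity=params["openid.identity"],
        claimed_id=params.get("openid.claimed_id"),
    )


def identifier_to_approve(req: AuthRequest) -> Optional[str]:
    """
    The string the OP should show when asking "authenticate as X?".

    2.0 request with a claimed_id: show the claimed_id. When the identifier was
    discovered via XRI, that value is the CanonicalID, so an XRI user approves
    the CanonicalID rather than the i-name they typed at the RP.
    2.0 request with identifier_select: the OP must substitute the identifier
    of the account actually logged in; None signals that here.
    1.1 request: no claimed_id on the wire, only the OP-local identity.
    """
    if req.ns == OPENID2_NS and req.claimed_id:
        if req.claimed_id == IDENTIFIER_SELECT:
            return None
        return req.claimed_id
    return req.identity


def rp_accepts_assertion(discovered_claimed_id: str, discovered_local_id: str,
                         asserted_claimed_id: str, asserted_identity: str) -> bool:
    """
    RP-side check: the identifiers in the positive assertion must equal those
    the RP's own discovery produced for what the user entered. Otherwise the
    user may have approved one identifier while the RP logs in another.
    """
    return (discovered_claimed_id == asserted_claimed_id
            and discovered_local_id == asserted_identity)


# Constructed sample requests mirroring the three cases in the thread.
URL_REQUEST_20 = urlencode({
    "openid.ns": OPENID2_NS,
    "openid.mode": "checkid_setup",
    "openid.claimed_id": "http://usersblog.example.com/",
    "openid.identity": "http://user.provider.net/",
})
URL_REQUEST_11 = urlencode({
    "openid.mode": "checkid_setup",
    "openid.identity": "http://user.provider.net/",
})
# Constructed CanonicalID, not a real i-number.
XRI_CANONICAL_ID = "=!0000.0000.0000.0001"
XRI_REQUEST_20 = urlencode({
    "openid.ns": OPENID2_NS,
    "openid.mode": "checkid_setup",
    "openid.claimed_id": XRI_CANONICAL_ID,
    "openid.identity": XRI_CANONICAL_ID,
})

if __name__ == "__main__":
    for label, q in (("2.0 URL", URL_REQUEST_20), ("1.1", URL_REQUEST_11),
                     ("2.0 XRI", XRI_REQUEST_20)):
        print(label, "->", identifier_to_approve(parse_auth_request(q)))
```

Running the module prints the URL claimed_id for the 2.0 URL case, the OP-local identity for the 1.1 case, and the CanonicalID for the XRI case; the RP check is what stops a user-approved identifier and the identifier the RP logs in from drifting apart.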