[OpenID] XRI for OP Identifier?
Drummond Reed
drummond.reed at cordance.net
Thu Apr 24 19:54:26 UTC 2008
Jean-Noel,
Now I understand the full context of your original question. The info you
are seeking is in section 7.3.1 of OpenID Authentication 2.0:
*********************************
7.3.1. Discovered Information
Upon successful completion of discovery, the Relying Party will have one or
more sets of the following information (see the Terminology section
(Terminology) for definitions). If more than one set of the following
information has been discovered, the precedence rules defined in
[XRI_Resolution_2.0] are to be applied.
* OP Endpoint URL
* Protocol Version
If the end user did not enter an OP Identifier, the following information
will also be present:
* Claimed Identifier
* OP-Local Identifier
If the end user entered an OP Identifier, there is no Claimed Identifier.
For the purposes of making OpenID Authentication requests, the value
"http://specs.openid.net/auth/2.0/identifier_select" MUST be used as both
the Claimed Identifier and the OP-Local Identifier when an OP Identifier is
entered.
*****************************
So the key is that if the user entered an OP Identifier (either a URL, such
as "yahoo.com", or an XRI i-name, such as "@2idi"), the RP uses this only to
discover the XRDS document for the OP so that the RP can find the OP
Endpoint URL in the "OP Identifier Element". This is defined in section
7.3.2.1.1 of the spec:
*****************************
7.3.2.1.1. OP Identifier Element
An OP Identifier Element is an <xrd:Service> element with the following
information:
An <xrd:Type> tag whose text content is
"http://specs.openid.net/auth/2.0/server".
An <xrd:URI> tag whose text content is the OP Endpoint URL
*****************************
So, in the end, if a user enters an OP identifier (either a URL or an XRI),
it is only used for discovery of the OP Endpoint URL. From that point on,
the OP identifier is not used any further, and thus the fact that an OP that
has an XRI i-name also has a CanonicalID does not really figure into OpenID
Authentication 2.0. (It *does* figure into other trust scenarios involving
OPs, just not OpenID authentication.)
Hope this helps,
=Drummond
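As an added illustration of the discovery logic Drummond walks through (this is example code written for this note, not from the thread, the spec, or any OpenID library): the RP looks for an OP Identifier Element first and, if it finds one, uses identifier_select for both the Claimed and OP-Local Identifier; otherwise it falls back to a Claimed Identifier Element, taking the XRD's CanonicalID as the Claimed Identifier when the user entered an XRI. The two XRDS inputs, the op.example endpoint and the XRI values are constructed, and the cid="verified" check on the Status element is an added precaution mirroring the attribute visible in the @2idi XRD, not a rule quoted above.

```python
import xml.etree.ElementTree as ET

OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"   # OP Identifier Element, 7.3.2.1.1
CLAIMED_ID_TYPE = "http://specs.openid.net/auth/2.0/signon"      # Claimed Identifier Element
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

def _kids(el, name, by_priority=False):
    """Children whose local name matches, ignoring the XRD namespace; absent priority sorts last."""
    kids = [c for c in el if c.tag.rsplit("}", 1)[-1] == name]
    return sorted(kids, key=lambda c: int(c.get("priority", 10**9))) if by_priority else kids

def _first_service(services, type_uri):
    for s in services:
        if type_uri in [t.text.strip() for t in _kids(s, "Type") if t.text]:
            return s
    return None

def discover(xrds_xml, user_input, is_xri):
    """Return the 7.3.1 result as (op_endpoint, claimed_id, op_local_id)."""
    xrd = _kids(ET.fromstring(xrds_xml), "XRD")[-1]        # last XRD describes the final target
    services = _kids(xrd, "Service", by_priority=True)
    svc = _first_service(services, OP_IDENTIFIER_TYPE)       # searched before Claimed Identifier Elements
    if svc is not None:                                      # OP Identifier entered: no Claimed Identifier
        endpoint = _kids(svc, "URI", by_priority=True)[0].text.strip()
        return endpoint, IDENTIFIER_SELECT, IDENTIFIER_SELECT
    svc = _first_service(services, CLAIMED_ID_TYPE)
    if svc is None:
        raise ValueError("no OpenID 2.0 service element in XRDS")
    endpoint = _kids(svc, "URI", by_priority=True)[0].text.strip()
    if is_xri:
        # XRI input: CanonicalID MUST be the Claimed Identifier; added check that Status says cid="verified".
        status, cid = _kids(xrd, "Status"), _kids(xrd, "CanonicalID")
        if not cid or not status or status[0].get("cid") != "verified":
            raise ValueError("XRI CanonicalID missing or not verified")
        claimed = cid[0].text.strip()
    else:
        claimed = user_input
    local = _kids(svc, "LocalID")
    return endpoint, claimed, local[0].text.strip() if local else claimed

# Constructed sample XRDS documents (not the ones posted in the thread).
OP_XRDS = """<XRDS xmlns="xri://$xrds"><XRD xmlns="xri://$xrd*($v*2.0)">
<Service priority="10"><Type>http://specs.openid.net/auth/2.0/server</Type>
<URI priority="2">http://op.example/openid/</URI><URI priority="1">https://op.example/openid/</URI>
</Service></XRD></XRDS>"""
USER_XRDS = """<XRDS xmlns="xri://$xrds"><XRD xmlns="xri://$xrd*($v*2.0)">
<Status cid="verified" code="100"/><CanonicalID>=!F83C.1234.ABCD.0001</CanonicalID>
<Service><Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://op.example/openid/</URI><LocalID>!F83C.1234.ABCD.0001</LocalID>
</Service></XRD></XRDS>"""
```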
> -----Original Message-----
> From: Jean-Noel Colin [mailto:jn.colin at gmail.com]
> Sent: Thursday, April 24, 2008 11:25 AM
> To: Drummond Reed
> Cc: general at openid.net
> Subject: Re: [OpenID] XRI for OP Identifier?
>
> Drummond
>
> Thank you so much for your explanation. So the rule is safe, whenever
> XRI is used, CanonicalID is provided.
>
> This canonical Id is the OP Identifier, right?
>
> From what I read in the specs, CanonicalID has to be used as the
> claimedId for the authentication request. But what is the meaning of
> using an OP's canonical ID as the claimedID? I would expect to have in
> the claimedID either a User ID, or the 'identifier_select' value to
> tell the OP to 'help' the user to select the appropriate ID. I don't
> understand the use of the canonical Id in case OP Id is supplied by
> the user instead of User Id.
>
> Thanks a lot
>
> Jean-Noel
>
>
> On 24 Apr 2008, at 17:49, Drummond Reed wrote:
>
> > Jean-Noel,
> >
> > OPs that are identified with XRIs have CanonicalIDs just like users
> > that are identified with XRIs. The same rule applies -- the user can
> > enter a simple, human-friendly i-name for the OP, and the XRDS document
> > will provide the CanonicalID for the OP.
> >
> > Following is the XRDS for the OP I use (@2idi) for =drummond. You can
> > see that @2idi has the CanonicalID @!E5E4.83AC.F494.8CE4.
> >
> > <XRDS ref="xri://@2idi">
> >   <XRD version="2.0">
> >     <Query>*2idi</Query>
> >     <Status ceid="off" cid="verified" code="100"/>
> >     <Expires>2008-04-24T16:43:09.000Z</Expires>
> >     <ProviderID>xri://@</ProviderID>
> >     <LocalID priority="10">!E5E4.83AC.F494.8CE4</LocalID>
> >     <CanonicalID priority="10">@!E5E4.83AC.F494.8CE4</CanonicalID>
> >     <Service priority="10">
> >       <Type>xri://$res*auth*($v*2.0)</Type>
> >       <URI priority="1">http://xria.authn.info/@livingdirectory/</URI>
> >     </Service>
> >     <Service priority="10">
> >       <Type select="true">http://openid.net/signon/1.0</Type>
> >       <URI append="none" priority="1">https://2idi.com/openid/</URI>
> >       <URI append="none" priority="2">http://2idi.com/openid/</URI>
> >     </Service>
> >     <Service priority="10">
> >       <Type match="default"/>
> >       <Type select="true">xri://+i-service*(+contact)*($v*1.0)</Type>
> >       <Path select="true">(+contact)</Path>
> >       <Path match="null"/>
> >       <URI append="qxri" priority="1">http://2idi.com/contact/</URI>
> >     </Service>
> >   </XRD>
> > </XRDS>
> >
> > =Drummond
> >
> >> -----Original Message-----
> >> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> >> On Behalf Of Jean-Noel Colin
> >> Sent: Thursday, April 24, 2008 2:34 AM
> >> To: general at openid.net
> >> Subject: [OpenID] XRI for OP Identifier?
> >>
> >> Hi
> >>
> >> I have a question regarding the use of XRI as OP Identifier. The
> >> specs
> >> (2.0) mention that whenever an XRI is used as the (user-supplied)
> >> Identifier, the XRDS document retrieved MUST include a canonicalId,
> >> which is to be used as the claimed identifier.
> >>
> >> As a consequence, this means that XRI can not be used as OP
> >> Identifier, otherwise, what would be the value of the canonicalId? So
> >> does this mean that OP Identifier can only be URI that are resolvable
> >> using Yadis (since HTML Resolution is only allowed for user
> >> Identifiers)?
> >>
> >> Thanks for clarifying this
> >>
> >> Best regards
> >>
> >> Jean-Noel Colin
> >> _______________________________________________
> >> general mailing list
> >> general at openid.net
> >> http://openid.net/mailman/listinfo/general
> >