[OpenID] XRI for OP Identifier?
Jean-Noel Colin
jn.colin at gmail.com
Thu Apr 24 20:12:41 UTC 2008
Drummond
Many thanks for your help. This makes it much more clear. Just to be
sure, to conclude, if user supplies an XRI that is an OP Identifier,
the canonicalid is not used (for openid purpose) and the claimed_id in
the authentication request is set to 'identifier_select'; while if
user supplies an XRI that is a user identifier, the canonicalid is
used as the claimed id in the authentication request? Is that correct?
Thanks again
Jean-Noel
On 24 Apr 2008, at 21:54, Drummond Reed wrote:
> Jean-Noel,
>
> Now I understand the full context of your original question. The
> info you
> are seeking is in section 7.3.1 of OpenID Authentication 2.0:
>
> *********************************
> 7.3.1. Discovered Information
>
> Upon successful completion of discovery, the Relying Party will have
> one or
> more sets of the following information (see the Terminology section
> (Terminology) for definitions). If more than one set of the following
> information has been discovered, the precedence rules defined in
> [XRI_Resolution_2.0] are to be applied.
>
> * OP Endpoint URL
> * Protocol Version
>
> If the end user did not enter an OP Identifier, the following
> information
> will also be present:
>
> * Claimed Identifier
> * OP-Local Identifier
>
> If the end user entered an OP Identifier, there is no Claimed
> Identifier.
> For the purposes of making OpenID Authentication requests, the value
> "http://specs.openid.net/auth/2.0/identifier_select" MUST be used as
> both
> the Claimed Identifier and the OP-Local Identifier when an OP
> Identifier is
> entered.
> *****************************
>
> So the key is that if the user entered an OP Identifier (either a
> URL, such
> as "yahoo.com", or an XRI i-name, such as "@2idi"), the RP uses this
> only to
> discover the XRDS document for the OP so that the RP can find the OP
> Endpoint URL in the "OP Identifier Element". This is defined in
> section
> 7.3.2.1.1 of the spec:
>
> *****************************
> 7.3.2.1.1. OP Identifier Element
>
> An OP Identifier Element is an <xrd:Service> element with the
> following
> information:
>
> An <xrd:Type> tag whose text content is
> "http://specs.openid.net/auth/2.0/server".
> An <xrd:URI> tag whose text content is the OP Endpoint URL
> *****************************
>
> So, in the end, if a user enters an OP identifier (either a URL or
> an XRI),
> it is only used for discovery of the OP Endpoint URL. From that
> point on,
> the OP identifier is not used any further, and thus the fact that an
> OP that
> has an XRI i-name also has a CanonicalID does not really figure into
> OpenID
> Authentication 2.0. (It *does* figure into other trust scenarios
> involving
> OPs, just not OpenID authentication.)
>
> Hope this helps,
>
> =Drummond
>
>
>> -----Original Message-----
>> From: Jean-Noel Colin [mailto:jn.colin at gmail.com]
>> Sent: Thursday, April 24, 2008 11:25 AM
>> To: Drummond Reed
>> Cc: general at openid.net
>> Subject: Re: [OpenID] XRI for OP Identifier?
>>
>> Drummond
>>
>> Thank you so much for your explanation. So the rule is safe, whenever
>> XRI is used, CanonicalID is provided.
>>
>> This canonical Id is the OP Identifier, right?
>>
>> From what I read in the specs, CanonicalID has to be used as the
>> claimedId for the authentication request. But what is the meaning of
>> using an OP's canonical ID as the claimedID? I would expect to have
>> in
>> the claimedID either a User ID, or the 'identifier_select' value to
>> tell the OP to 'help' the user to select the appropriate ID. I don't
>> understand the use of the canonical Id in case OP Id is supplied by
>> the user instead of User Id
>>
>> Thanks a lot
>>
>> Jean-Noel
>>
>>
>> On 24 Apr 2008, at 17:49, Drummond Reed wrote:
>>
>>> Jean-Noel,
>>>
>>> OPs that are identified with XRIs have CanonicalIDs just like users
>>> that are
>>> identified with XRIs. The same rule applies -- the user can enter a
>>> simple,
>>> human-friendly i-name for the OP, and the XRDS document will provide
>>> the
>>> CanonicalID for the OP.
>>>
>>> Following is the XRDS for the OP I use (@2idi) for =drummond. You
>>> can see
>>> that @2idi has the CanonicalID @!E5E4.83AC.F494.8CE4.
>>>
>>> <XRDS ref="xri://@2idi">
>>>   <XRD version="2.0">
>>>     <Query>*2idi</Query>
>>>     <Status ceid="off" cid="verified" code="100"/>
>>>     <Expires>2008-04-24T16:43:09.000Z</Expires>
>>>     <ProviderID>xri://@</ProviderID>
>>>     <LocalID priority="10">!E5E4.83AC.F494.8CE4</LocalID>
>>>     <CanonicalID priority="10">@!E5E4.83AC.F494.8CE4</CanonicalID>
>>>     <Service priority="10">
>>>       <Type>xri://$res*auth*($v*2.0)</Type>
>>>       <URI priority="1">http://xria.authn.info/@livingdirectory/</URI>
>>>     </Service>
>>>     <Service priority="10">
>>>       <Type select="true">http://openid.net/signon/1.0</Type>
>>>       <URI append="none" priority="1">https://2idi.com/openid/</URI>
>>>       <URI append="none" priority="2">http://2idi.com/openid/</URI>
>>>     </Service>
>>>     <Service priority="10">
>>>       <Type match="default"/>
>>>       <Type select="true">xri://+i-service*(+contact)*($v*1.0)</Type>
>>>       <Path select="true">(+contact)</Path>
>>>       <Path match="null"/>
>>>       <URI append="qxri" priority="1">http://2idi.com/contact/</URI>
>>>     </Service>
>>>   </XRD>
>>> </XRDS>
>>>
>>> =Drummond
>>>
>>>> -----Original Message-----
>>>> From: general-bounces at openid.net [mailto:general-
>>>> bounces at openid.net] On
>>>> Behalf Of Jean-Noel Colin
>>>> Sent: Thursday, April 24, 2008 2:34 AM
>>>> To: general at openid.net
>>>> Subject: [OpenID] XRI for OP Identifier?
>>>>
>>>> Hi
>>>>
>>>> I have a question regarding the use of XRI as OP Identifier. The
>>>> specs
>>>> (2.0) mention that whenever an XRI is used as the (user-supplied)
>>>> Identifier, the XRDS document retrieved MUST include a canonicalId,
>>>> which is to be used as the claimed identifier.
>>>>
>>>> As a consequence, this means that XRI cannot be used as OP
>>>> Identifier, otherwise, what would be the value of the
>>>> canonicalId? So
>>>> does this mean that OP Identifier can only be URI that are
>>>> resolvable
>>>> using Yadis (since HTML Resolution is only allowed for user
>>>> Identifiers)?
>>>>
>>>> Thanks for clarifying this
>>>>
>>>> Best regards
>>>>
>>>> Jean-Noel Colin
>>>> _______________________________________________
>>>> general mailing list
>>>> general at openid.net
>>>> http://openid.net/mailman/listinfo/general
>>>
>
>
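Added example, not code from the thread or from any OpenID library: a Python sketch of the section 7.3.1 rules Drummond quotes, applied to the final XRD of a resolved XRDS. It assumes the 2.0 signon type URI `http://specs.openid.net/auth/2.0/signon` for Claimed Identifier Elements, that an RP only trusts a CanonicalID when the resolver's Status element says `cid="verified"` (as in the @2idi XRDS above), and the two XRDS samples are constructed (the user i-number is a placeholder).

```python
import xml.etree.ElementTree as ET

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"  # OP Identifier Element (7.3.2.1.1)
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"     # Claimed Identifier Element (assumed type URI)

def is_xri(identifier):  # XRIs start with xri:// or a global context symbol = @ + $ !
    return identifier.startswith("xri://") or identifier[:1] in "=@+$!"
def _local(tag):  # drop a namespace prefix so bare and namespaced XRDS parse alike
    return tag.rsplit("}", 1)[-1]
def _prio(elem):  # lower priority value wins; a missing priority sorts last
    return int(elem.get("priority", "1000000"))

def discover(user_supplied, xrds_text):
    """Derive the 7.3.1 auth-request fields from the final XRD of a resolved XRDS."""
    xrd = [e for e in ET.fromstring(xrds_text).iter() if _local(e.tag) == "XRD"][-1]
    top = {_local(c.tag): c for c in xrd}
    for svc in sorted((c for c in xrd if _local(c.tag) == "Service"), key=_prio):
        kids = [(_local(c.tag), (c.text or "").strip(), c) for c in svc]
        types = {t for n, t, _ in kids if n == "Type"}
        uris = sorted((c for n, _, c in kids if n == "URI"), key=_prio)
        local_ids = [t for n, t, _ in kids if n == "LocalID"]
        if not uris:
            continue
        endpoint = (uris[0].text or "").strip()
        if OP_SERVER_TYPE in types:
            # OP Identifier entered: there is no Claimed Identifier; both fields MUST be identifier_select
            return {"op_endpoint": endpoint, "claimed_id": IDENTIFIER_SELECT, "identity": IDENTIFIER_SELECT}
        if SIGNON_TYPE in types:
            if is_xri(user_supplied):
                # Assumption: only trust a CanonicalID the resolver marked verified (Status cid="verified")
                status = top.get("Status")
                if status is None or status.get("cid") != "verified" or "CanonicalID" not in top:
                    raise ValueError("XRI CanonicalID missing or not verified; refusing to use it")
                claimed = (top["CanonicalID"].text or "").strip()
            else:
                claimed = user_supplied  # URL identifier: the normalized user-supplied URL is the Claimed Identifier
            return {"op_endpoint": endpoint, "claimed_id": claimed,
                    "identity": local_ids[0] if local_ids else claimed}  # OP-Local Identifier
    raise ValueError("no OpenID 2.0 service element in XRDS")

# Constructed sample modelled on the @2idi XRDS quoted in the thread, with a 2.0 OP Identifier Element
OP_XRDS = """<XRDS ref="xri://@2idi"><XRD version="2.0"><Query>*2idi</Query>
<Status cid="verified" code="100"/><CanonicalID>@!E5E4.83AC.F494.8CE4</CanonicalID>
<Service priority="10"><Type>http://specs.openid.net/auth/2.0/server</Type>
<URI priority="1">https://2idi.com/openid/</URI></Service></XRD></XRDS>"""
# Constructed sample for a user i-name; the i-number is a placeholder, not a real CanonicalID
USER_XRDS = """<XRDS ref="xri://=example"><XRD version="2.0"><Query>*example</Query>
<Status cid="verified" code="100"/><CanonicalID>=!CONSTRUCTED.0001</CanonicalID>
<Service priority="10"><Type>http://specs.openid.net/auth/2.0/signon</Type><LocalID>=!CONSTRUCTED.0001</LocalID>
<URI priority="1">https://2idi.com/openid/</URI></Service></XRD></XRDS>"""
```

Running `discover("@2idi", OP_XRDS)` yields identifier_select for both fields, while `discover("=example", USER_XRDS)` returns the CanonicalID as the Claimed Identifier, which is exactly the distinction Jean-Noel summarises.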