[OpenID] XRI for OP Identifier?

Drummond Reed drummond.reed at cordance.net
Fri Apr 25 01:06:41 UTC 2008


Jean-Noel.

Yes, you have it correct.

Let me add one other note regarding OpenID XRI usage: when users provide an
i-name like =drummond, and the RP maps it to a CanonicalID of
=!F83.62B1.44F.2813 and then sends that i-number as the claimed_id in the
authentication request to the OP, it can lead to a usability issue at the
OP because the OP doesn't want to greet the user:

	"Hi =!F83.62B1.44F.2813 - do you approve of logging into ABC site?"

The XRI folks talked extensively with the OpenID editors back in the early
days of OpenID 2.0 about having the RP _also_ send the original i-name in
the authentication request so the OP can greet the user by the i-name they
are asserting. But this was rejected for security/complexity reasons.

The XRI folks then realized that there is a simple workaround: configure the
user's OpenID service endpoint as follows (this is from my own XRDS document
for =drummond):

<Service priority="10">
	<Type select="true">http://openid.net/signon/1.0</Type>
	<URI append="qxri" priority="2">http://2idi.com/openid/</URI>
	<URI append="qxri" priority="1">https://2idi.com/openid/</URI>
</Service>

Note the append="qxri" attribute on the URI elements. This tells the RP that
it should append the query XRI to the service endpoint URI. In other words,
the OP Endpoint URIs from the above service endpoint should be:

	http://2idi.com/openid/=drummond
	https://2idi.com/openid/=drummond

and not:

	http://2idi.com/openid/
	https://2idi.com/openid/

This way the OP receives the original input XRI (the "query XRI" or qxri) as
part of the OP URL and can simply set up their system to strip this out and
use it as the display identifier to the user.

All it takes to do all this automatically (including the URL construction
above) is to hand the XRI to an XRI 2.0 compliant resolver. For example, the
XDI.org public proxy resolver is currently running such code (the upgraded
OpenXRI code base) at beta.xri.net. Once testing is over (as soon as next
week, but no later than the end of May) it will be migrated to xri.net.

For example, to make a request for the OpenID 1.0 service endpoint URI (if
all you wanted was the URIs) for =drummond, you could just call:

xri.net/=drummond?_xrd_r=text/uri-list&_xrd_t=http://openid.net/signon/1.0

The return is a URI list with:

https://2idi.com/openid/=drummond
http://2idi.com/openid/=drummond

Hope this helps,

=Drummond 
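As an added illustration (not code from the message or from OpenXRI), here is the RP-side endpoint construction described above, applied to a constructed XRDS fragment modelled on the =drummond service, plus the OP-side step that recovers the query XRI from the endpoint path for display only. It assumes an XRDS without an XML namespace and models only the append values seen in this thread ("qxri" and "none").

```python
import xml.etree.ElementTree as ET

# Constructed XRDS fragment modelled on the =drummond service quoted above (no namespace).
SAMPLE_XRDS = """<XRDS ref="xri://=drummond">
 <XRD version="2.0">
  <CanonicalID priority="10">=!F83.62B1.44F.2813</CanonicalID>
  <Service priority="10">
    <Type select="true">http://openid.net/signon/1.0</Type>
    <URI append="qxri" priority="2">http://2idi.com/openid/</URI>
    <URI append="qxri" priority="1">https://2idi.com/openid/</URI>
  </Service>
 </XRD>
</XRDS>"""

OPENID_SIGNON_10 = "http://openid.net/signon/1.0"

def _priority(elem):
    # Lower number wins; an element with no priority sorts after every numbered one.
    p = elem.get("priority")
    return int(p) if p is not None else float("inf")

def op_endpoint_uris(xrds_text, qxri, service_type=OPENID_SIGNON_10):
    """RP side: OP Endpoint URLs for one service type, highest precedence first.
    append="qxri" appends the query XRI (the user's original input, e.g. "=drummond");
    append="none" or a missing attribute leaves the URI as-is (hypothetical helper)."""
    root = ET.fromstring(xrds_text)
    out = []
    for svc in sorted(root.iter("Service"), key=_priority):
        if service_type not in [t.text for t in svc.findall("Type")]:
            continue
        for uri in sorted(svc.findall("URI"), key=_priority):
            mode = uri.get("append", "none")
            base = uri.text.strip()
            if mode == "qxri":
                out.append(base + qxri)
            elif mode == "none":
                out.append(base)
            else:
                raise ValueError("append mode not modelled here: %s" % mode)
    return out

def display_identifier(request_url, base_endpoint):
    """OP side: strip the qxri out of the request path to greet the user by i-name.
    This is display text only; the claimed_id (the CanonicalID) is what is authenticated."""
    if not request_url.startswith(base_endpoint):
        return None
    tail = request_url[len(base_endpoint):]
    return tail if tail and tail[0] in "=@" else None  # only the GCS chars seen in this thread
```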

> -----Original Message-----
> From: Jean-Noel Colin [mailto:jn.colin at gmail.com]
> Sent: Thursday, April 24, 2008 1:13 PM
> To: Drummond Reed
> Cc: general at openid.net
> Subject: Re: [OpenID] XRI for OP Identifier?
> 
> Drummond
> 
> 
> Many thanks for your help. This makes it much more clear. Just to be
> sure, to conclude, if user supplies an XRI that is an OP Identifier,
> the canonicalid is not used (for openid purpose) and the claimed_id in
> the authentication request is set to 'identifier_select'; while if
> user supplies an XRI that is a user identifier, the canonicalid is
> used as the claimed id in the authentication request? Is that correct?
> 
> Thanks again
> 
> Jean-Noel
> 
> On 24 Apr 2008, at 21:54, Drummond Reed wrote:
> 
> > Jean-Noel,
> >
> > Now I understand the full context of your original question. The info you
> > are seeking is in section 7.3.1 of OpenID Authentication 2.0:
> >
> > *********************************
> > 7.3.1.  Discovered Information
> >
> > Upon successful completion of discovery, the Relying Party will have one or
> > more sets of the following information (see the Terminology section
> > (Terminology) for definitions). If more than one set of the following
> > information has been discovered, the precedence rules defined in
> > [XRI_Resolution_2.0] are to be applied.
> >
> >    * OP Endpoint URL
> >    * Protocol Version
> >
> > If the end user did not enter an OP Identifier, the following information
> > will also be present:
> >
> >    * Claimed Identifier
> >    * OP-Local Identifier
> >
> > If the end user entered an OP Identifier, there is no Claimed Identifier.
> > For the purposes of making OpenID Authentication requests, the value
> > "http://specs.openid.net/auth/2.0/identifier_select" MUST be used as both
> > the Claimed Identifier and the OP-Local Identifier when an OP Identifier is
> > entered.
> > *****************************
> >
> > So the key is that if the user entered an OP Identifier (either a URL, such
> > as "yahoo.com", or an XRI i-name, such as "@2idi"), the RP uses this only to
> > discover the XRDS document for the OP so that the RP can find the OP
> > Endpoint URL in the "OP Identifier Element". This is defined in section
> > 7.3.2.1.1 of the spec:
> >
> > *****************************
> > 7.3.2.1.1.  OP Identifier Element
> >
> > An OP Identifier Element is an <xrd:Service> element with the following
> > information:
> >
> >        An <xrd:Type> tag whose text content is
> > "http://specs.openid.net/auth/2.0/server".
> >        An <xrd:URI> tag whose text content is the OP Endpoint URL
> > *****************************
> >
> > So, in the end, if a user enters an OP identifier (either a URL or an XRI),
> > it is only used for discovery of the OP Endpoint URL. From that point on,
> > the OP identifier is not used any further, and thus the fact that an OP that
> > has an XRI i-name also has a CanonicalID does not really figure into OpenID
> > Authentication 2.0. (It *does* figure into other trust scenarios involving
> > OPs, just not OpenID authentication.)
> >
> > Hope this helps,
> >
> > =Drummond
> >
> >
> >> -----Original Message-----
> >> From: Jean-Noel Colin [mailto:jn.colin at gmail.com]
> >> Sent: Thursday, April 24, 2008 11:25 AM
> >> To: Drummond Reed
> >> Cc: general at openid.net
> >> Subject: Re: [OpenID] XRI for OP Identifier?
> >>
> >> Drummond
> >>
> >> Thank you so much for your explanation. So the rule is safe, whenever
> >> XRI is used, CanonicalID is provided.
> >>
> >> This canonical Id is the OP Identifier, right?
> >>
> >> From what I read in the specs, CanonicalID has to be used as the
> >> claimedId for the authentication request. But what is the meaning of
> >> using an OP's canonical ID as the claimedID? I would expect to have in
> >> the claimedID either a User ID, or the 'identifier_select' value to
> >> tell the OP to 'help' the user to select the appropriate ID. I don't
> >> understand the use of the canonical Id in case OP Id is supplied by
> >> the user instead of User Id.
> >>
> >> Thanks a lot
> >>
> >> Jean-Noel
> >>
> >>
> >> On 24 Apr 2008, at 17:49, Drummond Reed wrote:
> >>
> >>> Jean-Noel,
> >>>
> >>> OPs that are identified with XRIs have CanonicalIDs just like users
> >>> that are identified with XRIs. The same rule applies -- the user can enter
> >>> a simple, human-friendly i-name for the OP, and the XRDS document will
> >>> provide the CanonicalID for the OP.
> >>>
> >>> Following is the XRDS for the OP I use (@2idi) for =drummond. You can see
> >>> that @2idi has the CanonicalID @!E5E4.83AC.F494.8CE4.
> >>>
> >>> <XRDS ref="xri://@2idi">
> >>>  <XRD version="2.0">
> >>> 	<Query>*2idi</Query>
> >>> 	<Status ceid="off" cid="verified" code="100"/>
> >>> 	<Expires>2008-04-24T16:43:09.000Z</Expires>
> >>> 	<ProviderID>xri://@</ProviderID>
> >>> 	<LocalID priority="10">!E5E4.83AC.F494.8CE4</LocalID>
> >>> 	<CanonicalID priority="10">@!E5E4.83AC.F494.8CE4</CanonicalID>
> >>> 	<Service priority="10">
> >>> 		<Type>xri://$res*auth*($v*2.0)</Type>
> >>> 		<URI priority="1">http://xria.authn.info/@livingdirectory/</URI>
> >>> 	</Service>
> >>> 	<Service priority="10">
> >>> 		<Type select="true">http://openid.net/signon/1.0</Type>
> >>> 		<URI append="none" priority="1">https://2idi.com/openid/</URI>
> >>> 		<URI append="none" priority="2">http://2idi.com/openid/</URI>
> >>> 	</Service>
> >>> 	<Service priority="10">
> >>> 		<Type match="default"/>
> >>> 		<Type select="true">xri://+i-service*(+contact)*($v*1.0)</Type>
> >>> 		<Path select="true">(+contact)</Path>
> >>> 		<Path match="null"/>
> >>> 		<URI append="qxri" priority="1">http://2idi.com/contact/</URI>
> >>> 	</Service>
> >>>  </XRD>
> >>> </XRDS>
> >>>
> >>> =Drummond
> >>>
> >>>> -----Original Message-----
> >>>> From: general-bounces at openid.net [mailto:general-
> >>>> bounces at openid.net] On
> >>>> Behalf Of Jean-Noel Colin
> >>>> Sent: Thursday, April 24, 2008 2:34 AM
> >>>> To: general at openid.net
> >>>> Subject: [OpenID] XRI for OP Identifier?
> >>>>
> >>>> Hi
> >>>>
> >>>> I have a question regarding the use of XRI as OP Identifier. The specs
> >>>> (2.0) mention that whenever an XRI is used as the (user-supplied)
> >>>> Identifier, the XRDS document retrieved MUST include a canonicalId,
> >>>> which is to be used as the claimed identifier.
> >>>>
> >>>> As a consequence, this means that XRI cannot be used as OP
> >>>> Identifier, otherwise, what would be the value of the canonicalId? So
> >>>> does this mean that OP Identifier can only be URIs that are resolvable
> >>>> using Yadis (since HTML Resolution is only allowed for user
> >>>> Identifiers)?
> >>>>
> >>>> Thanks for clarifying this
> >>>>
> >>>> Best regards
> >>>>
> >>>> Jean-Noel Colin
> >>>> _______________________________________________
> >>>> general mailing list
> >>>> general at openid.net
> >>>> http://openid.net/mailman/listinfo/general
> >>>
> >
> >
