[OpenID] choosing endpoint after performing discovery on claimed_id from response
Greg Byrd
gbyrd at ncsu.edu
Tue Jul 22 13:56:34 UTC 2008

(1) Section 11.2 says that RP must perform discovery "[i]f the Claimed
Identifier was not previously discovered." So I think you don't need to do that
second discovery step in your email. But you said stateless mode, so maybe you
don't remember that you discovered the ID in the first place, so...

(2) The op_endpoint field is returned in id_res, so the verification should just
check whether any of the OPs returned from discovery match the supplied op_endpoint.

...Greg

James Tindall wrote:
> Suppose a relying party is operating under stateless mode. Suppose also
> that the discovery phase for the given claimed_id returned more than one
> endpoint. Then suppose that association attempts failed on at least one
> of the endpoints but then succeeded on one of the other endpoints
> further down the priority order. Then upon receiving the authentication
> (id_res) response from the chosen OP the RP must perform discovery on
> the claimed_id contained in the response in order to be able to verify
> the response data against discovered data. But then if, as is probable,
> the discovery phase again returns more than one endpoint, how is the RP
> to choose which one to verify the response data against?
>
> =james.tindall
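
The check described in point (2), as an added example that is not part of either message and is not taken from any OpenID library: after re-running discovery on the claimed_id from the response, the RP accepts the assertion only if one of the discovered endpoints matches the op_endpoint (and OP-Local Identifier) in the id_res. The function name, the dict shape returned by `discover`, and the sample URLs are assumptions; it handles URL identifiers only and assumes the response signature was already verified.

```python
from urllib.parse import urldefrag

OPENID2_NS = "http://specs.openid.net/auth/2.0"

def match_discovered_endpoint(response, discover):
    """Return the discovered endpoint that agrees with the id_res, or None.

    response: dict of openid.* fields from an already signature-checked id_res.
    discover: callable(claimed_id) -> list of endpoint dicts in priority order,
              each with 'op_endpoint' and 'local_id' (hypothetical shape).
    """
    if response.get("openid.ns") != OPENID2_NS:
        return None
    claimed_id = response.get("openid.claimed_id")
    op_endpoint = response.get("openid.op_endpoint")
    if not claimed_id or not op_endpoint:
        return None
    # Discovery is performed on the claimed identifier without its fragment.
    url, _fragment = urldefrag(claimed_id)
    asserted_local = response.get("openid.identity")
    for ep in discover(url):
        # An entry with no OP-Local Identifier uses the claimed identifier.
        local_id = ep.get("local_id") or url
        # Priority order is irrelevant here: any discovered entry that agrees
        # with the response authorizes this OP for this claimed_id.
        if ep["op_endpoint"] == op_endpoint and local_id == asserted_local:
            return ep
    return None  # no discovered OP matches: reject the assertion

# Constructed sample: discovery yields two endpoints; the RP authenticated
# against the second one after the first failed to associate.
def sample_discover(claimed_id):
    return [
        {"op_endpoint": "https://op-a.example/auth", "local_id": None},
        {"op_endpoint": "https://op-b.example/auth",
         "local_id": "https://op-b.example/u/alice"},
    ]

SAMPLE_RESPONSE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://op-b.example/u/alice",
    "openid.op_endpoint": "https://op-b.example/auth",
}

if __name__ == "__main__":
    print(match_discovered_endpoint(SAMPLE_RESPONSE, sample_discover))
```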