[OpenID] choosing endpoint after performing discovery on claimed_id from response
James Tindall
james at atomless.com
Tue Jul 22 14:47:08 UTC 2008
Thanks Greg,
I think you're right - but it's possible that more than one endpoint in
the xrds has the same op_endpoint as that supplied in the response - so
it would be necessary to also compare other fields to select the best
matching endpoint. This is making OpenID kind of a protracted process.
=james.tindall
Greg Byrd wrote:
> (1) Section 11.2 says that RP must perform discovery "[i]f the Claimed
> Identifier was not previously discovered." So I think you don't need
> to do that second discovery step in your email. But you said
> stateless mode, so maybe you don't remember that you discovered the ID
> in the first place, so...
>
> (2) The op_endpoint field is returned in id_res, so the verification
> should just check whether any of the OPs returned from discovery match
> the supplied op_endpoint.
>
> ...Greg
>
>
> James Tindall wrote:
>> Suppose a relying party is operating under stateless mode. Suppose
>> also that the discovery phase for the given claimed_id returned more
>> than one endpoint. Then suppose that association attempts failed on
>> at least one of the endpoints but then succeeded on one of the other
>> endpoints further down the priority order. Then upon receiving the
>> authentication (id_res) response from the chosen OP the RP must
>> perform discovery on the claimed_id contained in the response in
>> order to be able to verify the response data against discovered data.
>> But then if, as is probable, the discovery phase again returns more
>> than one endpoint, how is the RP to choose which one to verify the
>> response data against?
>>
>> =james.tindall
>>
>>
>
>
>
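An added example, not code from either poster or from any OpenID library: one way a stateless RP could pick the endpoint to verify against after re-discovery, by requiring that a single discovered entry agree with the id_res response on op_endpoint and on the other fields as well. The `DiscoveredEndpoint` record, its field names, and the sample URLs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

OPENID2_NS = "http://specs.openid.net/auth/2.0"

@dataclass(frozen=True)
class DiscoveredEndpoint:
    """One service entry from discovery (hypothetical record layout)."""
    claimed_id: str
    op_endpoint: str
    local_id: Optional[str]  # OP-Local Identifier; None means same as claimed_id
    ns: str = OPENID2_NS
    priority: int = 0        # XRDS priority: lower value is preferred

def matching_endpoint(response, discovered):
    """Return the discovered entry that agrees with the id_res response on
    every field, or None. A match on op_endpoint alone is not enough,
    because several entries may share the same OP endpoint URL."""
    matches = []
    for ep in discovered:
        expected_local = ep.local_id or ep.claimed_id
        if (response.get("openid.ns") == ep.ns
                and response.get("openid.op_endpoint") == ep.op_endpoint
                and response.get("openid.claimed_id") == ep.claimed_id
                and response.get("openid.identity") == expected_local):
            matches.append(ep)
    # Entries that match on all fields are equivalent for verification;
    # the priority only makes the choice deterministic.
    return min(matches, key=lambda ep: ep.priority) if matches else None

# Constructed sample: two entries share one op_endpoint but differ in local_id.
CLAIMED = "https://example.org/james"
DISCOVERED = [
    DiscoveredEndpoint(CLAIMED, "https://op-a.example/server",
                       "https://op-a.example/u/james", priority=0),
    DiscoveredEndpoint(CLAIMED, "https://op-b.example/server",
                       "https://op-b.example/u/jt", priority=10),
    DiscoveredEndpoint(CLAIMED, "https://op-b.example/server",
                       "https://op-b.example/u/james", priority=20),
]
RESPONSE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op-b.example/server",
    "openid.claimed_id": CLAIMED,
    "openid.identity": "https://op-b.example/u/james",
}

if __name__ == "__main__":
    print(matching_endpoint(RESPONSE, DISCOVERED))
```

If no entry matches on all fields, the function returns None and the RP should reject the assertion rather than fall back to a partial match.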