[OpenID] choosing endpoint after performing discovery on claimed_id from response
Andrew Arnott
andrewarnott at gmail.com
Tue Jul 22 15:20:28 UTC 2008
As James mentioned, Greg, the spec requires that you verify more than just
the op_endpoint. In fact, four fields are listed in the table of section 11.2
that should be equal. And James, I think these four fields *should* be
enough to narrow the endpoints down to just one. And even if it didn't, it
might as well be, since all the significant data is the same.
On Tue, Jul 22, 2008 at 7:47 AM, James Tindall <james at atomless.com> wrote:
> Thanks Greg,
>
> I think you're right - but it's possible that more than one endpoint in
> the xrds has the same op_endpoint as that supplied in the response - so
> it would be necessary to also compare other fields to select the best
> matching endpoint. This is making OpenID kind of a protracted process.
>
> =james.tindall
>
> Greg Byrd wrote:
> > (1) Section 11.2 says that RP must perform discovery "[i]f the Claimed
> > Identifier was not previously discovered." So I think you don't need
> > to do that second discovery step in your email. But you said
> > stateless mode, so maybe you don't remember that you discovered the ID
> > in the first place, so...
> >
> > (2) The op_endpoint field is returned in id_res, so the verification
> > should just check whether any of the OPs returned from discovery match
> > the supplied op_endpoint.
> >
> > ...Greg
> >
> >
> > James Tindall wrote:
> >> Suppose a relying party is operating under stateless mode. Suppose
> >> also that the discovery phase for the given claimed_id returned more
> >> than one endpoint. Then suppose that association attempts failed on
> >> at least one of the endpoints but then succeeded on one of the other
> >> endpoints further down the priority order. Then upon receiving the
> >> authentication (id_res) response from the chosen OP the RP must
> >> perform discovery on the claimed_id contained in the response in
> >> order to be able to verify the response data against discovered data.
> >> But then if, as is probable, the discovery phase again returns more
> >> than one endpoint, how is the RP to choose which one to verify the
> >> response data against?
> >>
> >> =james.tindall
> >>
> >>
> >> _______________________________________________
> >> general mailing list
> >> general at openid.net
> >> http://openid.net/mailman/listinfo/general
> >
> >
> >
>
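The selection step the thread is circling around, written out as an added example (this is not code from the list discussion or from any OpenID library): given the endpoints discovery returned for the claimed_id and the fields of the id_res response, keep only the endpoints whose four section 11.2 fields (Claimed Identifier, OP-Local Identifier, OP Endpoint URL, protocol version) all match. The endpoint records, the XRDS priorities and the response are constructed samples; the scenario is James's case of two XRDS entries sharing one op_endpoint.

```python
"""Pick the discovered endpoint an OpenID 2.0 id_res response is verified
against, per section 11.2 of OpenID Authentication 2.0.
Added example with constructed data; not the list's or any library's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# A response with no openid.ns is an OpenID 1.x compatibility message.
OPENID1_NS = "http://openid.net/signon/1.1"


@dataclass(frozen=True)
class DiscoveredEndpoint:
    """One service entry produced by discovery on the claimed_id."""
    claimed_id: str   # Claimed Identifier discovery was run on
    local_id: str     # OP-Local Identifier (what openid.identity must equal)
    op_endpoint: str  # OP Endpoint URL (what openid.op_endpoint must equal)
    protocol_ns: str  # protocol version, expressed as the openid.ns value
    priority: int     # XRDS priority, lower wins; only used for ordering


def select_endpoint(discovered: List[DiscoveredEndpoint],
                    response: Dict[str, str]) -> Optional[DiscoveredEndpoint]:
    """Return the discovered endpoint whose four 11.2 fields all equal the
    response's, or None, in which case the RP must reject the assertion.
    Comparing op_endpoint alone is not enough: two entries can share it."""
    version = response.get("openid.ns", OPENID1_NS)
    matches = [
        ep for ep in discovered
        if ep.claimed_id == response.get("openid.claimed_id")
        and ep.local_id == response.get("openid.identity")
        and ep.op_endpoint == response.get("openid.op_endpoint")
        and ep.protocol_ns == version
    ]
    if not matches:
        return None
    # Entries identical in all four fields are interchangeable for
    # verification purposes; prefer the higher XRDS priority (lower number).
    return min(matches, key=lambda ep: ep.priority)


def sample_discovery() -> List[DiscoveredEndpoint]:
    """Constructed XRDS result: two entries, same OP endpoint, different
    OP-Local Identifiers (the ambiguity raised in the thread)."""
    op = "https://op.example.com/server"          # constructed
    return [
        DiscoveredEndpoint("https://alice.example.org/",
                           "https://alice.example.org/", op, OPENID2_NS, 10),
        DiscoveredEndpoint("https://alice.example.org/",
                           "https://op.example.com/users/alice", op, OPENID2_NS, 20),
    ]


def sample_response() -> Dict[str, str]:
    """Constructed id_res fields (only the ones 11.2 compares)."""
    return {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.claimed_id": "https://alice.example.org/",
        "openid.identity": "https://op.example.com/users/alice",
        "openid.op_endpoint": "https://op.example.com/server",
    }


if __name__ == "__main__":
    chosen = select_endpoint(sample_discovery(), sample_response())
    print("verify against:", chosen)
    forged = dict(sample_response(), **{"openid.op_endpoint": "https://other.example/server"})
    print("forged op_endpoint ->", select_endpoint(sample_discovery(), forged))
```

In stateless mode this selection happens before the check_authentication round trip: the RP first confirms that the asserting OP is one that discovery actually ties to the claimed_id, and only then asks that OP to confirm the signature. A response whose identity or op_endpoint matches no discovered entry is rejected without contacting anyone.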