[OpenID] Verifying CanonicalIDs (was RE: Weighing In on TechCrunch's "Is OpenID BeingExploited...)
Johnny Bufu
johnny at sxip.com
Thu Mar 27 17:42:26 UTC 2008
On 26-Mar-08, at 4:13 AM, Markus Sabadello wrote:
> I have come across the openid4java message "ProviderID is not
> authoritative
> for the CanonicalID" a few times too. In fact, the method in question,
> Discovery.isProviderAuthoritative(), specifically mentions in a
> comment that
> it doesn't work with community i-names.
>
> Now we could fix that method, but as Drummond points out, CanonicalID
> Verification is already built into XRI Resolution 2.0, so the whole
> Discovery.isProviderAuthoritative() method can go away.
>
> All that openid4java has to do is check the "cid" attribute of the
> <Status>
> element of the final XRD.. It says either "verified" or "failed" or
> "absent".
That's great news! Would you be able to provide a patch, or is there
support in an updated open-xri library for this?
There's actually an open issue for this that has been waiting for a
while:
http://code.google.com/p/openid4java/issues/detail?id=17
Thank you,
Johnny
More information about the general
mailing list