[OpenID] Verifying CanonicalIDs (was RE: Weighing In on TechCrunch's "Is OpenID Being Exploited...)

Tan, William William.Tan at neustar.biz
Thu Mar 27 17:58:32 UTC 2008


Johnny Bufu wrote:
>
> On 26-Mar-08, at 4:13 AM, Markus Sabadello wrote:
>
>> I have come across the openid4java message "ProviderID is not authoritative
>> for the CanonicalID" a few times too. In fact, the method in question,
>> Discovery.isProviderAuthoritative(), specifically mentions in a comment that
>> it doesn't work with community i-names.
>>
>> Now we could fix that method, but as Drummond points out, CanonicalID
>> Verification is already built into XRI Resolution 2.0, so the whole
>> Discovery.isProviderAuthoritative() method can go away.
>>
>> All that openid4java has to do is check the "cid" attribute of the <Status>
>> element of the final XRD. It says either "verified" or "failed" or
>> "absent".
>
> That's great news! Would you be able to provide a patch, or is there 
> support in an updated open-xri library for this?
>
> There's actually an open issue for this that has been waiting for a while:
> http://code.google.com/p/openid4java/issues/detail?id=17

Currently, this feature is available on http://alpha.xri.net/proxy/ and 
will be moved to http://beta.xri.net/ soon. However, yes, the new 
OpenXRI (SVN trunk) does support it so you don't really have to wait for 
the proxies to be updated. We'll work together to get a patch into 
OpenID4Java.

=wil
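
The check described in the quoted text above (read the "cid" attribute of the <Status> element of the final XRD), as an added example that is not part of the original message and is not openid4java or OpenXRI code. The class and method names are hypothetical, the XRDS sample is constructed, and the code assumes a flat XRDS (no nested XRDS elements) using the XRI Resolution 2.0 XRD namespace.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class CidStatusCheck {
    // XRD namespace from XRI Resolution 2.0 (assumed for the resolver's output).
    static final String XRD_NS = "xri://$xrd*($v*2.0)";

    /** True only when the final XRD's Status element carries cid="verified". */
    static boolean canonicalIdVerified(byte[] xrds) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The XRDS arrives from the network: refuse DTDs so no entities are expanded.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xrds)).getDocumentElement();
        // The final XRD is the last XRD child of the root XRDS element.
        Element finalXrd = lastChild(root, "XRD");
        if (finalXrd == null) return false;
        Element status = lastChild(finalXrd, "Status");
        // Fail closed: missing Status, missing attribute, "failed" and "absent" all reject.
        return status != null && "verified".equals(status.getAttribute("cid"));
    }

    // Last direct child element of parent with the given local name in the XRD namespace.
    static Element lastChild(Element parent, String localName) {
        Element found = null;
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n instanceof Element && XRD_NS.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) found = (Element) n;
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the first XRD is always "verified"; only the final one varies.
        String tmpl = "<XRDS xmlns=\"xri://$xrds\">"
            + "<XRD xmlns=\"xri://$xrd*($v*2.0)\"><Status cid=\"verified\"/></XRD>"
            + "<XRD xmlns=\"xri://$xrd*($v*2.0)\"><Status code=\"100\" cid=\"@CID@\"/>"
            + "<CanonicalID>=!0000.0000.0000.0001</CanonicalID></XRD></XRDS>";
        for (String cid : new String[] {"verified", "failed", "absent"}) {
            byte[] xml = tmpl.replace("@CID@", cid).getBytes(StandardCharsets.UTF_8);
            System.out.println(cid + " -> accept=" + canonicalIdVerified(xml));
        }
    }
}
```

Only the "verified" case is accepted; a relying party would treat the CanonicalID as the claimed identifier only after this check passes.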


