[OpenID] XRDS RP discovery when dynamic pages allow logins?
SitG Admin
sysadmin at shadowsinthegarden.com
Sun May 25 17:13:20 UTC 2008
>According to the OpenID 2.0 spec (as I read it), the RP discovery
>feature requires that the return_to URL be found in the XRDS doc
>published by the RP at the realm URL. However, some sites, such as
>blogs, allow logging in on virtually every page on the site
>(thousands). How should this be handled in the XRDS document since
>it can't be practical to include thousands of potential return_to
>URLs in the XRDS doc?
I've always thought of that as being part of the transparent (so it
never bothered me to not notice this happening) redirection process;
the *site* (Relying Party) keeps track of where a user was (URL#1),
sends them to their OP (URL#2) with a return_to of that site's
Consuming address (URL#3), and then, when the user gets to URL#3, if
authentication was successful they get an instant redirect straight
back to URL#1 again.
-Shade
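
The flow described in the reply above, sketched as an added example that is not part of the original message. The hostnames, function names, the `session` dict and the `assertion_verified` flag (standing in for real verification of the OP's response) are assumptions. The same-site check on the remembered URL goes beyond what the message states.

```python
from urllib.parse import urlencode, urlsplit

# Assumed values for illustration; none of these come from the original post.
REALM = "https://blog.example/"
CONSUMER_URL = "https://blog.example/openid/consume"  # URL#3: the single return_to listed in the XRDS
OP_ENDPOINT = "https://op.example/auth"               # URL#2: the user's OP

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

def same_site(url):
    """Accept only absolute URLs on the RP's own scheme and host."""
    u, r = urlsplit(url), urlsplit(REALM)
    return (u.scheme, u.netloc) == (r.scheme, r.netloc)

def begin_login(session, current_url):
    """Remember URL#1 server-side, then build the redirect to the OP."""
    # URL#1 never travels in return_to, so the XRDS needs one entry only.
    session["after_login"] = current_url if same_site(current_url) else REALM
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": REALM,
        "openid.return_to": CONSUMER_URL,  # constant, whatever page the user was on
    }
    return OP_ENDPOINT + "?" + urlencode(params)

def finish_login(session, assertion_verified):
    """Runs at URL#3; returns where the browser is redirected next."""
    target = session.pop("after_login", REALM)  # single use
    if not assertion_verified:
        return REALM  # assumed landing page for a failed login
    # Re-check before redirecting so a tampered session value cannot
    # turn the consumer endpoint into an open redirect.
    return target if same_site(target) else REALM
```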