[OpenID] XRDS RP discovery when dynamic pages allow logins?
Johnny Bufu
johnny.bufu at gmail.com
Sun May 25 20:12:41 UTC 2008
On 05/25/2008 07:33 AM, Andrew Arnott wrote:
> According to the OpenID 2.0 spec (as I read it), the RP discovery
> feature requires that the return_to URL be found in the XRDS doc
> published by the RP at the realm URL. However, some sites, such as
> blogs, allow logging in on virtually every page on the site
> (thousands). How should this be handled in the XRDS document since it
> can't be practical to include thousands of potential return_to URLs in
> the XRDS doc?

This is covered in the spec:

9.2.1. Using the Realm for Return URL Verification

[...]

To match a return_to URL against a relying party endpoint, use the same
rules as for matching the return_to URL against the realm, treating the
relying party's endpoint URL as the realm. Relying party endpoint URLs
MUST NOT contain a domain wildcard, and SHOULD be as specific as possible.

http://openid.net/specs/openid-authentication-2_0.html#realms

Johnny
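
The check described in the quoted section 9.2.1, as an added example that is not part of the original message or of any OpenID library: a single RP endpoint published in the XRDS document covers every login page beneath it, and an endpoint carrying a domain wildcard is refused. The function names, the example.com URLs and the dot-segment rejection are assumptions of this sketch, and the realm rules follow one reading of section 9.2 of the spec.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parts(url):
    """Split an http(s) URL into (scheme, host, port, path, fragment)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("not an http(s) URL")
    port = u.port if u.port is not None else DEFAULT_PORTS[scheme]
    return scheme, u.hostname, port, u.path or "/", u.fragment

def matches_realm(return_to, realm, allow_wildcard=True):
    """Realm matching as read from OpenID 2.0 section 9.2 (assumed reading)."""
    try:
        r_scheme, r_host, r_port, r_path, r_frag = _parts(realm)
        u_scheme, u_host, u_port, u_path, _ = _parts(return_to)
    except ValueError:
        return False
    if r_frag:  # a realm must not carry a fragment
        return False
    wildcard = r_host.startswith("*.")
    if wildcard and not allow_wildcard:
        return False
    if (u_scheme, u_port) != (r_scheme, r_port):
        return False
    if wildcard:
        suffix = r_host[2:]
        if u_host != suffix and not u_host.endswith("." + suffix):
            return False
    elif u_host != r_host:
        return False
    # Extra precaution, not in the quoted spec text: refuse dot-segments.
    if ".." in u_path.split("/"):
        return False
    # The path must be equal to, or a sub-directory of, the realm's path.
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return u_path == r_path or u_path.startswith(prefix)

def return_to_verified(return_to, rp_endpoints):
    """9.2.1: each RP endpoint is treated as a realm; wildcards are refused."""
    return any(matches_realm(return_to, ep, allow_wildcard=False)
               for ep in rp_endpoints)

# Constructed sample: one endpoint published in the blog's XRDS document.
ENDPOINTS = ["http://blog.example.com/"]
```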