[OpenID] XRDS RP discovery when dynamic pages allow logins?
Andrew Arnott
andrewarnott at gmail.com
Mon May 26 01:24:24 UTC 2008
This is great. Thanks everyone who answered!
On Sun, May 25, 2008 at 1:12 PM, Johnny Bufu <johnny.bufu at gmail.com> wrote:
>
> On 05/25/2008 07:33 AM, Andrew Arnott wrote:
>
>> According to the OpenID 2.0 spec (as I read it), the RP discovery feature
>> requires that the return_to URL be found in the XRDS doc published by the RP
>> at the realm URL. However, some sites, such as blogs, allow logging in on
>> virtually every page on the site (thousands). How should this be handled in
>> the XRDS document since it can't be practical to include thousands of
>> potential return_to URLs in the XRDS doc?
>>
>
> This is covered in the spec:
>
> 9.2.1. Using the Realm for Return URL Verification
>
> [...]
>
> To match a return_to URL against a relying party endpoint, use the same
> rules as for matching the return_to URL against the realm, treating the
> relying party's endpoint URL as the realm. Relying party endpoint URLs MUST
> NOT contain a domain wildcard, and SHOULD be as specific as possible.
>
> http://openid.net/specs/openid-authentication-2_0.html#realms
>
>
> Johnny
>
>
--
Andrew Arnott
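
Added example, not part of the original thread and not taken from any OpenID library: a sketch of the check an OP could run under the quoted section 9.2.1, treating each relying party endpoint from the XRDS document as a realm, so that one endpoint such as the site root covers every page that can start a login. The function names and the example.com / .test URLs are constructed for illustration, and the dot-segment refusal is an added precaution rather than something the quoted text requires.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Split a URL into (scheme, host, port, path, fragment), normalised."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    # u.hostname is already lower-cased; fill in the scheme's default port.
    port = u.port if u.port is not None else DEFAULT_PORTS[scheme]
    return scheme, u.hostname, port, u.path or "/", u.fragment


def return_to_matches_endpoint(return_to, endpoint):
    """True if return_to matches endpoint when the endpoint is used as the realm."""
    try:
        e_scheme, e_host, e_port, e_path, e_frag = _parts(endpoint)
        r_scheme, r_host, r_port, r_path, _ = _parts(return_to)
    except ValueError:
        return False
    # RP endpoint URLs MUST NOT contain a domain wildcard; a realm has no fragment.
    if "*" in e_host or e_frag:
        return False
    # Scheme, host and port must be identical (no suffix or wildcard matching).
    if (r_scheme, r_host, r_port) != (e_scheme, e_host, e_port):
        return False
    # Added precaution (assumption): refuse dot-segments so "/blog/../x"
    # cannot pass the prefix test below.
    if any(seg in (".", "..") for seg in r_path.split("/")):
        return False
    # Path must equal the endpoint path or be a sub-directory of it.
    if r_path == e_path:
        return True
    prefix = e_path if e_path.endswith("/") else e_path + "/"
    return r_path.startswith(prefix)


def verify_return_to(return_to, endpoints):
    """Accept return_to if any endpoint published in the RP's XRDS matches it."""
    return any(return_to_matches_endpoint(return_to, e) for e in endpoints)
```
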