[OpenID] Problems with delegation and directed identity OPs

Deron Meranda deron.meranda at gmail.com
Thu Nov 6 16:59:07 UTC 2008


I am trying to use delegation with OPs that use directed identities and
I'm having problems getting it to work.

I want to use my own domain as my claimed identity
<'http://deron.meranda.us/'>, but delegate to a public OP.  So I set up an
XRDS document under my domain (using an X-XRDS-Location header).

I've tried this with three different public OPs that have different behaviors:

  Verisign PIP - fixed identity
  Yahoo! - directed ID, can choose among a set of IDs (default is randomish)
  Google - directed ID, random per-RP identities

The XRDS document I'm serving from my domain contains these services:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD>
        <!--  **** GOOGLE **** -->
        <Service priority="1">
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
            <URI>https://www.google.com/accounts/o8/ud</URI>
            <LocalID>https://www.google.com/accounts/o8/id</LocalID>
        </Service>

        <!-- **** VERISIGN **** -->
        <Service priority="2">
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
            <URI>https://pip.verisignlabs.com/server</URI>
            <LocalID>https://dmeranda.pip.verisignlabs.com/</LocalID>
        </Service>

        <!-- **** YAHOO! **** -->
        <Service priority="3">
            <Type>http://specs.openid.net/auth/2.0/signon</Type>
            <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
            <LocalID>http://yahoo.com/</LocalID>
        </Service>
    </XRD>
</xrds:XRDS>

Now what I'm seeing varies depending on OP (I adjust the priority levels
to test each one)...

Verisign: Works.  My RP gets a success with:
   openid.claimed_id = 'http://deron.meranda.us/'
   openid.identity = 'https://dmeranda.pip.verisignlabs.com/'

Yahoo!: Almost works; Yahoo! let me pick which ID to use and returns
success with
   openid.claimed_id = 'http://deron.meranda.us/'
   openid.identity = 'https://me.yahoo.com/a/3Uz4wakJ.....etc.....'
but then the RP fails while validating the response
   "OpenID authentication failure: No matching endpoint found after
discovering http://deron.meranda.us/"

Google: Works, but I don't keep my claimed id
   openid.claimed_id =
'https://www.google.com/accounts/o8/id?id=AItOaw.....etc.....'
   openid.identity =
'https://www.google.com/accounts/o8/id?id=AItOaw.....etc.....'

So how do I get OPs like Yahoo! and Google to delegate in the same way
that Verisign does?
-- 
Deron Meranda
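Added illustration, not part of the message above: a small Python model of the check an RP performs under OpenID 2.0 section 11.2 ("Verifying Discovered Information") once it receives a positive assertion. The RP re-discovers the claimed identifier and accepts the response only if some discovered service's endpoint URL and OP-Local Identifier match the returned openid.op_endpoint and openid.identity; that check is what stops an OP from asserting an identifier the user's XRDS never delegated to it, and it is also the step that produces a "no matching endpoint" outcome when the asserted identity is a directed identity the XRDS does not list. The XRDS is the one from the message; the directed-identity values the message elides are replaced by constructed placeholders, and the status strings returned by verify_assertion are this example's own naming.

```python
"""Model of the RP-side verification step in OpenID 2.0 section 11.2.
Added example; not code from the mailing-list message or any OpenID library."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XRD_NS = "xri://$xrd*($v*2.0)"
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"
LOWEST_PRIORITY = 10**9  # a Service without a priority attribute sorts last


@dataclass(frozen=True)
class Endpoint:
    op_endpoint: str  # <URI>
    local_id: str     # <LocalID>, or the claimed id itself when absent (section 7.3.1)
    priority: int


def parse_xrds(xrds_xml: str, claimed_id: str) -> list[Endpoint]:
    """Return the OpenID 2.0 signon services of an XRDS document, best priority first."""
    root = ET.fromstring(xrds_xml)
    found = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if SIGNON_TYPE not in types:
            continue
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if uri is None or not uri.text:
            continue
        local = svc.find(f"{{{XRD_NS}}}LocalID")
        local_id = local.text.strip() if local is not None and local.text else claimed_id
        found.append(Endpoint(uri.text.strip(), local_id, int(svc.get("priority", LOWEST_PRIORITY))))
    return sorted(found, key=lambda e: e.priority)


def verify_assertion(xrds_xml: str, user_claimed_id: str, assertion: dict) -> str:
    """Classify a positive assertion the way an RP would (status names are this example's).

    'verified'             - a discovered service matches op_endpoint and identity
    'no_matching_endpoint' - the OP asserted an identity the XRDS never delegated to
    'claimed_id_replaced'  - the OP returned its own claimed_id, so the RP would run
                             discovery on that URL instead of the user's identifier
    """
    if assertion["openid.claimed_id"] != user_claimed_id:
        return "claimed_id_replaced"
    for ep in parse_xrds(xrds_xml, user_claimed_id):
        if ep.op_endpoint == assertion["openid.op_endpoint"] and ep.local_id == assertion["openid.identity"]:
            return "verified"
    return "no_matching_endpoint"


# The XRDS from the message, wrapped in the standard XRDS/XRD envelope.
USER_CLAIMED_ID = "http://deron.meranda.us/"
XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
      <LocalID>https://www.google.com/accounts/o8/id</LocalID>
    </Service>
    <Service priority="2">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://pip.verisignlabs.com/server</URI>
      <LocalID>https://dmeranda.pip.verisignlabs.com/</LocalID>
    </Service>
    <Service priority="3">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
      <LocalID>http://yahoo.com/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Positive assertions as the RP sees them (constructed; the directed identities
# the message elides are replaced by placeholder values).
VERISIGN = {"openid.op_endpoint": "https://pip.verisignlabs.com/server",
            "openid.claimed_id": USER_CLAIMED_ID,
            "openid.identity": "https://dmeranda.pip.verisignlabs.com/"}
YAHOO = {"openid.op_endpoint": "https://open.login.yahooapis.com/openid/op/auth",
         "openid.claimed_id": USER_CLAIMED_ID,
         "openid.identity": "https://me.yahoo.com/a/PLACEHOLDER-DIRECTED-ID"}
GOOGLE = {"openid.op_endpoint": "https://www.google.com/accounts/o8/ud",
          "openid.claimed_id": "https://www.google.com/accounts/o8/id?id=PLACEHOLDER",
          "openid.identity": "https://www.google.com/accounts/o8/id?id=PLACEHOLDER"}

if __name__ == "__main__":
    for name, a in (("Verisign", VERISIGN), ("Yahoo!", YAHOO), ("Google", GOOGLE)):
        print(f"{name}: {verify_assertion(XRDS, USER_CLAIMED_ID, a)}")
```

The Verisign assertion passes because the returned identity equals the LocalID delegated in the XRDS; the Yahoo! assertion is rejected because the XRDS delegates to http://yahoo.com/ while the OP asserts a per-user directed identity; and the Google assertion never reaches the comparison at all because the OP substituted its own URL as the claimed identifier, so the RP would discover that URL rather than the user's own domain.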


