[OpenID] Problems with delegation and directed identity OPs
Peter Watkins
peterw at tux.org
Thu Nov 6 17:51:20 UTC 2008
On Thu, Nov 06, 2008 at 11:59:07AM -0500, Deron Meranda wrote:
> <!-- **** VERISIGN **** -->
> <Service priority="2">
> <Type>http://specs.openid.net/auth/2.0/signon</Type>
> <URI>https://pip.verisignlabs.com/server</URI>
> <LocalID>https://dmeranda.pip.verisignlabs.com/</LocalID>
> </Service>
>
> <!-- **** YAHOO! **** -->
> <Service priority="3">
> <Type>http://specs.openid.net/auth/2.0/signon</Type>
> <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
> <LocalID>http://yahoo.com/</LocalID>
> </Service>
> Verisign: Works. My RP gets a success with:
> openid.claimed_id = 'http://deron.meranda.us/'
> openid.identity = 'https://dmeranda.pip.verisignlabs.com/'
>
> Yahoo!: Almost works; Yahoo! let me pick which ID to use and returns
> success with
> openid.claimed_id = 'http://deron.meranda.us/'
> openid.identity = 'https://me.yahoo.com/a/3Uz4wakJ.....etc.....'
> but then the RP fails while validating the response
> "OpenID authentication failure: No matching endpoint found after
> discovering http://deron.meranda.us/"
> So how do I get OPs like Yahoo! and Google to delegate in the same way
> that Verisign does?
With PIP, the OP is certifying an identity that matches your XRDS, which
seems really straightforward. With Yahoo!, have you tried setting the
LocalID to "https://me.yahoo.com/a/3Uz4wakJ.....etc....."?
I haven't read the spec in a while, but I would expect RP consumers to
only accept identifiers that match what's in the XRDS. After all, you
don't want me to claim "http://deron.meranda.us/", have the RP send me
to Yahoo for authentication, and then accept
"https://me.yahoo.com/z/someOtherString" as being valid for you.
The per-RP business sounds a little tricky. You could dynamically generate
your XRDS and populate the LocalID differently for each RP, if you're
able to infer the RP identity from the IP address of the system attempting
discovery. With Yahoo that'd be overkill. If you want to use Yahoo as
an OP vouching for your own domain, you'd pick one Yahoo OpenID identifier
and embed that in the XRDS -- and in that case, I believe the Yahoo OP
will use that identifier rather than ask you to choose (but you could still
use Yahoo to provide alternate URLs from time to time, even for the same
RPs you use your normal Yahoo deron.meranda.us ID for, if you asked an RP
to use https://me.yahoo.com instead of http://deron.meranda.us/). For Google,
RP inference & dynamic XRDS generation might be necessary if Google refuses
to return the same identity to different RPs. I haven't read their spec at
all (I'm waiting until they open up the service such that I don't have to ask
our general counsel to review any "agreement"), but can you not find the
identity that Google uses for one RP, and use that instead of the
/accounts/o8/id URL to get Google to use the same ID for different RPs?
-Peter
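The check Peter describes, the RP only accepting an OP-asserted identifier that matches the LocalID published in the claimed identifier's XRDS, as an added example that is not code from this thread or from any OpenID library. The XRDS document is constructed to mirror the two Service elements Deron posted; the surrounding XRDS/XRD wrapper elements and the assertion values passed in are assumptions based on the messages quoted above.

```python
"""Relying-party side of OpenID 2.0 assertion verification: after the OP
returns a positive assertion, re-run discovery on openid.claimed_id and
accept the response only if some discovered signon endpoint has both the
asserted openid.op_endpoint and the asserted openid.identity (LocalID).
Added example; not code from the thread or from any OpenID library."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"

# Constructed XRDS for the claimed identifier, mirroring the Service
# elements quoted in the thread; the XRDS/XRD wrapper is assumed.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <!-- **** VERISIGN **** -->
    <Service priority="2">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://pip.verisignlabs.com/server</URI>
      <LocalID>https://dmeranda.pip.verisignlabs.com/</LocalID>
    </Service>
    <!-- **** YAHOO! **** -->
    <Service priority="3">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
      <LocalID>http://yahoo.com/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def discover_endpoints(xrds_text):
    """Return the OpenID 2.0 signon endpoints in an XRDS document as
    (op_endpoint, local_id) pairs, lowest priority value first."""
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text]
        if SIGNON_TYPE not in types:
            continue  # not an OpenID 2.0 signon service
        uri = svc.findtext("{%s}URI" % XRD_NS)
        local_id = svc.findtext("{%s}LocalID" % XRD_NS)
        if not uri:
            continue
        # A Service with no priority attribute sorts after all others.
        prio = int(svc.get("priority", "2147483647"))
        found.append((prio, uri.strip(), local_id.strip() if local_id else None))
    found.sort(key=lambda f: f[0])
    return [(uri, local_id) for _, uri, local_id in found]


def verify_assertion(xrds_text, claimed_id, op_endpoint, identity):
    """Check an OP's positive assertion against the discovered XRDS.

    xrds_text   - XRDS fetched by re-discovering claimed_id
    claimed_id  - openid.claimed_id from the response
    op_endpoint - openid.op_endpoint from the response
    identity    - openid.identity (OP-Local Identifier) from the response
    Returns (ok, reason).
    """
    for uri, local_id in discover_endpoints(xrds_text):
        if uri != op_endpoint:
            continue  # assertion came from a different OP than this Service
        # With no LocalID in the XRDS, the OP-Local Identifier is the claimed id.
        expected = local_id or claimed_id
        if expected == identity:
            return True, "endpoint %s vouches for %s" % (uri, identity)
    return False, "No matching endpoint found after discovering %s" % claimed_id


if __name__ == "__main__":
    claimed = "http://deron.meranda.us/"
    # Verisign PIP: identity equals the published LocalID, so it is accepted.
    print(verify_assertion(SAMPLE_XRDS, claimed,
                           "https://pip.verisignlabs.com/server",
                           "https://dmeranda.pip.verisignlabs.com/"))
    # Yahoo!: the OP-chosen identifier is not the LocalID in the XRDS,
    # so the RP rejects it, which is the failure reported in the thread.
    print(verify_assertion(SAMPLE_XRDS, claimed,
                           "https://open.login.yahooapis.com/openid/op/auth",
                           "https://me.yahoo.com/a/3Uz4wakJ.....etc....."))
```

The same check is what stops a third party from claiming `http://deron.meranda.us/`, authenticating at Yahoo as themselves, and having the RP accept `https://me.yahoo.com/z/someOtherString` for that claimed identifier: the asserted identity never appears as a LocalID under the Yahoo endpoint in Deron's XRDS, so the assertion is refused.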