[OpenID] Problems with delegation and directed identity OPs
Breno de Medeiros
breno at google.com
Thu Nov 6 18:01:57 UTC 2008
Note: Google has removed the white-list requirement for over a week
now. We assert per-RP URLs so your other comments are accurate.
On Thu, Nov 6, 2008 at 9:51 AM, Peter Watkins <peterw at tux.org> wrote:
> On Thu, Nov 06, 2008 at 11:59:07AM -0500, Deron Meranda wrote:
>
>> <!-- **** VERISIGN **** -->
>> <Service priority="2">
>> <Type>http://specs.openid.net/auth/2.0/signon</Type>
>> <URI>https://pip.verisignlabs.com/server</URI>
>> <LocalID>https://dmeranda.pip.verisignlabs.com/</LocalID>
>> </Service>
>>
>> <!-- **** YAHOO! **** -->
>> <Service priority="3">
>> <Type>http://specs.openid.net/auth/2.0/signon</Type>
>> <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
>> <LocalID>http://yahoo.com/</LocalID>
>> </Service>
>
>> Verisign: Works. My RP gets a success with:
>> openid.claimed_id = 'http://deron.meranda.us/'
>> openid.identity = 'https://dmeranda.pip.verisignlabs.com/'
>>
>> Yahoo!: Almost works; Yahoo! let me pick which ID to use and returns
>> success with
>> openid.claimed_id = 'http://deron.meranda.us/'
>> openid.identity = 'https://me.yahoo.com/a/3Uz4wakJ.....etc.....'
>> but then the RP fails while validating the response
>> "OpenID authentication failure: No matching endpoint found after
>> discovering http://deron.meranda.us/"
>
>> So how do I get OPs like Yahoo! and Google to delegate in the same way
>> that Verisign does?
>
> With PIP, the OP is certifying an identity that matches your XRDS, which
> seems really straightforward. With Yahoo!, have you tried setting the
> LocalID to "https://me.yahoo.com/a/3Uz4wakJ.....etc....."?
>
> I haven't read the spec in a while, but I would expect RP consumers to
> only accept identifiers that match what's in the XRDS. After all, you
> don't want me to claim "http://deron.meranda.us/", have the RP send me
> to Yahoo for authentication, and then accept
> "https://me.yahoo.com/z/someOtherString" as being valid for you.
>
> The per-RP business sounds a little tricky. You could dynamically generate
> your XRDS and populate the LocalID differently for each RP, if you're
> able to infer the RP identity from the IP address of the system attempting
> discovery. With Yahoo that'd be overkill. If you want to use Yahoo as
> an OP vouching for your own domain, you'd pick one Yahoo OpenID identifier
> and embed that in the XRDS -- and in that case, I believe the Yahoo OP
> will use that identifier rather than ask you to choose (but you could still
> use Yahoo to provide alternate URLs from time-to-time, even for the same
> RPs you use your normal Yahoo deron.meranda.us ID for, if you asked an RP
> to use https://me.yahoo.com instead of http://deron.meranda.us/). For Google,
> RP inference & dynamic XRDS generation might be necessary if Google refuses
> to return the same identity to different RPs. I haven't read their spec at
> all (I'm waiting til they open up the service such that I don't have to ask
> our general counsel to review any "agreement"), but can you not find the
> identity that Google uses for one RP, and use that instead of the
> /accounts/o8/id URL to get Google to use the same ID for different RPs?
>
> -Peter
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
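The RP-side check Peter describes (only accept an assertion whose OP endpoint and OP-Local Identifier were actually discovered from the claimed identifier) as an added example, not code from the thread or from any OpenID library. It assumes the two Service entries Deron quoted, wrapped in a constructed XRDS envelope, and shows why the Verisign assertion passes while a Yahoo assertion for a me.yahoo.com identifier fails with "No matching endpoint found":

```python
import xml.etree.ElementTree as ET

# Constructed XRDS document: the two <Service> entries quoted in the thread,
# placed in the XRDS/XRD envelope and namespaces a served document carries.
XRDS_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="2">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://pip.verisignlabs.com/server</URI>
      <LocalID>https://dmeranda.pip.verisignlabs.com/</LocalID>
    </Service>
    <Service priority="3">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
      <LocalID>http://yahoo.com/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""

XRD_NS = "xri://$xrd*($v*2.0)"
SIGNON = "http://specs.openid.net/auth/2.0/signon"


def discover_endpoints(xrds_xml, claimed_id):
    """Return the (op_endpoint, local_id) pairs discovered from an XRDS document.

    A signon <Service> without <LocalID> asserts the claimed identifier itself.
    """
    root = ET.fromstring(xrds_xml)
    found = []
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = [(t.text or "").strip() for t in svc.findall("{%s}Type" % XRD_NS)]
        if SIGNON not in types:
            continue
        local = svc.find("{%s}LocalID" % XRD_NS)
        local_id = (local.text or "").strip() if local is not None else claimed_id
        for uri in svc.findall("{%s}URI" % XRD_NS):
            found.append(((uri.text or "").strip(), local_id))
    return found


def response_matches_discovery(xrds_xml, claimed_id, op_endpoint, identity):
    """The verification step behind 'No matching endpoint found': the asserted
    (op_endpoint, identity) pair must equal one discovered from claimed_id,
    so an OP cannot vouch for a LocalID the user never delegated to.
    """
    return (op_endpoint, identity) in discover_endpoints(xrds_xml, claimed_id)
```

A real RP also verifies the signature and nonce with the OP; this block only covers the discovery match that failed in the Yahoo case.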