[OpenID] Problems with delegation and directed identity OPs

Dirk Balfanz balfanz at google.com
Mon Nov 10 06:34:36 UTC 2008


On Fri, Nov 7, 2008 at 11:57 PM, Martin Atkins <mart at degeneration.co.uk> wrote:

> Allen Tom wrote:
> > How does someone delegate their OpenID URL to Google?
> >
> > Putting following into the <head> section of the OpenID page:
> >
> > <link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud" />
> >
> > seems to allow *any* user with a Google account to sign in with the
> > delegated OpenID.
> >
>
> I'm not sure I'm completely understanding the situation you're
> describing, but unless the openid.identity in the returned assertion
> matches the value of openid2.local_id discovered from openid.claimed_id,
> the RP should fail because the delegation is invalid.
>
> If you just put in the openid2.provider value and no openid2.local_id,
> then you're effectively giving Google's OP carte blanche to make
> assertions about that identifier, though I'm not sure why they would
> make assertions about URLs outside of their own domain.
>

The way I read the spec, omitting local_id in the <head> section means that
the RP's library must set it to be equal to the claimed id in their request
(Section 9.1: "If a different OP-Local Identifier is not specified, the
claimed identifier MUST be used as the value for openid.identity."). Of
course, your claimed id is whatever URL you're delegating from, which is not
a valid op-local id at Google.

Dirk.


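The check both replies describe (discover openid2.provider and openid2.local_id from the claimed identifier's page, fall back to the claimed identifier when local_id is absent, then refuse an assertion whose openid.identity does not match) in code, as an added example that is not part of this thread or of any OpenID library. It implements the HTML-based discovery of OpenID 2.0 section 7.3.3, the section 9.1 fallback quoted above, and the endpoint/identity comparison of section 11.2; it does not verify the signature or the nonce, which a real RP must also do. The two sample pages and the assertion dictionaries are constructed for the example, and `https://alice.example/` and the `id=EXAMPLE-PLACEHOLDER` identifier are placeholders, not real identifiers.

```python
import html.parser


class _LinkCollector(html.parser.HTMLParser):
    """Collect <link rel="..." href="..."> elements from the <head> of a page."""

    def __init__(self):
        super().__init__()
        self.links = {}  # rel token -> href (first occurrence wins, per spec)

    def handle_starttag(self, tag, attrs):
        # html.parser routes self-closing <link ... /> here via handle_startendtag.
        if tag != "link":
            return
        attr = dict(attrs)
        href = attr.get("href")
        if not href:
            return
        for rel in (attr.get("rel") or "").split():
            self.links.setdefault(rel.lower(), href)


def discover(claimed_id, page_html):
    """HTML-based discovery (OpenID 2.0 section 7.3.3).

    Returns (op_endpoint, op_local_id). When openid2.local_id is missing, the
    claimed identifier itself is the OP-Local Identifier (section 9.1).
    """
    collector = _LinkCollector()
    collector.feed(page_html)
    op_endpoint = collector.links.get("openid2.provider")
    if op_endpoint is None:
        raise ValueError("no openid2.provider link found on the claimed identifier page")
    op_local_id = collector.links.get("openid2.local_id", claimed_id)
    return op_endpoint, op_local_id


def verify_assertion(claimed_id, page_html, assertion):
    """Compare a positive assertion against discovered data (section 11.2).

    Returns (ok, reason). Signature and nonce verification are out of scope here.
    """
    op_endpoint, op_local_id = discover(claimed_id, page_html)
    if assertion.get("openid.claimed_id") != claimed_id:
        return False, "openid.claimed_id is not the identifier the user entered"
    if assertion.get("openid.op_endpoint") != op_endpoint:
        return False, "openid.op_endpoint does not match the discovered openid2.provider"
    if assertion.get("openid.identity") != op_local_id:
        # This is the case from the thread: with no local_id on the page, the
        # only acceptable openid.identity is the claimed identifier itself.
        return False, "openid.identity does not match the discovered OP-Local Identifier"
    return True, "assertion matches discovered information"


# Constructed sample data (placeholders, not real identifiers).
CLAIMED_ID = "https://alice.example/"
GOOGLE_ENDPOINT = "https://www.google.com/accounts/o8/ud"
GOOGLE_LOCAL_ID = "https://www.google.com/accounts/o8/id?id=EXAMPLE-PLACEHOLDER"

PAGE_WITHOUT_LOCAL_ID = (
    '<html><head>'
    f'<link rel="openid2.provider" href="{GOOGLE_ENDPOINT}" />'
    '</head><body></body></html>'
)
PAGE_WITH_LOCAL_ID = (
    '<html><head>'
    f'<link rel="openid2.provider" href="{GOOGLE_ENDPOINT}" />'
    f'<link rel="openid2.local_id" href="{GOOGLE_LOCAL_ID}" />'
    '</head><body></body></html>'
)

# What the OP would send back for a Google account holder (constructed).
ASSERTION_FROM_GOOGLE = {
    "openid.claimed_id": CLAIMED_ID,
    "openid.op_endpoint": GOOGLE_ENDPOINT,
    "openid.identity": GOOGLE_LOCAL_ID,
}


def demo():
    """Run both cases; returns the two (ok, reason) results."""
    without = verify_assertion(CLAIMED_ID, PAGE_WITHOUT_LOCAL_ID, ASSERTION_FROM_GOOGLE)
    with_id = verify_assertion(CLAIMED_ID, PAGE_WITH_LOCAL_ID, ASSERTION_FROM_GOOGLE)
    return without, with_id


if __name__ == "__main__":
    for label, result in zip(("no local_id", "with local_id"), demo()):
        print(f"{label}: {result}")
```

With only openid2.provider on the page, `discover` yields the claimed URL as the OP-Local Identifier, so any assertion carrying a Google-issued openid.identity is rejected; adding a matching openid2.local_id is what binds the delegation to one specific account.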