[OpenID] Problems with delegation and directed identity OPs
Martin Atkins
mart at degeneration.co.uk
Mon Nov 10 08:21:16 UTC 2008
Deron Meranda wrote:
>
> It is only when openid.identity is NOT identifier_select and also
> not one of the logged-in user's identities that Yahoo will effectively
> "ignore" it (effectively treating it as if it were identifier_select).
> I believe this is legal. The RP is then responsible for performing
> additional discovery on the returned identity before it trusts it though.
>
Indeed. It is this case that we're discussing. In Allen's example, he is
effectively presenting a non-Google identifier to Google. He could also
have been presenting a non-Yahoo! identifier to Yahoo! and achieved the
same result. However, this would not have worked on, for example,
LiveJournal.
>
>> Arguably in both cases here the OP should fail and say that it can't
>> make an assertion for the given identifier rather than sending back an
>> assertion for a completely unrelated identifier. (i.e. "answering the
>> wrong question".)
>
> I'm not sure that the OP *MUST* fail, although it certainly *MAY*.
> If the OP wants to send back a different identity then isn't it allowed
> to? It is the responsibility of the RP to ultimately decide whether it
> likes the answer.
>
Again, indeed. The spec allows this if you consider the response to be
an "unsolicited positive assertion" aka "answering a question that
wasn't asked". The spec allows it, but it's arguable whether this is
useful behavior, and as we've seen it creates some confusion in the
delegation case and in the case in Allen's example which I don't yet
have a clever name for. (any suggestions? :) )
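The RP-side handling that both posts describe (an OP answering with an identifier other than the one asked about, and the RP re-running discovery on the returned identifier before trusting it), as an added example that is not from this thread or from any OpenID library. Discovery is injected as a constructed lookup table so it runs offline; signature and nonce verification are assumed to happen elsewhere.

```python
from dataclasses import dataclass

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

@dataclass(frozen=True)
class DiscoveryInfo:
    claimed_id: str
    op_endpoint: str
    op_local_id: str  # the delegate / LocalID; equals claimed_id when not delegating

def verify_assertion(requested_identity, response, discover):
    """Return (accepted, reason) for a positive OpenID 2.0 assertion.

    requested_identity: the openid.identity the RP sent (or identifier_select).
    response: dict of the assertion's openid.* fields.
    discover: callable claimed_id -> DiscoveryInfo or None (assumed helper).
    """
    claimed_id = response.get("openid.claimed_id")
    identity = response.get("openid.identity")
    op_endpoint = response.get("openid.op_endpoint")
    if not (claimed_id and identity and op_endpoint):
        return False, "missing claimed_id/identity/op_endpoint"
    note = ""
    if requested_identity != IDENTIFIER_SELECT and identity != requested_identity:
        # The OP answered a question that was not asked. Treat it like an
        # unsolicited assertion: trust only fresh discovery on the returned id.
        note = "OP returned a different identifier than requested; "
    info = discover(claimed_id)
    if info is None:
        return False, note + "discovery failed for returned claimed_id"
    if info.op_endpoint != op_endpoint:
        # An OP may only assert identifiers whose discovery names that OP.
        return False, note + "op_endpoint not authoritative for claimed_id"
    if info.op_local_id != identity:
        return False, note + "openid.identity does not match discovered LocalID"
    return True, note + "accepted after discovery"

# Constructed discovery table standing in for Yadis/HTML discovery.
FAKE_DISCOVERY = {
    "https://alice.example.net/": DiscoveryInfo("https://alice.example.net/",
        "https://op.example.com/server", "https://op.example.com/id/alice"),
    "https://bob.example.org/": DiscoveryInfo("https://bob.example.org/",
        "https://other-op.example/server", "https://bob.example.org/"),
    "https://op.example.com/id/carol": DiscoveryInfo("https://op.example.com/id/carol",
        "https://op.example.com/server", "https://op.example.com/id/carol"),
}

def fake_discover(claimed_id):
    return FAKE_DISCOVERY.get(claimed_id)
```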