[OpenID] Combining Google & Yahoo user experience research

Johnny Bufu johnny.bufu at gmail.com
Tue Oct 21 08:59:00 UTC 2008


On 14/10/08 03:14 PM, Martin Atkins wrote:
> I think the "resolve an email address to an XRDS document" step is the 
> hard part.
[...]
>   * Do XRDS discovery at a URL formed by taking the email address domain 
> and adding "http://" to the start and "/" to the end. This requires that 
> whatever's declared in the XRDS file be able to map the username part 
> onto a URL 

Why is this part required at all, given the (mandatory support for) 
OP-Identifiers in v2?


RPs can, using no more than OpenID 2.0, perform OpenID discovery on 
http(s)://user@example.com/ and obtain an OP-Identifier, e.g. 
https://example.com/op/. (RPs really don't need a user-specific 
identifier at request time.)

It is then trivial for the OP to figure out the username / identifier 
*post* authentication.

In effect:
a) RPs don't need to care about email-to-URL translation
b) OPs can translate emails to URLs as each of them sees fit
c) email-to-URL translation doesn't even need to be specified or 
standardized (not for OpenID, anyhow)
d) users can have their browser fill in their OP credentials and 
complete authentication

> which has not yet been handled. It also requires all email 
> domains to have HTTP servers associated with them and hard-codes the 
> root path. 

Yes, but why is this a (big) issue? If they are email providers for the 
main domain, it should be fairly easy to configure discovery at the 
domain root. And HTTP/XRDS seem to be the overall preferred choices for 
discovery.

> It also does not allow for the use of HTTPS. 

There's no stopping users from entering https://user@example.com/; not 
very friendly, but not any less friendly than with any other HTTP(s) 
identifier either. (The OP-Endpoint and claimed identifier can be HTTPS, 
of course.)


Johnny
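The RP-side flow Johnny describes (email-style identifier, domain-root discovery, OP-Identifier, identifier_select request), as an added example that is not part of the original thread. The XRDS document for example.com is constructed for the example; the service type and identifier_select URIs are the OpenID 2.0 ones.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# OpenID 2.0 URIs: the OP-Identifier service type and the "let the OP pick" identifier.
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
XRD_NS = "{xri://$xrd*($v*2.0)}"

# Constructed sample: what http://example.com/ would serve for domain-level discovery.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://example.com/op/</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

def discovery_url_for_identifier(ident):
    """Map 'user@example.com' or 'https://user@example.com/' to the domain-root
    discovery URL. The user part is dropped: the RP never needs it, and it must not
    be sent to the domain. A bare email defaults to http:// (the quoted proposal);
    an explicit https:// prefix is kept (the reply's point)."""
    if "://" in ident:
        parts = urllib.parse.urlsplit(ident)
        scheme = parts.scheme
        user, sep, host = parts.netloc.rpartition("@")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError("discovery is only defined at the domain root")
    else:
        scheme = "http"
        user, sep, host = ident.rpartition("@")
    if scheme not in ("http", "https") or not sep or not user or not host or "/" in host:
        raise ValueError("not an email-style identifier: %r" % ident)
    return "%s://%s/" % (scheme, host.lower())

def op_identifier_from_xrds(xrds_text):
    """Return the OP Endpoint URL of the first OpenID 2.0 OP-Identifier service, or None."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter(XRD_NS + "Service"):
        types = [c.text.strip() for c in svc if c.tag == XRD_NS + "Type" and c.text]
        uris = [c.text.strip() for c in svc if c.tag == XRD_NS + "URI" and c.text]
        if OPENID2_SERVER in types and uris:
            return uris[0]
    return None

def build_checkid_params(return_to, realm):
    """Request parameters when only an OP-Identifier is known: both identity fields are
    identifier_select, so the OP chooses the user's identifier after authentication."""
    return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "checkid_setup",
            "openid.claimed_id": IDENTIFIER_SELECT, "openid.identity": IDENTIFIER_SELECT,
            "openid.return_to": return_to, "openid.realm": realm}
```

This covers only the request side: once the OP returns a claimed_id in its positive assertion, the RP still has to run discovery on that value and confirm it names the same OP endpoint before accepting it (OpenID 2.0, section 11.2).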
