[OpenID] Combining Google & Yahoo user experience research
Johnny Bufu
johnny.bufu at gmail.com
Tue Oct 21 08:59:00 UTC 2008
On 14/10/08 03:14 PM, Martin Atkins wrote:
> I think the "resolve an email address to an XRDS document" step is the
> hard part.
[...]
> * Do XRDS discovery at a URL formed by taking the email address domain
> and adding "http://" to the start and "/" to the end. This requires that
> whatever's declared in the XRDS file be able to map the username part
> onto a URL
Why is this part required at all, given the (mandatory support for)
OP-Identifiers in v2?
RPs can, using no more than OpenID 2.0, perform OpenID discovery on
http(s)://user@example.com/ and obtain an OP-Identifier, e.g.
https://example.com/op/. (RPs really don't need a user-specific
identifier at request time.)
It is then trivial for the OP to figure out the username / identifier
*post* authentication.
In effect:
a) RPs don't need to care about email-to-URL translation
b) OPs can translate emails to URLs as each of them sees fit
c) email-to-URL translation doesn't even need to be specified or
standardized (not for OpenID, anyhow)
d) users can have their browser fill in their OP credentials and
complete authentication
> which has not yet been handled. It also requires all email
> domains to have HTTP servers associated with them and hard-codes the
> root path.
Yes, but why is this a (big) issue? If they are email providers for the
main domain, it should be fairly easy to configure discovery at the
domain root. And HTTP/XRDS seem to be the overall preferred choices for
discovery.
> It also does not allow for the use of HTTPS.
There's no stopping users from entering https://user@example.com/; not
very friendly, but not any less friendly than with any other HTTP(s)
identifier either. (The OP-Endpoint and claimed identifier can be HTTPS,
of course.)
Johnny
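As an added example that is not part of the thread, this Python sketch shows the RP side of the flow Johnny describes: form the domain-root discovery URL from the email address, pick the OP-Identifier ("server") service out of the XRDS, and send identifier_select so the OP, not the RP, maps the user to a URL after authentication. The XRDS document, the example.com endpoints and the function names are constructed for illustration.

```python
# Added example, not from the thread: an RP resolving the *domain* of an email
# address to an OpenID 2.0 OP-Identifier. The HTTP fetch is replaced by a
# constructed XRDS document that example.com might serve at its root ("/").
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://backup.example.com/op/</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://example.com/op/</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

def discovery_url(email, scheme="http"):
    """Martin's rule: scheme + email domain + '/'. The local part is dropped; the RP never needs it."""
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain) or "/" in domain:
        raise ValueError("not an email address: %r" % email)
    return "%s://%s/" % (scheme, domain.lower())

def op_endpoints(xrds_text):
    """OP endpoint URIs of the 'server' (OP-Identifier) services, lowest priority value first."""
    found = []
    for svc in ET.fromstring(xrds_text).iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text]
        if OP_IDENTIFIER_TYPE not in types:
            continue
        prio = int(svc.get("priority", "2147483647"))
        found += [(prio, u.text.strip()) for u in svc.findall("{%s}URI" % XRD_NS) if u.text]
    return [u for _, u in sorted(found)]

def start_auth_request(email, xrds_text):
    """Parameters an RP sends after OP-Identifier discovery: both identifiers are
    identifier_select, so the OP maps the authenticated user to a URL post-login."""
    endpoints = op_endpoints(xrds_text)
    if not endpoints:
        raise LookupError("no OP-Identifier service at " + discovery_url(email))
    return {"op_endpoint": endpoints[0], "openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "checkid_setup", "openid.claimed_id": IDENTIFIER_SELECT,
            "openid.identity": IDENTIFIER_SELECT}
```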