[OpenID] Too many providers... and here's one reason

Eran Hammer-Lahav eran at hueniverse.com
Tue Sep 16 00:12:26 UTC 2008


This is like applying affirmative action to cooking. "This cake calls for two spoons of sugar but we don't have enough people using lard in cakes, so I am going to use it instead..."

Looks like they want to use OpenID as an assertion verification protocol, allowing them to confirm that a given user is in fact a member of their organization. If all they want to do is assert the claim, they can use both OAuth and OpenID, each with a different set of extra features. If they use OpenID, a side-effect of this will turn them into an Identity Provider, but if this is not their intention, they should not use that identifier internally, but instead accept OpenID.

In other words, they should be an OP for assertion verification, and RP for site login.

EHL


On 9/15/08 4:45 PM, "Andrew Arnott" <andrewarnott at gmail.com> wrote:

I just spoke with an organization that wants to become a Provider so that other RP web sites can specifically tell if the logging in user is a member of this organization by whether their OpenID Identifier was asserted by that org's OP.

Ideally, I'd like this org to choose to be an RP instead of an OP because there are already too many OPs out there and not enough RPs, IMO.

How can an RP accept an OpenID Identifier from arbitrary OPs, but at each login determine whether the Identifier represents a user who belongs to a particular Organization? Basically the Organization needs to send an assertion about the Identifier's membership, but only be willing to do so if that identifier is confirmed as having logged in successfully to that RP. This would be easy to do if that Org was an OP, but I'm trying to reduce the number of reasons to be an OP.
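As an added illustration (not code from either poster), here is a hypothetical model of the split Eran suggests: the RP keeps accepting logins from any OP, and the Organization acts only as an assertion verifier that answers "is this identifier one of ours?" for identifiers the RP proves it has just authenticated. The signatures are HMACs over shared secrets standing in for OpenID's association/signature mechanism, the 300-second freshness window, the `login proof` message shape, and all URLs and member lists are assumptions constructed for the demo.

```python
"""Hypothetical model: an RP that accepts arbitrary OpenID identifiers and an
Organization that signs membership assertions only for identifiers the RP has
already authenticated.  HMAC over shared secrets stands in for OpenID's
association/signature mechanism.  All names and values are constructed."""
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_SECONDS = 300  # assumption: how long a login proof or assertion stays usable


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so both sides sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, payload: dict) -> str:
    body = {k: v for k, v in payload.items() if k != "sig"}
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def _verify(key: bytes, payload: dict) -> bool:
    return hmac.compare_digest(payload.get("sig", ""), _sign(key, payload))


class Organization:
    """Knows its member identifiers.  Signs a membership assertion only when shown a
    fresh, RP-signed proof that the identifier logged in at that RP, so membership
    cannot be probed for identifiers that never authenticated there."""

    def __init__(self, members: set, rp_key: bytes, org_key: bytes):
        self.members = members
        self.rp_key = rp_key      # checks proofs coming from the RP
        self.org_key = org_key    # signs assertions going back to the RP

    def membership_assertion(self, rp_url: str, login_proof: dict) -> dict:
        if not _verify(self.rp_key, login_proof):
            raise ValueError("login proof signature invalid")
        if login_proof["rp"] != rp_url:
            raise ValueError("login proof was issued for a different RP")
        if time.time() - login_proof["ts"] > MAX_AGE_SECONDS:
            raise ValueError("login proof expired")
        assertion = {
            "identifier": login_proof["identifier"],
            "rp": rp_url,
            "nonce": login_proof["nonce"],   # binds the answer to this one login
            "member": login_proof["identifier"] in self.members,
            "ts": int(time.time()),
        }
        assertion["sig"] = _sign(self.org_key, assertion)
        return assertion


class RelyingParty:
    """Accepts any OpenID identifier (verification with the user's own OP happens in
    the normal OpenID flow, not modelled here), then asks the Organization whether
    that identifier is a member."""

    def __init__(self, url: str, org: Organization, rp_key: bytes, org_key: bytes):
        self.url = url
        self.org = org
        self.rp_key = rp_key
        self.org_key = org_key

    def record_verified_login(self, identifier: str) -> dict:
        """Call only after the OpenID assertion from the user's OP has been verified."""
        proof = {
            "rp": self.url,
            "identifier": identifier,
            "nonce": secrets.token_hex(8),
            "ts": int(time.time()),
        }
        proof["sig"] = _sign(self.rp_key, proof)
        return proof

    def is_org_member(self, identifier: str, login_proof: dict) -> bool:
        assertion = self.org.membership_assertion(self.url, login_proof)
        if not _verify(self.org_key, assertion):
            raise ValueError("assertion signature invalid")
        if (assertion["identifier"], assertion["rp"], assertion["nonce"]) != (
                identifier, self.url, login_proof["nonce"]):
            raise ValueError("assertion does not match this login")
        if time.time() - assertion["ts"] > MAX_AGE_SECONDS:
            raise ValueError("assertion expired")
        return assertion["member"]


def build_demo():
    """Constructed demo setup: one member identifier, one RP, fresh random keys."""
    rp_key, org_key = secrets.token_bytes(32), secrets.token_bytes(32)
    org = Organization({"https://alice.openid.example/"}, rp_key, org_key)
    rp = RelyingParty("https://rp.example/", org, rp_key, org_key)
    return rp, org


if __name__ == "__main__":
    rp, org = build_demo()
    proof = rp.record_verified_login("https://alice.openid.example/")
    print("alice member:", rp.is_org_member("https://alice.openid.example/", proof))
    proof = rp.record_verified_login("https://mallory.example/")
    print("mallory member:", rp.is_org_member("https://mallory.example/", proof))
```

The two checks that matter are on the Organization side: it refuses to answer unless the proof is signed by the RP, names that RP, and is fresh, and it echoes the RP's nonce so the RP can tie the answer to the login it just completed rather than to any earlier one.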


