[OpenID] is it true?

John Bradley john.bradley at wingaa.com
Wed Aug 26 13:13:33 UTC 2009


Yes,

The OP receives the canonicalID from the XRDS as the
openid.claimed_id and the LocalID as the openid.identity. The user
input is not passed.

This also happens with URL identifiers and delegation if there are  
http redirects involved.

I have argued in the past that the two fields we have in OpenID 2.0
are problematic for identifiers other than URL and even for them not
always sufficient.

Don't quite know where you are going with this, but it is a known
issue.

John B.
On 26-Aug-09, at 12:43 AM, openid-general-request at lists.openid.net  
wrote:

> Date: Tue, 25 Aug 2009 21:10:00 -0700
> From: Peter Williams <pwilliams at rapattoni.com>
> Subject: [OpenID] is it true?
> To: "openid-general at lists.openid.net"
> 	<openid-general at lists.openid.net>
> Message-ID:
> 	<BFBC0F17A99938458360C863B716FE463DCDF238FD at simmbox01.rapnt.com>
> Content-Type: text/plain; charset="us-ascii"
>
> User types "@blog*lockbox" at RP
>
> Discovery determines that XRD.canonicalid is !1234, and the XRD.SEP  
> has local-id=homepw.myopenid.com
>
> This form of SEP implies that the user desires openid2-style
> openid-delegation
>
> On receiving a request in which cid=!1234 and  
> identifier=homepw.myopenid.com, the OP ONLY responds IF it does a  
> discovery on !1234, validates that cid-verification=true (and sees  
> that there exists SEP.local-id == request.openid.identity).
>
> Is it true that the OP does NOT know that the user typed  
> @blog*lockbox at the RP?
>
>
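
The behaviour discussed in this thread, as an added example that is not part of the original messages: a sketch of how an RP assembles the OpenID 2.0 `checkid_setup` request from discovery output, for both the XRI case and the URL-with-redirect-and-delegation case. The endpoint, `return_to`, realm and URL identifiers are constructed sample values, and the function names are hypothetical.

```python
from urllib.parse import urlencode, urlparse, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"

def build_auth_request(op_endpoint, claimed_id, local_id, return_to, realm):
    """Build the checkid_setup redirect URL from discovery output only."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        # With delegation the OP-local identifier is sent as openid.identity;
        # without it, openid.identity equals the claimed identifier.
        "openid.identity": local_id or claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if urlparse(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)

def op_view(request_url):
    """The parameters the OP can read from the incoming request."""
    return {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}

# Constructed discovery results. The XRI values are the ones quoted in the
# thread; everything else is sample data.
CASES = {
    "xri": {"typed": "@blog*lockbox", "claimed_id": "!1234",
            "local_id": "homepw.myopenid.com"},
    # URL identifier: claimed_id is the URL reached after HTTP redirects,
    # local_id is the delegate named in the discovered document.
    "url": {"typed": "http://alice.example/",
            "claimed_id": "https://id.example.net/alice",
            "local_id": "https://op.example/users/alice"},
}

def run_cases():
    """Return, per case, the OP's view and whether the typed input reached it."""
    out = {}
    for name, c in CASES.items():
        url = build_auth_request("https://op.example/server", c["claimed_id"],
                                 c["local_id"], "https://rp.example/return",
                                 "https://rp.example/")
        view = op_view(url)
        leaked = any(c["typed"] in value for value in view.values())
        out[name] = {"view": view, "typed_input_seen_by_op": leaked}
    return out

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```
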
