[OpenID] Recommendation for future OpenID spec / test identifiers
Peter Watkins
peterw at tux.org
Wed Feb 11 15:38:00 UTC 2009
On Tue, Feb 10, 2009 at 04:03:52PM -0800, Andrew Arnott wrote:
> OpenID Providers should consider hosting the following OpenID Identifiers
> for which positive or negative assertions will always be immediately
> generated with no interaction with the user agent in order to provide RPs
> under test to programmatically check their compatibility with your Provider:
> http://provider/TestIdentifierAlwaysAssert (or
> http://TestIdentifierAlwaysAssert.provider/)
> http://provider/TestIdentifierAlwaysRefuse (or
> http://TestIdentifierAlwaysRefuse.provider/)
> http://provider/TestIdentifierAssertOnSetup (or
> http://TestIdentifierAssertOnSetup.provider/)
If I understand you correctly, that you expect those to be discoverable
URLs, I don't think that would work very well. Those suggestions make
assumptions about DNS and server configuration for the IdP/OP. None of
those fit our systems -- when/if we move from being just an RP that also
has "local" accounts to providing OP service for our local account holders,
we'll be using directed identity with identifiers that map back to our
OP application, like
https://apps.example.com/OurLogin/OpenID/id.aspx?id=TestIdentifierAlwaysAssert
I think a better model would be reserving certain keywords and treating
any identifier that *includes* that keyword anywhere in the URL (excluding
any # fragment!) as a test identifier, e.g.
Some possible "__oid2test__TestIdentifierAlwaysAssert" URLs/identifiers:
(http|https)://provider/__oid2test__TestIdentifierAlwaysAssert
(http|https)://provider/__oid2test__TestIdentifierAlwaysAssert/
(http|https)://provider/path/app.jsp?__oid2test__TestIdentifierAlwaysAssert
(http|https)://provider/path/app.aspx?u=__oid2test__TestIdentifierAlwaysAssert
(http|https)://__oid2test__TestIdentifierAlwaysAssert.provider/
Testing RPs should be able to send a claimed identifier that has a keyword
to the OP. The only expectation for the response should be that its identifier
(for cases like TestIdentifierAlwaysAssert that generate positive assertions)
would include the same keyword that was present in the RP request. If the
RP can figure out how to make a normal, non-directed discoverable URL with
a keyword that maps to an OP (https://me.yahoo.com/__oid2test__TestIdentifierAlwaysAssert ?), that'd be fine, too.
-Peter
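The keyword-matching scheme Peter proposes, written out as an added RP-side check (example code, not part of the original thread or any OpenID library): it ignores the `#` fragment, recognises the reserved keyword anywhere else in the URL, and verifies that the OP's asserted identifier carries the same keyword. The `__oid2test__` prefix and the three test names are taken from the post; treating the prefix as a fixed marker followed by the test name is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Reserved keyword prefix and test names from the proposal (assumed layout:
# fixed prefix immediately followed by one of the test names).
TEST_PREFIX = "__oid2test__"
KNOWN_TESTS = {
    "TestIdentifierAlwaysAssert",   # OP always answers with a positive assertion
    "TestIdentifierAlwaysRefuse",   # OP always answers negatively
    "TestIdentifierAssertOnSetup",  # OP asserts only in checkid_setup mode
}
_KEYWORD_RE = re.compile(re.escape(TEST_PREFIX) + r"([A-Za-z0-9]+)")


def strip_fragment(identifier: str) -> str:
    """Drop the '#fragment' part, which the proposal explicitly excludes."""
    parts = urlsplit(identifier)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def find_test_keyword(identifier: str):
    """Return the full keyword (prefix + test name) if the identifier is a
    recognised test identifier, else None.  The keyword may sit in the host,
    path or query (directed-identity style), never in the fragment."""
    match = _KEYWORD_RE.search(strip_fragment(identifier))
    if not match or match.group(1) not in KNOWN_TESTS:
        return None
    return match.group(0)


def response_matches_request(claimed_id: str, asserted_id: str) -> bool:
    """The only expectation placed on a positive response: the identifier the
    OP asserts must include the same keyword the RP sent in its request."""
    keyword = find_test_keyword(claimed_id)
    if keyword is None:
        return False  # not a test identifier; normal verification applies
    return keyword in strip_fragment(asserted_id)
```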