[OpenID] Recommendation for future OpenID spec / test identifiers

Andrew Arnott andrewarnott at gmail.com
Fri Feb 13 04:03:55 UTC 2009


I like your adjustment, Peter.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Wed, Feb 11, 2009 at 7:38 AM, Peter Watkins <peterw at tux.org> wrote:

> On Tue, Feb 10, 2009 at 04:03:52PM -0800, Andrew Arnott wrote:
>
> > OpenID Providers should consider hosting the following OpenID Identifiers
> > for which positive or negative assertions will always be immediately
> > generated with no interaction with the user agent in order to provide RPs
> > under test to programmatically check their compatibility with your Provider:
> > http://provider/TestIdentifierAlwaysAssert  (or
> > http://TestIdentifierAlwaysAssert.provider/)
> > http://provider/TestIdentifierAlwaysRefuse (or
> > http://TestIdentifierAlwaysRefuse.provider/)
> > http://provider/TestIdentifierAssertOnSetup (or
> > http://TestIdentifierAssertOnSetup.provider/)
>
> If I understand you correctly, that you expect those to be discoverable
> URLs, I don't think that would work very well. Those suggestions make
> assumptions about DNS and server configuration for the IdP/OP. None of
> those fit our systems -- when/if we move from being just an RP that also
> has "local" accounts to providing OP service for our local account holders,
> we'll be using directed identity with identifiers that map back to our
> OP application, like
>
>
> https://apps.example.com/OurLogin/OpenID/id.aspx?id=TestIdentifierAlwaysAssert
>
> I think a better model would be reserving certain keywords and treating
> any identifier that *includes* that keyword anywhere in the URL (excluding
> any # fragment!) as a test identifier, e.g.
>
> Some possible "__oid2test__TestIdentifierAlwaysAssert" URLs/identifiers:
>
> (http|https)://provider/__oid2test__TestIdentifierAlwaysAssert
> (http|https)://provider/__oid2test__TestIdentifierAlwaysAssert/
> (http|https)://provider/path/app.jsp?__oid2test__TestIdentifierAlwaysAssert
> (http|https)://provider/path/app.aspx?u=__oid2test__TestIdentifierAlwaysAssert
> (http|https)://__oid2test__TestIdentifierAlwaysAssert.provider/
>
> Testing RPs should be able to send a claimed identifier that has a keyword
> to the OP. The only expectation for the response should be that its identifier
> (for cases like TestIdentifierAlwaysAssert that generate positive assertions)
> would include the same keyword that was present in the RP request. If the
> RP can figure out how to make a normal, non-directed discoverable URL with
> a keyword that maps to an OP
> (https://me.yahoo.com/__oid2test__TestIdentifierAlwaysAssert ?), that'd be
> fine, too.
>
> -Peter
>
>
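
The keyword rule from the quoted message, as an added example that is not code from this thread or from any OpenID library: a reserved keyword anywhere in the URL except the fragment marks a test identifier, and a positive assertion must carry the same keyword back. The function names, the case-insensitive match, and applying the `__oid2test__` prefix to all three behaviour names are assumptions; the URLs are constructed samples.

```python
from urllib.parse import urldefrag

PREFIX = "__oid2test__"  # keyword prefix proposed in the quoted message
# Behaviour names from the thread; prefixing all three is an assumption.
BEHAVIOURS = (
    "TestIdentifierAlwaysAssert",
    "TestIdentifierAlwaysRefuse",
    "TestIdentifierAssertOnSetup",
)


def find_test_keyword(identifier):
    """Return the behaviour named by a reserved keyword in the URL, or None.

    The # fragment is ignored. Matching is case-insensitive (an assumption:
    host names are case-insensitive and may arrive lowercased).
    """
    url, _fragment = urldefrag(identifier)
    haystack = url.lower()
    found = [b for b in BEHAVIOURS if (PREFIX + b).lower() in haystack]
    if len(found) > 1:
        # Two different behaviours in one identifier cannot both be honoured.
        raise ValueError("conflicting test keywords in %r" % identifier)
    return found[0] if found else None


def response_keeps_keyword(requested, asserted):
    """True if the asserted identifier carries the same keyword the RP sent.

    This is the only expectation the proposal places on a positive assertion;
    the rest of the asserted URL may differ (directed identity).
    """
    wanted = find_test_keyword(requested)
    return wanted is not None and find_test_keyword(asserted) == wanted


if __name__ == "__main__":
    # Constructed sample identifiers, modelled on the forms listed above.
    samples = [
        "https://provider/__oid2test__TestIdentifierAlwaysAssert/",
        "http://provider/path/app.aspx?u=__oid2test__TestIdentifierAlwaysRefuse",
        "https://__oid2test__testidentifierassertonsetup.provider/",
        "https://provider/alice#__oid2test__TestIdentifierAlwaysAssert",
    ]
    for s in samples:
        print(s, "->", find_test_keyword(s))
```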