[OpenID] HTML-Based Discovery incompatibilities

Chris Messina chris.messina at gmail.com
Thu Jan 8 18:35:39 UTC 2009


On Thu, Jan 8, 2009 at 9:39 AM, Andrew Arnott <andrewarnott at gmail.com> wrote:

> True.  You and I don't need <link> tags with the OpenID URI and can write
> XRDS docs.  But if you want the average user to be able to set up a vanity
> URL, they need those simpler tags.


+ ∞.

I will fight tooth and nail to keep basic <link>-based OpenID discovery in
the spec. I had a hard enough time delegating my own OpenID yesterday. You'd
think that I'm not your average user and could figure this out -- and if *I*
had a hard time with it, I can't imagine how normal folks who give a crap
about our beautiful fucking snowflake technologies will figure it out.

MySpace theming is the perfect counterpoint to your example Eran -- people
figured out how to skin their MySpace profile by dumping CSS into their
"About" profile. Browsers, designed leniently, fortunately did what they're
supposed to do, and responded to user intent.

When I see people try to mark up their pages with microformats and get it
wrong (let alone basic HTML), it suggests that we need to make this stuff SO
SO SIMPLE. If we can say "edit your homepage and add these two lines", that
wins versus "edit your homepage, add this one line, fire up your text
editor, create this XML document... blah blah blah. FAIL."


> My parents and sisters, who know almost nothing about HTML, still manage to
> keep blogs on Blogger.  They could, with help, add two LINK tags to their
> blog to manage their own OpenIDs, but they could not be expected to author
> an XRDS doc.  And even if they could, where would they host it?  Blogger
> doesn't allow hosting of arbitrary files like that.  Nor would the
> Content-Type HTTP response header likely be the correct one for said XRDS
> doc.
>

While I appreciate Eran's point that XRDS should be produced automatically
and OpenID should just "happen", that's not how we get web-wide adoption. We
get web-wide adoption with one or two lines of HTML added to an HTML
template. And nothing more.

We should certainly accommodate more advanced situations -- and develop the
full potential of XRD and XRDS, but it should not come at the expense of
OpenID delegation or adoption.

To echo Andrew's point, folks on shared/hosted services like WordPress.com
or Blogger often let you tweak your templates (to a certain degree).
Uploading arbitrary XML files is often prohibited, or worse, rewritten as
HTML files.

Furthermore, HTML-based delegation enables services (like DandyID:
http://twitter.com/DandyId/status/1100104072) to allow OpenID delegation
without the need to host an XRDS document for all of its users; it just
changes its HTML output.

So, I'm sympathetic to your desires, Eran, but I don't think forcing people
to upload/reference another file is a viable solution. It does mean that the
OpenID libraries need to be more complicated and more robust, but really,
the OpenID libraries should be doing the brunt of the work anyway. Our
emphasis should be on making this stuff excruciatingly easy to implement.
Consider that, for the most part, Facebook Connect can be set up with a line
of JavaScript (same with Google Friend Connect). We need that level of
simplicity if we're going to stand a chance on the open web.

Chris


>
> On Thu, Jan 8, 2009 at 9:16 AM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:
>
>>  It is. I am just saying we don't need so many options (like <link>
>> elements with the OpenID URI). Simply point everything to just an XRDS file.
>>
>>
>>
>> EHL
>>
>>
>>
>> *From:* Andrew Arnott [mailto:andrewarnott at gmail.com]
>> *Sent:* Thursday, January 08, 2009 9:04 AM
>> *To:* Eran Hammer-Lahav
>> *Cc:* Chris Messina; general at openid.net List
>> *Subject:* Re: [OpenID] HTML-Based Discovery incompatibilities
>>
>>
>>
>> Eran,
>>
>>
>>
>> Maybe I misunderstand you, but isn't adding a link to your XRDS file from
>> HTML in fact one aspect of HTML discovery?
>>
>>
>>
>> I mean, html discovery can result in an XRDS doc reference, finding
>> openid.server (et al.) tags, or nothing at all.
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death
>> your right to say it." - Voltaire
>>
>>  On Thu, Jan 8, 2009 at 8:55 AM, Eran Hammer-Lahav <eran at hueniverse.com>
>> wrote:
>>
>> I would like to see HTML-Based discovery removed from the spec completely.
>> There is no reason to have it anymore since you can simply add a link to
>> your XRDS file from HTML and get it all done there in a consistent way.
>>
>>
>>
>> In my upcoming discovery spec I spell out that resource-consumers must
>> support multiple values in the rel attribute.
>>
>>
>>
>> EHL
>>
>>
>>
>> *From:* general-bounces at openid.net [mailto:general-bounces at openid.net] *On
>> Behalf Of *Chris Messina
>> *Sent:* Thursday, January 08, 2009 12:59 AM
>> *To:* general at openid.net List
>> *Subject:* [OpenID] HTML-Based Discovery incompatibilities
>>
>>
>>
>> I just read over § 7.3.3 on HTML-Based Discovery [1], and considering my
>> experience today trying to re-delegate my OpenID, I've discovered that this
>> section needs to be updated and clarified.
>>
>> It turns out that relying parties are not parsing HTML rel values in a
>> standard way. That is, if there is more than one rel value provided for a
>> link, some RPs fail, whereas others work fine.
>>
>> In other words, this:
>>
>>    <link rel="openid2.provider openid.server" href="http://factoryjoe.com/blog/" />
>>    <link rel="openid2.local_id openid.delegate" href="http://factoryjoe.com/blog/" />
>>
>> is not the same as this:
>>
>>    <link rel="openid2.provider" href="http://factoryjoe.com/blog/?openid_server=1" />
>>    <link rel="openid2.local_id" href="http://factoryjoe.com/blog/author/factoryjoe/" />
>>    <link rel="openid.server" href="http://factoryjoe.com/blog/?openid_server=1" />
>>    <link rel="openid.delegate" href="http://factoryjoe.com/blog/author/factoryjoe/" />
>>
>> It's my understanding that the rel attribute should be able to contain
>> several values.
>>
>>
>>
>> But I can tell you that IntenseDebate, for example, failed when delegation
>> was set up using the former code. It only worked when I broke out the two
>> links into four.
>>
>>
>>
>> I'm not sure if this is an issue with the libraries or what, but I'd like
>> to know if other people have experienced this problem, and if we can improve
>> the language in the spec to make sure that people understand that they need
>> to look for the presence of an element in a rel value -- not that the
>> *entire* value is one element.
>>
>>
>>
>> Chris
>>
>> [1] http://openid.net/specs/openid-authentication-2_0.html#html_disco
>>
>> --
>> Chris Messina
>> Citizen-Participant &
>>  Open Web Advocate-at-Large
>>
>> factoryjoe.com # diso-project.org
>> citizenagency.com # vidoop.com
>> This email is:   [ ] bloggable    [X] ask first   [ ] private


-- 
Chris Messina
Citizen-Participant &
 Open Web Advocate-at-Large

factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private
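
An added example, not code from this thread or from any OpenID library: a Python sketch of the rel handling the original report asks for, treating rel as a space-separated token list so that both markups quoted above resolve, with a `tokenize=False` switch that reproduces whole-value matching. The names `LinkCollector` and `discover` and the first-match-wins rule are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# rel tokens used by OpenID 2.0 and 1.1 HTML-based discovery
OPENID_RELS = {"openid2.provider", "openid2.local_id",
               "openid.server", "openid.delegate"}

class LinkCollector(HTMLParser):
    """Collect (rel, href) pairs from <link> elements inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.links = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                self.links.append((a["rel"], a["href"].strip()))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html, tokenize=True):
    """Return {rel token: href}; tokenize=False mimics whole-value matching."""
    parser = LinkCollector()
    parser.feed(html)
    found = {}
    for rel, href in parser.links:
        # rel is a space-separated list of link types, matched case-insensitively
        tokens = rel.lower().split() if tokenize else [rel.lower()]
        for token in tokens:
            if token in OPENID_RELS:
                found.setdefault(token, href)  # first match wins (assumption)
    return found

# Constructed pages reproducing the two markups quoted in the message.
COMBINED = """<html><head>
<link rel="openid2.provider openid.server" href="http://factoryjoe.com/blog/" />
<link rel="openid2.local_id openid.delegate" href="http://factoryjoe.com/blog/" />
</head></html>"""
SPLIT = """<html><head>
<link rel="openid2.provider" href="http://factoryjoe.com/blog/?openid_server=1" />
<link rel="openid2.local_id" href="http://factoryjoe.com/blog/author/factoryjoe/" />
<link rel="openid.server" href="http://factoryjoe.com/blog/?openid_server=1" />
<link rel="openid.delegate" href="http://factoryjoe.com/blog/author/factoryjoe/" />
</head></html>"""
```

With `tokenize=False` the combined markup yields no endpoints at all, which matches the failure reported for the two-link form.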