[OpenID] Delegation leading to new accounts on websites

John Bradley john.bradley at wingaa.com
Thu Jul 9 21:06:08 UTC 2009


Yes, the terminology section of the spec implies that the OP-Local Identifier is an alternate Identifier for the user at the OP.

Identifiers are either XRIs or http/https URLs.

That rules out URNs or other creative things the OP may try, though that may not have been the intent of the editors.

However, the point stands that the OP-Local Identifier is an identifier and not a locator. Discovery is not performed on it to determine if the OP is authoritative for it in any global way.

RPs should never trust an openid.identity in OpenID 2.0 flows! However, they must verify that the openid.identity matches the LocalID in the XRDS if delegation is used. Otherwise directed identity by the OP will allow multiple openid.identity values to log in as that delegated claimed_id.


John B.

On 9-Jul-09, at 4:20 PM, Breno de Medeiros wrote:

> It does need to be a URI (at least for OpenID). See the spec
> definition of identifiers.
>
> On Tue, Jul 7, 2009 at 4:03 PM, Johnny Bufu <johnny.bufu at gmail.com>  
> wrote:
> Doesn't even have to be a URI; what matters is that the OP issues
> it, so they (can) have full control/authority over it if that's a
> concern for them.
>
>
>
> -- 
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
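As an added example (not code from this thread), here is the RP-side check John describes: the openid.identity in a positive assertion must equal the LocalID that discovery on the claimed_id yielded, and the assertion must come from the discovered endpoint. The XRDS document, identifiers and endpoint below are constructed sample values.

```python
"""RP-side binding check for a delegated OpenID 2.0 claimed_id.
Added example; XRDS, identifiers and endpoint are constructed sample data."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"

# Constructed XRDS as it might be served at the user's claimed_id, with delegation.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/server</URI>
      <LocalID>https://op.example.net/users/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""


def discover(claimed_id, xrds_bytes):
    """Return (op_endpoint, op_local_identifier) from the signon service.
    Without a LocalID element, the OP-Local Identifier is the claimed_id itself."""
    root = ET.fromstring(xrds_bytes)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if SIGNON_TYPE not in types:
            continue
        uri = svc.findtext(f"{{{XRD_NS}}}URI")
        local = svc.findtext(f"{{{XRD_NS}}}LocalID")
        return uri.strip(), (local.strip() if local else claimed_id)
    raise ValueError("no OpenID 2.0 signon service in XRDS")


def verify_identity_binding(assertion, claimed_id, xrds_bytes):
    """Accept the (already signature-checked) assertion only if its
    openid.identity is exactly the LocalID discovered for claimed_id and it
    was issued by the discovered endpoint. Skipping this lets a directed-identity
    OP log any of its users in as the delegated claimed_id."""
    op_endpoint, local_id = discover(claimed_id, xrds_bytes)
    if assertion.get("openid.claimed_id") != claimed_id:
        return False
    if assertion.get("openid.op_endpoint") != op_endpoint:
        return False
    return assertion.get("openid.identity") == local_id
```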
