[OpenID] Google custom discovery
Eric Sachs
esachs at google.com
Fri Jul 10 17:35:34 UTC 2009
The feature in this area that we get more requests for is to support OpenID
validation for the relatively new Google Profiles service, i.e.
profiles.google.com, which is also a more memorable endpoint for users to
type :-). That support is not yet available, but it's definitely on the
list.
On Fri, Jul 10, 2009 at 10:16 AM, Peter Williams <pwilliams at rapattoni.com> wrote:
> Let's hope it prompts google to do much better: http://op.google.com:
> forming the eminently typable "op.google.com".
>
> They might even have that redirect to http://google.com/op which they
> might make an xri mount point to the I-brokered authority that serves the op
> xrd/s. If their op is a real xri-labelled authority, a ref field in the sep
> can even properly provide for delegated authorization of xrd files by user
> authorities (which openid auth hacks up as openid delegation, when abusing
> the semantics of the op local id field per jonny bufu's recent message).
>
> I don't think it's hard to meet professional security engineering standards
> within openid: just be complete about xri semantics (even when using http
> identifiers). We don't need custom extensions for discovery, particularly if
> they project idp-centric vs user centric identity models.
>
> But let's wait and see how they are signing the xrd files (the way the
> openxri server does it (per the standard), or "otherwise"). The validity
> logic for verifying that signature will tell us what class of trust
> semantics they are working towards: google as ttp for attribute sharing, or
> uci.
>
> ________________________________
> From: Andrew Arnott <andrewarnott at gmail.com>
> Sent: Thursday, July 09, 2009 8:30 PM
> To: Peter Williams <pwilliams at rapattoni.com>
> Cc: Eric Sachs <esachs at google.com>; general at openid.net <general at openid.net>;
> Paul Johnston <paj at pajhome.org.uk>
> Subject: Re: [OpenID] What is my Google OpenID URL?
>
> Wow. I'm going to have to use that tinyurl everywhere now. :-p
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> On Thu, Jul 9, 2009 at 8:24 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> come on google, it takes you 10s to have a redirector URL (op.google.com,
> perhaps?) redirect to the
> https://www.google.com/accounts/o8/id. Conforming RPs are required to
> follow the redirect, before detecting that the XRD at that address is a
> law#4-capable OP, vs a user.
>
>
> http://tinyurl.com/googop now produces
> <?xml version="1.0" encoding="UTF-8" ?>
> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>   <XRD>
>     <Service priority="0">
>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>       <Type>http://openid.net/srv/ax/1.0</Type>
>       <Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
>       <Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>       <URI>https://www.google.com/accounts/o8/ud</URI>
>     </Service>
>   </XRD>
> </xrds:XRDS>
>
> I'm sure google can do better than tinyurl.com!
>
> How about op.google.com?!
>
> ________________________________
> From: general-bounces at openid.net [general-bounces at openid.net] On Behalf
> Of Andrew Arnott [andrewarnott at gmail.com]
> Sent: Thursday, July 09, 2009 7:16 PM
> To: Eric Sachs
> Cc: general at openid.net; Paul Johnston
> Subject: Re: [OpenID] What is my Google OpenID URL?
>
> Note that using your Blogger blog URL is not equivalent to using
> https://www.google.com/accounts/o8/id. Besides the user interface of the
> login experience being completely different, Blogger's Provider is only an
> OpenID 1.1 provider, whereas Google's
> https://www.google.com/accounts/o8/id OpenID Provider is a more secure
> OpenID 2.0 provider.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> On Thu, Jul 9, 2009 at 6:38 PM, Eric Sachs <esachs at google.com> wrote:
> If you create a blog on Google's blogger service, then you can type the
> name of that blog into OpenID login boxes.
>
> If you are willing to be really geeky, type in
> https://www.google.com/accounts/o8/id. That points to the generic Google
> identity provider, and you will be redirected back with an opaque
> identifier. But we don't actually expect anyone to know to do that which is
> why a lot of OpenID relying parties are supporting other user interfaces
> with buttons for Google. For example, see
> http://uservoice.com/session/new
>
> Similarly a lot of blogs allow you to comment and identify you with an
> OpenID URL, and while you can try one of the tricks above, many of the blog
> commenting interfaces also include buttons (or the NASCAR style UI as the
> community likes to call it) to help users navigate their way through.
>
> On Tue, Jul 7, 2009 at 11:34 PM, Paul Johnston <paj at pajhome.org.uk> wrote:
> Hi,
>
> I'm sorry for asking such an obvious question, but after considerable
> time spent searching for this I am unable to figure this out.
>
> My google account name is paul.paj. I would like to login to
> bitbucket.org using OpenID.
> How do I do it?
>
> Paul
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
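The point raised earlier in the thread, that an RP must tell an XRDS describing an OP apart from one describing a user, comes down to which service Type it finds after following redirects. The following is an added example, not part of the original messages: a Python classifier for a fetched XRDS. The function name, the HTTPS-only policy and the DTD rejection are assumptions made here, and the sample document is constructed from the XML quoted above.

```python
import xml.etree.ElementTree as ET

XRD_NS = "{xri://$xrd*($v*2.0)}"
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"   # XRDS describes an OP
CLAIMED_ID = "http://specs.openid.net/auth/2.0/signon"      # XRDS describes a user
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed sample: the service element quoted in the thread, properly closed.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://www.google.com/accounts/o8/ud</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def classify_xrds(xml_text, require_https=True):
    """Return (kind, endpoint, claimed_id_to_send); None means 'use the user's URL'."""
    # Discovery documents are untrusted input: refuse DTDs so entity
    # expansion never reaches the XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations not allowed in XRDS")
    root = ET.fromstring(xml_text.encode("utf-8"))
    xrds = root.findall(XRD_NS + "XRD")
    if not xrds:
        raise ValueError("no XRD element")
    candidates = []
    for svc in xrds[-1].findall(XRD_NS + "Service"):   # final XRD is the one used
        types = {t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text}
        uri = svc.findtext(XRD_NS + "URI", default="").strip()
        if require_https and not uri.startswith("https://"):
            continue                                   # skip cleartext endpoints
        prio = int(svc.get("priority", "1000000"))     # missing priority sorts last
        if OP_IDENTIFIER in types:                     # OP Identifier element wins
            candidates.append((0, prio, "op_identifier", uri, IDENTIFIER_SELECT))
        elif CLAIMED_ID in types:
            candidates.append((1, prio, "claimed_identifier", uri, None))
    if not candidates:
        raise ValueError("no usable OpenID 2.0 service")
    _, _, kind, endpoint, claimed = min(candidates, key=lambda c: c[:2])
    return kind, endpoint, claimed
```

For the sample, the result is `op_identifier`, so the RP sends `identifier_select` and must rerun discovery on whatever claimed identifier the OP returns before trusting the assertion.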