[OpenID] Delegation leading to new accounts on websites
Andrew Arnott
andrewarnott at gmail.com
Mon Jun 22 00:29:25 UTC 2009
In my opinion and/or experience...
Whether you use XRDS or HTML tags has nothing to do with getting Yahoo
working with delegation. Only the RP cares about how you set up the
delegation. So if Yahoo is not honoring the delegated identifier then
either Yahoo is broken, or the RP is not performing discovery correctly. If
using XRDS fixes it, then the problem was at the RP rather than Yahoo!
I just tested it, and Yahoo treats a delegated checkid_setup as a directed
identity request regardless of what the openid.claimed_id value is.
Google doesn't support delegation at all. Some concern about asserting an
Identifier it has no control over..., and then there's the fact that you
have no local_id to use except an arbitrarily picked anonymous identifier
they assigned to you for a particular RP, which doesn't work when passed as
a local_id.
So yes, delegation is a great OpenID feature to be able to switch Providers
without changing your identity. But you'll have to pick OPs other than
Google and Yahoo.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Sun, Jun 21, 2009 at 4:54 PM, Peter Williams <pwilliams at rapattoni.com>wrote:
> try using the X-XRDS-... trick, for use by YADIS. All the metadata is the
> in the XRD instead,as located by the X-XRDS-... header.
>
> We had it working last week with Yahoo (but not with Google), when we used
> XRD file.
>
> With Yahoo, it didn't seem to matter what you put in the Service's LocalID
> - which makes sense if you think about the semantics of LocalID. But, in the
> context of openid discovery, I THOUGHT (given the UCI security model)
> citation of localID in a vanity XRD was supposed to REQUIRE Yahoo (the OP)
> to use the directed id of the user's choice (assuming there are several)!
>
> if someone can, please point to a public, working trial of delegating to
> Google Accounts OP. Its an important milestone for openid - when vanity XRDs
> are properly handled by all the major OPs, including FaceBook, Google etc.
> We know openid is balancing commercial and personal interests then. A
> technology that (a) works in practice, and (b) somehow balances such
> contrary interests is, of course a world beater (like SSL!)
>
> ________________________________________
> From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of
> Tom Edwards [t_edwards at btinternet.com]
> Sent: Sunday, June 21, 2009 3:21 PM
> To: general at openid.net
> Subject: [OpenID] Delegation leading to new accounts on websites
>
> My personal OpenID server broke a while back, and I've decided this
> evening to start delegating in order continue using my personal URL
> (<http://steamreview.org>). This is the code now in my page header:
> > <link rel="openid.delegate openid2.local_id"
> > href="http://www.flickr.com/photos/varsity/" />
> > <link rel="openid.server openid2.provider"
> > href="https://open.login.yahooapis.com/openid/op/auth" />
> But when I login to the sites I used my openid on before it broke (I've
> tried Get Satisfaction and Userstyles.org so far), they don't recognise
> me as an pre-existing user. They think I'm
> www.flickr.com/photos/varsity/, whereas I actually still want to be
> steamreview.org.
>
> Is this intended behaviour? I thought the point of delegation was to
> allow people to switch providers without changing consumer-facing identity.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090621/0bacae5b/attachment.htm>
More information about the general
mailing list