[OpenID] Delegation leading to new accounts on websites
George Fletcher
gffletch at aol.com
Mon Jun 22 15:44:03 UTC 2009
Isn't one of the underlying issues the fact that there are really 3
identifiers in this scenario?
1. the identifier entered by the user (claimed_id or i-name)
2. the discovered/resolved identifier ("local_id" or "i-number")
3. the identifier returned by the OP
In the case of OpenID 2.0 protocol flow, the RP has to remember #1 and
send #2 as the openid.identity parameter. If the OP does NOT return
openid.identity == #2, then the OP has chosen to do directed identity
regardless of the request and the RP must throw out #1 and take #3 as
the user's identifier.
This causes some weird user experience issues, but this is what we ran
into when implementing OpenID 2.0 Relying Party support.
Thanks,
George
Andrew Arnott wrote:
> In my opinion and/or experience...
>
> Whether you use XRDS or HTML tags has nothing to do with getting Yahoo
> working with delegation. Only the RP cares about how you set up the
> delegation. So if Yahoo is not honoring the delegated identifier then
> either Yahoo is broken, or the RP is not performing discovery
> correctly. If using XRDS fixes it, then the problem was at the RP
> rather than Yahoo!
>
> I just tested it, and Yahoo treats a delegated checkid_setup as a
> directed identity request regardless of what the openid.claimed_id
> value is.
>
> Google doesn't support delegation at all. Some concern about
> asserting an Identifier it has no control over..., and then there's
> the fact that you have no local_id to use except an arbitrarily picked
> anonymous identifier they assigned to you for a particular RP, which
> doesn't work when passed as a local_id.
>
> So yes, delegation is a great OpenID feature to be able to switch
> Providers without changing your identity. But you'll have to pick OPs
> other than Google and Yahoo.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - S. G. Tallentyre
>
>
> On Sun, Jun 21, 2009 at 4:54 PM, Peter Williams
> <pwilliams at rapattoni.com <mailto:pwilliams at rapattoni.com>> wrote:
>
> Try using the X-XRDS-... trick, for use by YADIS. All the metadata
> is in the XRD instead, as located by the X-XRDS-... header.
>
> We had it working last week with Yahoo (but not with Google), when
> we used XRD file.
>
> With Yahoo, it didn't seem to matter what you put in the Service's
> LocalID - which makes sense if you think about the semantics of
> LocalID. But, in the context of openid discovery, I THOUGHT (given
> the UCI security model) citation of localID in a vanity XRD was
> supposed to REQUIRE Yahoo (the OP) to use the directed id of the
> user's choice (assuming there are several)!
>
> If someone can, please point to a public, working trial of
> delegating to Google Accounts OP. It's an important milestone for
> openid - when vanity XRDs are properly handled by all the major
> OPs, including FaceBook, Google etc. We know openid is balancing
> commercial and personal interests then. A technology that (a)
> works in practice, and (b) somehow balances such contrary
> interests is, of course, a world beater (like SSL!)
>
> ________________________________________
> From: general-bounces at openid.net
> <mailto:general-bounces at openid.net> [general-bounces at openid.net
> <mailto:general-bounces at openid.net>] On Behalf Of Tom Edwards
> [t_edwards at btinternet.com <mailto:t_edwards at btinternet.com>]
> Sent: Sunday, June 21, 2009 3:21 PM
> To: general at openid.net <mailto:general at openid.net>
> Subject: [OpenID] Delegation leading to new accounts on websites
>
> My personal OpenID server broke a while back, and I've decided this
> evening to start delegating in order to continue using my personal URL
> (<http://steamreview.org>). This is the code now in my page header:
> > <link rel="openid.delegate openid2.local_id"
> > href="http://www.flickr.com/photos/varsity/" />
> > <link rel="openid.server openid2.provider"
> > href="https://open.login.yahooapis.com/openid/op/auth" />
> But when I login to the sites I used my openid on before it broke
> (I've tried Get Satisfaction and Userstyles.org so far), they don't
> recognise me as a pre-existing user. They think I'm
> www.flickr.com/photos/varsity/ <http://www.flickr.com/photos/varsity/>,
> whereas I actually still want to be steamreview.org <http://steamreview.org>.
>
> Is this intended behaviour? I thought the point of delegation was to
> allow people to switch providers without changing consumer-facing
> identity.
>
> _______________________________________________
> general mailing list
> general at openid.net <mailto:general at openid.net>
> http://openid.net/mailman/listinfo/general
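George's three-identifier rule, applied to the header Tom quotes, worked through in Python as an added example (not code from any poster or from an OpenID library); the two OP behaviours and the Yahoo-style identifier are constructed stand-ins.

```python
from html.parser import HTMLParser

class _LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []          # list of (set_of_rel_values, href)
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            self.links.append((set((a.get("rel") or "").split()), a.get("href")))

def discover_html(page_html):
    """HTML-based discovery: (op_endpoint, local_id) from the openid2.* link tags."""
    parser = _LinkParser()
    parser.feed(page_html)
    endpoint = local_id = None
    for rels, href in parser.links:
        if "openid2.provider" in rels:
            endpoint = href
        if "openid2.local_id" in rels:
            local_id = href
    return endpoint, local_id

def build_checkid_setup(claimed_id, local_id):
    """The RP remembers claimed_id (#1) and sends local_id (#2) as openid.identity."""
    return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id, "openid.identity": local_id or claimed_id}

def resolve_user_identifier(claimed_id, request, response):
    """George's rule: identity echoed -> keep #1; else directed identity, store the OP's #3."""
    if response.get("openid.identity") == request["openid.identity"]:
        return claimed_id
    return response["openid.claimed_id"]

def login_with(claimed_id, page_html, op_respond):
    """Discover, build the request, let op_respond (stand-in for the OP) answer it."""
    _endpoint, local_id = discover_html(page_html)
    request = build_checkid_setup(claimed_id, local_id)
    return resolve_user_identifier(claimed_id, request, op_respond(request))
# Tom's page header, copied from the thread below.
TOM_HEADER = """<html><head>
<link rel="openid.delegate openid2.local_id" href="http://www.flickr.com/photos/varsity/" />
<link rel="openid.server openid2.provider" href="https://open.login.yahooapis.com/openid/op/auth" />
</head></html>"""
def honoring_op(req):            # constructed OP that honours delegation
    return {"openid.identity": req["openid.identity"], "openid.claimed_id": req["openid.claimed_id"]}
DIRECTED = "https://me.yahoo.com/a/CONSTRUCTED-ID"   # placeholder, not a real Yahoo id
def directed_identity_op(req):   # constructed: behaves as the thread reports Yahoo does
    return {"openid.identity": DIRECTED, "openid.claimed_id": DIRECTED}
```

A real RP must also verify the assertion (signature, return_to, nonce) before trusting it, and OpenID 2.0 section 11.2 requires discovery to be re-run on a returned claimed_id that differs from the one sent, so the OP is shown to be authoritative for it.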