[OpenID] Identity-less OpenID

Andrew Arnott andrewarnott at gmail.com
Thu May 7 04:22:33 UTC 2009


The OpenID 2.0 spec allows for checkid_* messages to omit openid.identity
and openid.claimed_id in order to send a message whose usefulness is entirely in
the extensions it carries.  For a long time I thought "what's the point of
that??" but I finally found a use case.  So I'm adding built-in support for
it into DotNetOpenAuth both at the RP and OP sides.  Now that I've done it,
I'm checking various OPs to see if they support it.  Google: no,
myopenid.com: no, Yahoo.com: no, myvidoop.com: no.  I'm out of OPs that I'd
have guessed had any chance of supporting it. (Actually, I guess
myvidoop.com didn't have a chance since they only do a strange mixture of
OpenID 1.1 with some 2.0 feature support).  My favorite part of this is
that every OP says there's something wrong with the request, instead of
"this feature isn't supported."

Does anyone know of an OP that actually supports this feature?  (or an RP
that uses it?)  I'm puzzled that such a feature was included in the spec
without anyone driving for its support.

In case you're interested in the scenario in which this is useful, here it
is:  Remember past threads where I've advocated against an organization
becoming an OP just so RPs can force users to log in with that OP to verify
some membership in the organization?  The alternative that I had proposed
was for that org to set up an OAuth SP. While that idea is still valid, it
might be the only reason for that org and an RP to add OAuth support, which
may not be trivial.  If, on the other hand, the RP sent an identity-less
OpenID request to the org's OP, with an "organization member check"
extension request, then the OP could issue a positive assertion that carries
no identity, but can assert that yes, the user is in fact a member of the
org.  Of course the OP would still have to authenticate the user somehow,
but the RP and OP would not have to agree on an Identifier to use for
referring to the person.

In fact there are many times perhaps when the RP doesn't care how the OP may
identify the user, but just wants to get certain claims about the user
because it trusts the OP.  Identity-less OpenID, which is in the 2.0 spec
but which no site seems to support, seems to be a good answer.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
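Added example, not code from DotNetOpenAuth or from any OP named above, of the exchange the message describes: the RP builds a checkid_setup request with no openid.identity or openid.claimed_id, the OP answers with a positive assertion whose only payload is a signed membership claim, and the RP verifies the signature with no Identifier to check. The member-check extension namespace and its field names are assumptions; association establishment, nonce replay tracking and realm checks are left out.

```python
import base64
import hashlib
import hmac
OPENID_NS = "http://specs.openid.net/auth/2.0"
# Assumed namespace for the "organization member check" extension the message imagines.
MEMBER_NS = "http://example.org/openid/ext/member-check/1.0"
SIGNED = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",  # required by spec
          "ns.member", "member.org", "member.is_member"]                  # plus the claim

def build_identityless_request(return_to, realm, org):
    """RP side: checkid_setup carrying no openid.identity / openid.claimed_id."""
    return {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
            "openid.return_to": return_to, "openid.realm": realm,
            "openid.ns.member": MEMBER_NS, "openid.member.org": org}

def is_identityless(msg):
    return "openid.identity" not in msg and "openid.claimed_id" not in msg

def sign(msg, signed, mac_key):
    """OpenID 2.0 signature: base64(HMAC-SHA1(mac_key, KV-form of the signed fields))."""
    kv = "".join(f"{k}:{msg['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()).decode()

def op_positive_assertion(req, op_endpoint, assoc_handle, mac_key, is_member, nonce):
    """OP side: positive assertion whose only payload is the signed extension claim."""
    if req.get("openid.ns") != OPENID_NS or not req.get("openid.mode", "").startswith("checkid_"):
        raise ValueError("not an OpenID 2.0 checkid request")
    if not is_identityless(req):
        raise ValueError("this helper only handles identity-less requests")
    resp = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
            "openid.return_to": req["openid.return_to"], "openid.response_nonce": nonce,
            "openid.assoc_handle": assoc_handle, "openid.ns.member": MEMBER_NS,
            "openid.member.org": req["openid.member.org"],
            "openid.member.is_member": "true" if is_member else "false",
            "openid.signed": ",".join(SIGNED)}
    resp["openid.sig"] = sign(resp, SIGNED, mac_key)
    return resp

def rp_verify(resp, mac_key, expected_return_to):
    """RP side: True/False for a validly signed claim, None if the assertion is unacceptable."""
    signed = resp.get("openid.signed", "").split(",")
    if (resp.get("openid.ns") != OPENID_NS or resp.get("openid.mode") != "id_res"
            or not set(SIGNED).issubset(signed) or any("openid." + k not in resp for k in signed)
            or resp["openid.return_to"] != expected_return_to):
        return None  # wrong mode, a required field unsigned/missing, or return_to mismatch
    if not hmac.compare_digest(sign(resp, signed, mac_key), resp.get("openid.sig", "")):
        return None
    # No claimed_id/identity to verify; trust rests on the OP's signature over the claim.
    return resp["openid.member.is_member"] == "true"
```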