This is great. Thanks everyone who answered!<br><br><div class="gmail_quote">On Sun, May 25, 2008 at 1:12 PM, Johnny Bufu &lt;<a href="mailto:johnny.bufu@gmail.com">johnny.bufu@gmail.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>
On 05/25/2008 07:33 AM, Andrew Arnott wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
According to the OpenID 2.0 spec (as I read it), the RP discovery feature requires that the return_to URL be found in the XRDS doc published by the RP at the realm URL. However, some sites, such as blogs, allow logging in on virtually every page on the site (thousands). How should this be handled in the XRDS document since it can't be practical to include thousands of potential return_to URLs in the XRDS doc?<br>
</blockquote>
<br></div>
This is covered in the spec:<br>
<br>
9.2.1. Using the Realm for Return URL Verification<br>
<br>
[...]<br>
<br>
To match a return_to URL against a relying party endpoint, use the same rules as for matching the return_to URL against the realm, treating the relying party's endpoint URL as the realm. Relying party endpoint URLs MUST NOT contain a domain wildcard, and SHOULD be as specific as possible.<br>
<br>
<a href="http://openid.net/specs/openid-authentication-2_0.html#realms" target="_blank">http://openid.net/specs/openid-authentication-2_0.html#realms</a><br><font color="#888888">
<br>
<br>
Johnny<br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Andrew Arnott
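<br><br>
The matching rule quoted above, as an added example that is not part of the original thread or of any OpenID library: a site with thousands of login pages publishes one endpoint URL, and every return_to beneath it matches. It applies the realm matching rules of the linked spec section (same scheme and port, identical domain, path equal to or a sub-directory of the endpoint's path). The function names, the blog.example.com URLs and the dot-segment rejection are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parts(url):
    """Return (scheme, host, port, path), or None if the URL is unusable."""
    try:
        u = urlsplit(url)
        port = u.port
    except ValueError:
        return None
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        return None
    path = u.path or "/"
    # Added hardening (assumption, not in the quoted text): refuse dot-segments.
    if any(seg in (".", "..") for seg in path.split("/")):
        return None
    return scheme, u.hostname.lower(), port or DEFAULT_PORTS[scheme], path

def _path_within(path, base):
    """True if path equals base or lies in a sub-directory of it."""
    if path == base:
        return True
    if not base.endswith("/"):
        base += "/"
    return path.startswith(base)

def matches_endpoint(return_to, endpoint):
    """Match return_to against one RP endpoint URL, treated as a realm."""
    r, e = _parts(return_to), _parts(endpoint)
    if r is None or e is None:
        return False
    if e[1].startswith("*."):  # endpoint URLs MUST NOT contain a domain wildcard
        return False
    return r[:3] == e[:3] and _path_within(r[3], e[3])

def verify_return_to(return_to, endpoints):
    """True if return_to matches any endpoint listed in the RP's XRDS document."""
    return any(matches_endpoint(return_to, e) for e in endpoints)

# Constructed sample: the single endpoint a blog would list in its XRDS document.
BLOG_ENDPOINTS = ["https://blog.example.com/"]

if __name__ == "__main__":
    for url in ("https://blog.example.com/2008/05/some-post?login=1",
                "http://blog.example.com/2008/05/some-post",
                "https://blog.example.com.evil.example.net/"):
        print(url, verify_return_to(url, BLOG_ENDPOINTS))
```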