<div dir="ltr">As James mentioned, Greg, the spec requires that you verify more than just the op_endpoint. In fact, four fields are listed in the table of section 11.2 that should be equal. And James, I think these four fields <i>should</i> be enough to narrow the endpoints down to just one. And even if they didn't, it might as well be, since all the significant data is the same.<br>
<br><div class="gmail_quote">On Tue, Jul 22, 2008 at 7:47 AM, James Tindall &lt;<a href="mailto:james@atomless.com">james@atomless.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Thanks Greg,<br>
<br>
I think you're right - but it's possible that more than one endpoint in<br>
the xrds has the same op_endpoint as that supplied in the response - so<br>
it would be necessary to also compare other fields to select the best<br>
matching endpoint. This is making OpenID kind of a protracted process.<br>
<font color="#888888"><br>
=james.tindall<br>
</font><div><div></div><div class="Wj3C7c"><br>
Greg Byrd wrote:<br>
> (1) Section 11.2 says that RP must perform discovery "[i]f the Claimed<br>
> Identifier was not previously discovered." So I think you don't need<br>
> to do that second discovery step in your email. But you said<br>
> stateless mode, so maybe you don't remember that you discovered the ID<br>
> in the first place, so...<br>
><br>
> (2) The op_endpoint field is returned in id_res, so the verification<br>
> should just check whether any of the OPs returned from discovery match<br>
> the supplied op_endpoint.<br>
><br>
> ...Greg<br>
><br>
><br>
> James Tindall wrote:<br>
>> Suppose a relying party is operating under stateless mode. Suppose<br>
>> also that the discovery phase for the given claimed_id returned more<br>
>> than one endpoint. Then suppose that association attempts failed on<br>
>> at least one of the endpoints but then succeeded on one of the other<br>
>> endpoints further down the priority order. Then upon receiving the<br>
>> authentication (id_res) response from the chosen OP the RP must<br>
>> perform discovery on the claimed_id contained in the response in<br>
>> order to be able to verify the response data against discovered data.<br>
>> But then if, as is probable, the discovery phase again returns more<br>
>> than one endpoint, how is the RP to choose which one to verify the<br>
>> response data against?<br>
>><br>
>> =james.tindall<br>
>><br>
>><br>
>> _______________________________________________<br>
>> general mailing list<br>
>> <a href="mailto:general@openid.net">general@openid.net</a><br>
>> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div>
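<p>The four-field comparison from section 11.2 that the thread is arguing about, written out as an added example (this is not code from any of the posters, nor from an OpenID library). It parses an XRDS document, keeps every service as a candidate endpoint in priority order, and then keeps only the candidates that equal the id_res response on all four fields: Claimed Identifier, OP-Local Identifier, OP Endpoint URL and Protocol Version. The XRDS and the two responses are constructed sample data with hypothetical hostnames; the XRDS is deliberately built so that two services share the same op_endpoint (James's case) and differ only in protocol version, and rediscovery is modelled by a caller-supplied fetch function because the stateless RP in the thread has nothing cached.</p>

```python
"""Selecting the discovered endpoint an OpenID 2.0 id_res must be verified
against, per the table in Authentication 2.0 section 11.2.

Added example, not code from the mailing-list thread.  XRDS document,
responses and hostnames below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List
from urllib.parse import urldefrag

NS = {
    "xrds": "xri://$xrds",
    "xrd": "xri://$xrd*($v*2.0)",
    "openid": "http://openid.net/xmlns/1.0",
}
OPENID2_NS = "http://specs.openid.net/auth/2.0"
SIGNON_2_0 = "http://specs.openid.net/auth/2.0/signon"
SIGNON_1_1 = "http://openid.net/signon/1.1"
SIGNON_1_0 = "http://openid.net/signon/1.0"


@dataclass(frozen=True)
class Endpoint:
    claimed_id: str        # identifier discovery was performed on
    local_id: str          # OP-Local Identifier: LocalID/Delegate, else claimed_id
    op_endpoint: str       # OP Endpoint URL: the <URI> element
    types: FrozenSet[str]  # <Type> URIs, which carry the protocol version
    priority: int          # XRD priority: lower is preferred


def parse_xrds(xrds_text: str, claimed_id: str) -> List[Endpoint]:
    """One Endpoint per <Service>/<URI> pair, sorted by priority."""
    root = ET.fromstring(xrds_text)
    endpoints = []
    for svc in root.iterfind(".//xrd:Service", NS):
        types = frozenset(t.text.strip() for t in svc.findall("xrd:Type", NS))
        local = svc.find("xrd:LocalID", NS)          # OpenID 2.0 element
        if local is None:
            local = svc.find("openid:Delegate", NS)  # OpenID 1.x element
        local_id = local.text.strip() if local is not None else claimed_id
        prio = svc.get("priority")
        priority = int(prio) if prio is not None else 2**31  # absent = last
        for uri in svc.findall("xrd:URI", NS):
            endpoints.append(Endpoint(claimed_id, local_id, uri.text.strip(), types, priority))
    return sorted(endpoints, key=lambda e: e.priority)


def expected_types(response):
    """Type URIs consistent with the Protocol Version of the response (openid.ns)."""
    if response.get("openid.ns") == OPENID2_NS:
        return {SIGNON_2_0}
    return {SIGNON_1_1, SIGNON_1_0}  # no openid.ns means a 1.x response


def matching_endpoints(response, endpoints):
    """Endpoints equal to the response on all four section 11.2 fields."""
    claimed_id = urldefrag(response["openid.claimed_id"])[0]  # fragment is not compared
    local_id = response.get("openid.identity", claimed_id)
    wanted = expected_types(response)
    return [
        e for e in endpoints
        if e.claimed_id == claimed_id
        and e.local_id == local_id
        and e.op_endpoint == response["openid.op_endpoint"]
        and e.types & wanted
    ]


def verify_discovered_information(response, fetch_xrds):
    """Stateless RP: rediscover from the claimed_id in the response, then filter.
    An empty result means the OP is not authorized to assert this identifier."""
    claimed_id = urldefrag(response["openid.claimed_id"])[0]
    return matching_endpoints(response, parse_xrds(fetch_xrds(claimed_id), claimed_id))


# Constructed XRDS: services 2 and 3 share op_endpoint and local id, so the
# op_endpoint alone cannot pick one; the protocol version does.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
           xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-a.example/server</URI>
      <LocalID>https://op-a.example/users/james</LocalID>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-b.example/server</URI>
      <LocalID>https://op-b.example/james</LocalID>
    </Service>
    <Service priority="30">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://op-b.example/server</URI>
      <openid:Delegate>https://op-b.example/james</openid:Delegate>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed id_res responses (as the RP sees them after the indirect redirect).
GOOD_RESPONSE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op-b.example/server",
    "openid.claimed_id": "https://james.example/#fragment-added-by-op",
    "openid.identity": "https://op-b.example/james",
}
BAD_RESPONSE = {**GOOD_RESPONSE, "openid.identity": "https://op-b.example/someone-else"}

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        hits = verify_discovered_information(resp, lambda url: SAMPLE_XRDS)
        print(label, "->", [(e.op_endpoint, sorted(e.types)) for e in hits])
```

<p>With the sample data, two of the three discovered endpoints carry the response's op_endpoint, but only the priority-20 service also agrees on identity and on the 2.0 protocol version, so the good response resolves to exactly one endpoint; changing openid.identity leaves no match, and an RP should then reject the assertion rather than fall back to the first endpoint with the right URL.</p>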