Well, it's not that the original request URI sent to the OP doesn't matter at all -- it's just not entirely reliable. The OP can use it either as a mandatory "the user must fulfill X or fail" or it can just take it as a suggestion. If a user at an OP controls X, Y, and Z, then an incoming request from an RP might ask for Y, and the OP can use that as a hint to send an assertion for Y.<div>
<br></div><div>Another useful application of an OP just using it as a suggestion is what <a href="http://live-int.com">live-int.com</a> (MSFT's Live ID OpenID test OP) does to normalize identifiers. Since identifiers are case sensitive (do you hear <a href="http://blog.nerdbank.net/2008/07/case-for-case-sensitive-openid-url.html">that</a>, RPs?!), if the user types in a user-supplied identifier to an RP that needs to be normalized to proper case, http->https, etc., the OP can choose to send an assertion for the normalized identifier instead of (or in addition to) using redirects to normalize. If I try to log in as <a href="http://live-int.com/AARNOTT">live-int.com/AARNOTT</a>, for example, rather than redirect to <a href="http://live-int.com/aarnott">live-int.com/aarnott</a>, which might give away that it is a valid account to a scraper, <a href="http://live-int.com">live-int.com</a> doesn't use redirects. It just waits for an RP to request auth for <a href="http://live-int.com/AARNOTT">live-int.com/AARNOTT</a>, and then the OP authenticates me, and sends an assertion for <a href="http://live-int.com/aarnott">live-int.com/aarnott</a> instead. That way the RP sees me as the same person with each return visit, whether I type in aarnott, AARNOTT, Aarnott, or just <a href="http://live-int.com">live-int.com</a>.</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Mon, Jan 12, 2009 at 10:24 PM, Lachlan Hardy <span dir="ltr"><<a href="mailto:lachlan.hardy@gmail.com">lachlan.hardy@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br><div class="gmail_quote"><div class="Ih2E3d"><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex"><div>
For instance, a user might try to log in as X. The OP might decide "you're not X, but you can log in as Y if you want". The user can say "sure", and then the OP sends an assertion for Y. That's legal (per my reading of the spec), and the RP would be wrong to assume that since it asked for X and got Y that that was "good enough".</div>
</blockquote></div><div><br>Which is precisely Ben's point. That's what Yahoo! does. <br><br>I give Ben's RP 'my' URL as <a href="http://flickr.com/photos/billgates" target="_blank">http://flickr.com/photos/billgates</a> and it sends me off to Yahoo!<br>
Yahoo! say, well, you're not Bill Gates but you can log in as Lachlan Hardy, so I do.<br>Then Yahoo! sends off a successful response to Ben with one of the OpenID URLs I have with them.<br><br>That's what happens right, Ben?<br>
<br>I'm guessing this really is according to spec, but I'm struggling with the sense of it. What it really means is that the URL provided by the RP to the OP is irrelevant. It might as well not exist. (Is that how those 'login with Yahoo!' buttons work?)<br>
<br>It kind of solves all those issues folks have with "but my users won't remember their identity URL", but seems to cut out what I consider a major part of the functionality of OpenID. <br><br>When I validate a user's identity URL, I *often* want to know that it *is* their specific URL.<br>
<br>What's the reasoning for this and is there a workaround?<br><br>Lachlan Hardy<br><br><br></div></div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br></div>
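<div>As an added example that is not part of this thread or of any OpenID library, the RP-side handling of the case both messages describe: the OP asserts a claimed_id different from the one the user typed (a case-normalized identifier, a different account chosen at the OP, or an OP identifier resolved to a personal one). The check is the one OpenID 2.0 section 11.2 asks for, re-discovery on the asserted identifier, plus the RP's own policy on whether a substituted identifier is acceptable. The discovery table, the OP endpoint URLs and the second flickr identifier are constructed stand-ins; a real RP performs Yadis/HTML discovery over HTTP. The assertion's signature is assumed to have been verified already.</div>

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for Yadis/HTML discovery. A real RP fetches the claimed
# identifier URL and reads the authorized OP endpoint from it; the endpoint URLs
# and the "lachlan" identifier below are invented for this example.
DISCOVERY_TABLE = {
    "http://live-int.com/aarnott": "https://op-a.example/auth",
    "http://live-int.com/": "https://op-a.example/auth",  # OP identifier, directed identity
    "http://flickr.com/photos/billgates": "https://op-b.example/auth",
    "http://flickr.com/photos/lachlan": "https://op-b.example/auth",
}


def normalize(identifier: str) -> str:
    """RFC 3986-style normalization as OpenID 2.0 section 7.2 requires of RPs:
    add a scheme if missing, lower-case scheme and host, default an empty path
    to "/", strip the fragment. The path is left untouched: identifiers are
    case-sensitive, so /AARNOTT and /aarnott remain different identifiers."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/", parts.query, ""))


def discover(claimed_id: str) -> Optional[str]:
    """Return the OP endpoint authorized to assert claimed_id, or None."""
    return DISCOVERY_TABLE.get(claimed_id)


@dataclass
class Verdict:
    accepted: bool
    identity: Optional[str]   # the identifier the RP should key its session on
    reason: str


def accept_assertion(requested_id: str, response: dict,
                     require_same_identifier: bool = False) -> Verdict:
    """Decide whether a positive assertion may be trusted, and for which identity.

    requested_id: what the user typed at the RP.
    response: the openid.* fields of the positive assertion (signature already checked).
    require_same_identifier: RP policy for "I want to know it IS their specific URL".
    """
    requested = normalize(requested_id)
    asserted = normalize(response["openid.claimed_id"])
    op_endpoint = response["openid.op_endpoint"]

    # Step 1: verify the asserted identifier, not the requested one. The OP that
    # signed the response must be the one discovery on the asserted claimed_id
    # yields; otherwise any OP could assert any identifier it likes.
    authorized = discover(asserted)
    if authorized is None:
        return Verdict(False, None, "discovery on asserted identifier failed")
    if authorized != op_endpoint:
        return Verdict(False, None, "op_endpoint is not authorized for asserted identifier")

    # Step 2: RP policy. A substituted identifier is legal per spec; whether it is
    # acceptable depends on what the RP needs the identifier for.
    if asserted != requested:
        if require_same_identifier:
            return Verdict(False, None, "OP asserted a different identifier than requested")
        return Verdict(True, asserted, "accepted substituted identifier after re-discovery")
    return Verdict(True, asserted, "accepted requested identifier")
```

<div>The session is keyed on the asserted, normalized claimed_id, so a user who types aarnott, AARNOTT or just live-int.com is recognized as the same account once the OP has normalized for them, while a response from op-b claiming a live-int.com identifier is rejected at step 1 regardless of policy.</div>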