Hi George,<br><br>Just some terminology refinements for you:<br><br>The identifier entered by the user is called the "User-supplied identifier", which may be a URI or an XRI.<br>After discovery/resolving you get the "Claimed Identifier" which may be a URI or an i-number and an OP Local Identifier.<br>
The positive assertion still contains a Claimed Identifier and OP Local Identifier, but they may not be the same ones as the ones sent in the request, as you point out.<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Mon, Jun 22, 2009 at 8:44 AM, George Fletcher <span dir="ltr"><<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Isn't one of the underlying issues the fact that there are really 3 identifiers in this scenario?<br>
1. the identifier entered by the user (claimed_id or i-name)<br>
2. the discovered/resolved identifier ("local_id" or "i-number")<br>
3. the identifier returned by the OP<br>
<br>
In the case of OpenID 2.0 protocol flow, the RP has to remember #1 and send #2 as the openid.identity parameter. If the OP does NOT return openid.identity == #2, then the OP has chosen to do directed identity regardless of the request and the RP must throw out #1 and take #3 as the user's identifier.<br>
<br>
This causes some weird user experience issues, but this is what we ran into when implementing OpenID 2.0 Relying Party support.<br>
<br>
Thanks,<br>
George<br>
<br>
Andrew Arnott wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">
In my opinion and/or experience...<br>
<br>
Whether you use XRDS or HTML tags has nothing to do with getting Yahoo working with delegation. Only the RP cares about how you set up the delegation. So if Yahoo is not honoring the delegated identifier then either Yahoo is broken, or the RP is not performing discovery correctly. If using XRDS fixes it, then the problem was at the RP rather than Yahoo!<br>
<br>
I just tested it, and Yahoo treats a delegated checkid_setup as a directed identity request regardless of what the openid.claimed_id value is. <br>
Google doesn't support delegation at all. Some concern about asserting an Identifier it has no control over..., and then there's the fact that you have no local_id to use except an arbitrarily picked anonymous identifier they assigned to you for a particular RP, which doesn't work when passed as a local_id.<br>
<br>
So yes, delegation is a great OpenID feature to be able to switch Providers without changing your identity. But you'll have to pick OPs other than Google and Yahoo.<br>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br>
<br></div><div class="im">
On Sun, Jun 21, 2009 at 4:54 PM, Peter Williams <<a href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>> wrote:<br>
<br>
Try using the X-XRDS-... trick, for use by YADIS. All the metadata<br>
is in the XRD instead, as located by the X-XRDS-... header.<br>
<br>
We had it working last week with Yahoo (but not with Google), when<br>
we used XRD file.<br>
<br>
With Yahoo, it didn't seem to matter what you put in the Service's<br>
LocalID - which makes sense if you think about the semantics of<br>
LocalID. But, in the context of openid discovery, I THOUGHT (given<br>
the UCI security model) citation of localID in a vanity XRD was<br>
supposed to REQUIRE Yahoo (the OP) to use the directed id of the<br>
user's choice (assuming there are several)!<br>
<br>
If someone can, please point to a public, working trial of<br>
delegating to Google Accounts OP. It's an important milestone for<br>
openid - when vanity XRDs are properly handled by all the major<br>
OPs, including Facebook, Google etc. We know openid is balancing<br>
commercial and personal interests then. A technology that (a)<br>
works in practice, and (b) somehow balances such contrary<br>
interests is, of course, a world beater (like SSL!)<br>
<br>
________________________________________<br>
From: <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a><br></div>
[<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] On Behalf Of Tom Edwards<br>
[<a href="mailto:t_edwards@btinternet.com" target="_blank">t_edwards@btinternet.com</a>]<div class="im"><br>
Sent: Sunday, June 21, 2009 3:21 PM<br></div>
To: <a href="mailto:general@openid.net" target="_blank">general@openid.net</a><div class="im"><br>
Subject: [OpenID] Delegation leading to new accounts on websites<br>
<br>
My personal OpenID server broke a while back, and I've decided this<br>
evening to start delegating in order to continue using my personal URL<br>
(<<a href="http://steamreview.org" target="_blank">http://steamreview.org</a>>). This is the code now in my page header:<br>
> <link rel="openid.delegate openid2.local_id"<br>
> href="<a href="http://www.flickr.com/photos/varsity/" target="_blank">http://www.flickr.com/photos/varsity/</a>" /><br>
> <link rel="openid.server openid2.provider"<br>
> href="<a href="https://open.login.yahooapis.com/openid/op/auth" target="_blank">https://open.login.yahooapis.com/openid/op/auth</a>" /><br>
But when I login to the sites I used my openid on before it broke<br>
(I've<br>
tried Get Satisfaction and Userstyles.org so far), they don't<br>
recognise<br>
me as a pre-existing user. They think I'm<br>
<a href="http://www.flickr.com/photos/varsity/" target="_blank">www.flickr.com/photos/varsity/</a>,<br></div>
whereas I actually still want to be<br>
<a href="http://steamreview.org" target="_blank">steamreview.org</a>.<div class="im"><br>
<br>
Is this intended behaviour? I thought the point of delegation was to<br>
allow people to switch providers without changing consumer-facing<br>
identity.<br>
<br>
_______________________________________________<br>
general mailing list<br></div>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><div class="im"><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div>
<div class="im"><br>
<br>
</div></blockquote>
</blockquote></div><br>
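As an added example, not code from this thread or from any OP or RP it names, here is how an OpenID 2.0 Relying Party can handle the three identifiers George lists and Andrew refines, using Tom's delegation markup as constructed sample data: HTML-based discovery, building the checkid_setup request, and deciding which identifier to keep when the OP answers with directed identity instead of honouring the delegation. The fetch callback, the return_to URL and the assertion dictionaries are assumptions; signature and return_to verification are left out.

```python
from html.parser import HTMLParser

OPENID_NS = "http://specs.openid.net/auth/2.0"

class _LinkParser(HTMLParser):
    """Collect rel -> href from <link> tags (HTML-based discovery)."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links[rel] = a.get("href")

def discover(html):
    """Return (op_endpoint, local_id) from an identifier page; local_id may be None."""
    p = _LinkParser()
    p.feed(html)
    return p.links.get("openid2.provider"), p.links.get("openid2.local_id")

def build_request(user_supplied, html, return_to):
    """#1 (user-supplied URL) -> openid.claimed_id; #2 (delegated local_id) -> openid.identity."""
    endpoint, local_id = discover(html)
    if endpoint is None:
        raise ValueError("no openid2.provider link found for " + user_supplied)
    return endpoint, {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
                      "openid.claimed_id": user_supplied,
                      "openid.identity": local_id or user_supplied,
                      "openid.return_to": return_to}

def resolve_user(endpoint, request, response, fetch):
    """Pick the identifier to record for this login (signature checks omitted).
    If the OP echoed the requested claimed_id and identity, keep #1. Otherwise
    the OP chose directed identity: drop #1, take the returned claimed_id (#3)
    and re-discover it, so only an OP that identifier really delegates to can
    assert it (OpenID 2.0 spec, section 11.2). fetch(url) returns page HTML
    and is an assumed callback, constructed in the caller.
    """
    if response.get("openid.op_endpoint") != endpoint:
        raise ValueError("assertion is not from the discovered OP endpoint")
    if all(response.get(k) == request[k]
           for k in ("openid.claimed_id", "openid.identity")):
        return request["openid.claimed_id"]
    claimed = response["openid.claimed_id"]
    found_ep, found_local = discover(fetch(claimed))
    if found_ep != endpoint or (found_local or claimed) != response["openid.identity"]:
        raise ValueError("returned claimed_id does not delegate to this OP")
    return claimed
```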