Thanks, Peter.  Responses inline.<br clear="all">--<br>Andrew Arnott<br>&quot;I [may] not agree with what you have to say, but I&#39;ll defend to the death your right to say it.&quot; - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Sun, Nov 1, 2009 at 7:18 AM, Peter Williams <span dir="ltr">&lt;<a href="mailto:home_pw@msn.com">home_pw@msn.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">










<div lang="EN-US" link="blue" vlink="purple">

<div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">The mechanisms for parallel account linking are all there (as
advertised). They work in practice with infocard (I only tested the personal card
variety.)</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">I used a personal infocard to signin. One “token” is
displayed on profile page. Presumably, this is the representation of the old
SAML1 token communicated to the RP in original infocard signaling design.</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">On the profile page, I bound a second infocard to the RP account
using the infocard button on the PROFILE page. Second “token” is
added to list of tokens. This showcases the desired parallel account linking.</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Since there is an infocard button (which invokes the card
selector assigned to the per-USER profile page), I was wondering why there
would NOT be an openid selector button. You see now how I got to asking: why not
a similar openid selector?</span></p></div></div></div></blockquote><div>Putting an InfoCard selector button next to an OpenID selector button would <i>not</i> be consistent with the UI the user saw during login, where the InfoCard selector was side-by-side with the several other buttons that make up the &quot;openid+infocard&quot; selector that they saw during login.</div>

<div><br></div><div>Perhaps just a simple &quot;bind another login token&quot; button that brings up the original selector is best, since it will resemble what the user logged in with most closely.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">

<div lang="EN-US" link="blue" vlink="purple"><div><div>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Anyways, there is no such selector. But, in compensation, I entered
<a href="http://yahoo.com" target="_blank">yahoo.com</a> in the openid text  box playing its role, which seems to test
for metadata availability before presenting a login button. This seems to be
some kind of composite, server-side user control. Presumably, in the era of
host-meta, this control’s initializer would do the google-dance to ensure
an app-domain has cloud endpoints that the RP trusts to speak for that domain. Errors
in handling that trust or having user compensate for such issues would be handled
within this control’s UI.</span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">So I then used the login button on the openid user control,
which induced yahoo to present content in a signin frame (where the yahoo site
appeared to detect interoperability issues on the url passing over control [see
below], and which appeared to present a yahoo-originated error report). A trial
with myopenid produced similar interoperability failure results (it hangs on
the myopenid site, apparently).</span></p></div></div></div></blockquote><div><br></div><div>Thanks for pointing out the missing RP discovery endpoint that Yahoo reported.  I forgot about that page.  I haven&#39;t had any problem with the myopenid hang you described.  Does it happen repeatedly for you?  And what &quot;hangs&quot; exactly?</div>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div lang="EN-US" link="blue" vlink="purple"><div><div>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">The logout button seems tied to the attempted interworking with
yahoo. This seems to imply you may have a mental model that the “last”
openid/card bound to the account (even from a profile management page) will be
the one that binds to the logout button of the entire site. This begs the question
Nate is famous for posing: is the user's mental model of logout on any given IDP
site consistent with actual state.</span></p></div></div></div></blockquote><div>The logout button doesn&#39;t &quot;bind&quot; to any openid/card at all.  It just clears the user&#39;s auth ticket cookie with that RP.   </div>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div lang="EN-US" link="blue" vlink="purple"><div><div><p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>



<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"><a href="https://open.login.yahooapis.com/openid/op/auth?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&amp;openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&amp;openid.assoc_handle=IKXoaIrmjUUWMyiC1hzVBt8gQCcGvaDi8.7GXaLI9azVaqB3HAIj19Rudo_o867PIEpkR3QQpYZyTp1pLJ1ksLUHETO724R57Rrx5i47FBkqbqKBpUVu9wEGSqEq2FDVL3w0Kg--&amp;openid.return_to=http%3A%2F%2Fopenidux.dotnetopenauth.net%2FMembers%2FAccountInfo.aspx%3Fdnoa.uipopup%3D1%26dnoa.popupUISupported%3D1%26dnoa.UsePersistentCookie%3DSession%26dnoa.receiver%3Dctl00_Body_openIdBox%26index%3D0%26dnoa.userSuppliedIdentifier%3Dyahoo.com%26dnoa.op_endpoint%3Dhttps%253A%252F%252Fopen.login.yahooapis.com%252Fopenid%252Fop%252Fauth%26dnoa.claimed_id%3D&amp;openid.realm=http%3A%2F%2Fopenidux.dotnetopenauth.net%2F&amp;openid.mode=checkid_setup&amp;openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&amp;openid.ns.alias3=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&amp;openid.alias3.lang=en-US&amp;openid.alias3.mode=popup" 
target="_blank">https://open.login.yahooapis.com/openid/op/auth?openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&amp;openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&amp;openid.assoc_handle=IKXoaIrmjUUWMyiC1hzVBt8gQCcGvaDi8.7GXaLI9azVaqB3HAIj19Rudo_o867PIEpkR3QQpYZyTp1pLJ1ksLUHETO724R57Rrx5i47FBkqbqKBpUVu9wEGSqEq2FDVL3w0Kg--&amp;openid.return_to=http%3A%2F%2Fopenidux.dotnetopenauth.net%2FMembers%2FAccountInfo.aspx%3Fdnoa.uipopup%3D1%26dnoa.popupUISupported%3D1%26dnoa.UsePersistentCookie%3DSession%26dnoa.receiver%3Dctl00_Body_openIdBox%26index%3D0%26dnoa.userSuppliedIdentifier%3Dyahoo.com%26dnoa.op_endpoint%3Dhttps%253A%252F%252Fopen.login.yahooapis.com%252Fopenid%252Fop%252Fauth%26dnoa.claimed_id%3D&amp;openid.realm=http%3A%2F%2Fopenidux.dotnetopenauth.net%2F&amp;openid.mode=checkid_setup&amp;openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&amp;openid.ns.alias3=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&amp;openid.alias3.lang=en-US&amp;openid.alias3.mode=popup</a></span></p>



<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>

</div>

</div>

</div>


</blockquote></div><br>
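Added example, not part of the thread and not DotNetOpenAuth or Yahoo code: a sketch of the two checks an OpenID 2.0 provider can run on a request like the one quoted above, realm matching of `return_to` (section 9.2 of the spec) and RP discovery of advertised `return_to` URIs. The function names, the trimmed request and the XRDS document are constructed for illustration; only the realm and the `return_to` host and path come from the URL in the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD = "{xri://$xrd*($v*2.0)}"  # XRD namespace used in Yadis/XRDS documents

def _origin(parts):
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return parts.scheme, port, (parts.hostname or "").lower()

def matches_realm(url, realm):
    """OpenID 2.0 section 9.2 realm matching: scheme, port, domain, path."""
    u, r = urlsplit(url), urlsplit(realm)
    (us, up, uh), (rs, rp, rh) = _origin(u), _origin(r)
    if r.fragment or (us, up) != (rs, rp):
        return False
    # A "*." realm matches the bare domain or a subdomain on a label boundary.
    host_ok = (uh == rh[2:] or uh.endswith(rh[1:])) if rh.startswith("*.") else uh == rh
    upath, rpath = u.path or "/", r.path or "/"
    return host_ok and (upath == rpath or upath.startswith(rpath.rstrip("/") + "/"))

def discovered_return_tos(xrds_text):
    # Constructed input only; parse untrusted XML with a hardened parser.
    uris = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD + "Type") if t.text]
        if RETURN_TO_TYPE in types:
            uris += [e.text.strip() for e in svc.findall(XRD + "URI") if e.text]
    return uris

def check_request(auth_url, xrds_text=None):
    """xrds_text=None models an RP that publishes no discovery document."""
    q = parse_qs(urlsplit(auth_url).query)
    realm, return_to = q["openid.realm"][0], q["openid.return_to"][0]
    uris = discovered_return_tos(xrds_text) if xrds_text else []
    return {
        "realm_ok": matches_realm(return_to, realm),
        # Wildcards are not allowed in discovered return_to URIs.
        "rp_verified": any("*" not in x and matches_realm(return_to, x) for x in uris),
    }

# Constructed inputs: a trimmed request and a sample XRDS for the same RP.
SAMPLE_REQUEST = "https://open.login.yahooapis.com/openid/op/auth?" + urlencode({
    "openid.realm": "http://openidux.dotnetopenauth.net/",
    "openid.return_to": "http://openidux.dotnetopenauth.net/Members/AccountInfo.aspx?dnoa.uipopup=1",
})
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD><Service>
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>http://openidux.dotnetopenauth.net/Members/AccountInfo.aspx</URI>
</Service></XRD></xrds:XRDS>"""
```

Calling `check_request(SAMPLE_REQUEST)` with no XRDS gives a request whose realm is valid but whose RP cannot be verified; passing `SAMPLE_XRDS` makes both checks pass.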