[security] Validating openid.identity in authentication responses
Bradescu, Roxana
rbradescu at verisign.com
Fri Nov 16 19:29:44 UTC 2007
Well yes and no I think. An RP has to know whether the OpenID entered in
the login box contains an identifier or not in order to discover the
correct OP, so it is really an RP issue.
If a user just enters x.y.z.com, how does the RP know whether x is the
identifier and y.z.com the OP address, or whether x.y.z.com is just the OP
address and the user will provide the identifier to the OP (as per the
use case David brought up)?
Though you are right: if the OP controls y.z.com they can do the
appropriate redirect to x.y.z.com regardless of how the RP interprets
the OpenID provided. Unfortunately not all OPs support this, so as far
as users go they will have an inconsistent experience.
BTW not all OPs support providing one identifier to the RP but then
logging into the OP with a different identifier (the user "changes their
mind" case Johnny brought up, which makes a lot of sense imo, especially
if say the user just had a typo they were not even aware of).
Maybe the next OpenID interop should really be about user experience...
Roxana Bradescu | VeriSign Innovation
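The question raised above (is the string the user typed a claimed identifier, or just the address of an OP?) is what OpenID 2.0 discovery is meant to answer, and the same discovered data is what an RP has to check the response's openid.claimed_id / openid.identity / openid.op_endpoint against before trusting it. The Python sketch below is an added example, not code from this thread or from any OpenID library: the hosts y.z.com, x.y.z.com and victim.example, the XRDS documents and the sample responses are constructed for the example, while the service type URIs and the identifier_select value are the real OpenID 2.0 ones. Signature verification is left out to keep the focus on the identity checks.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# OpenID 2.0 service types and the identifier_select sentinel (real spec values).
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"
CLAIMED_ID_TYPE = "http://specs.openid.net/auth/2.0/signon"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed XRDS documents standing in for Yadis discovery over the network.
# All hosts are hypothetical, following the thread's x.y.z.com example.
FAKE_XRDS = {
    # The bare OP: an OP Identifier, so the RP has to use identifier_select.
    "http://y.z.com/": f"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}"><XRD>
      <Service><Type>{OP_IDENTIFIER_TYPE}</Type><URI>http://y.z.com/openid</URI></Service>
    </XRD></xrds:XRDS>""",
    # A user's Claimed Identifier served by that OP, with an OP-Local Identifier.
    "http://x.y.z.com/": f"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}"><XRD>
      <Service><Type>{CLAIMED_ID_TYPE}</Type><URI>http://y.z.com/openid</URI>
      <LocalID>http://y.z.com/users/x</LocalID></Service>
    </XRD></xrds:XRDS>""",
    # A Claimed Identifier whose authoritative OP is a different one entirely.
    "http://victim.example/": f"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}"><XRD>
      <Service><Type>{CLAIMED_ID_TYPE}</Type><URI>http://other-op.example/openid</URI></Service>
    </XRD></xrds:XRDS>""",
}


def normalize(user_input):
    """OpenID 2.0 section 7.2 normalization for URL identifiers (XRIs not handled)."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    p = urlsplit(s)
    # Lowercase scheme and host, default the path to "/", drop any fragment.
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def discover(identifier):
    """Return (op_endpoint, claimed_id, op_local_id) from the identifier's XRDS.

    The XRDS service type is what tells the RP whether the user named an OP
    (directed identity) or a specific claimed identifier.
    """
    xml = FAKE_XRDS.get(identifier)  # a real RP would fetch this over HTTP
    if xml is None:
        raise LookupError(f"no XRDS for {identifier}")
    ns = {"xrd": XRD_NS}
    for svc in ET.fromstring(xml).iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall("xrd:Type", ns)}
        endpoint = svc.find("xrd:URI", ns).text.strip()
        if OP_IDENTIFIER_TYPE in types:
            # Only the OP was named: the user picks the identity at the OP.
            return endpoint, IDENTIFIER_SELECT, IDENTIFIER_SELECT
        if CLAIMED_ID_TYPE in types:
            local = svc.find("xrd:LocalID", ns)
            local_id = local.text.strip() if local is not None else identifier
            return endpoint, identifier, local_id
    raise LookupError(f"no OpenID 2.0 service for {identifier}")


def verify_response(discovered, response):
    """Check the assertion's identifiers against discovery (OpenID 2.0 section 11.2)."""
    endpoint, claimed_id, local_id = discovered
    if response.get("openid.op_endpoint") != endpoint:
        return False  # assertion did not come from the OP we discovered
    if claimed_id == IDENTIFIER_SELECT:
        # Directed identity: the OP chose the identifier, so re-discover it and
        # confirm that the OP which answered is actually authoritative for it.
        asserted = normalize(response.get("openid.claimed_id", ""))
        try:
            endpoint2, claimed2, local2 = discover(asserted)
        except LookupError:
            return False
        return (endpoint2 == endpoint and claimed2 == asserted
                and local2 == response.get("openid.identity"))
    # Non-directed case: both identifiers must be exactly what discovery produced.
    return (response.get("openid.claimed_id") == claimed_id
            and response.get("openid.identity") == local_id)


def rp_login(user_input, response):
    """Simulate the RP side: normalize the typed OpenID, discover, validate the response."""
    return verify_response(discover(normalize(user_input)), response)


if __name__ == "__main__":
    ok = {"openid.op_endpoint": "http://y.z.com/openid",
          "openid.claimed_id": "http://x.y.z.com/",
          "openid.identity": "http://y.z.com/users/x"}
    print("typed x.y.z.com:", rp_login("x.y.z.com", ok))   # True
    print("typed y.z.com:", rp_login("y.z.com", ok))       # True (directed identity)
```

Typing x.y.z.com and typing y.z.com both end up accepting the same assertion, but by different routes: in the first case discovery already pinned the claimed identifier and OP-local identifier, so the response must match them exactly; in the second the RP sent identifier_select and only learns the identifier from the response, so it must re-run discovery on the asserted claimed_id and refuse the assertion if a different OP endpoint turns out to be authoritative for it. That re-discovery step is what stops an OP from asserting identifiers it does not control.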
-----Original Message-----
From: Dick Hardt [mailto:dick at sxip.com]
Sent: Friday, November 16, 2007 11:12 AM
To: Bradescu, Roxana
Cc: Johnny Bufu; security at openid.net; david at sixapart.com
Subject: Re: [security] Validating openid.identity in
authentication responses
Note that it is primarily a limit of the OP, in which case the user does
the same thing all the time as they are using the same OP everywhere.
-- Dick
On 16-Nov-07, at 11:07 AM, Bradescu, Roxana wrote:
> It's unfortunate that users have to know which version of the protocol
> sites are running to know what they can type into the login box.
>
> Roxana Bradescu | VeriSign Innovation
>
>
> -----Original Message-----
> From: Johnny Bufu [mailto:johnny at sxip.com]
> Sent: Friday, November 16, 2007 10:07 AM
> To: Bradescu, Roxana
> Cc: david at sixapart.com; Trevor Johns; security at openid.net
> Subject: Re: [security] Validating openid.identity in
> authentication responses
>
>
> On 16-Nov-07, at 9:39 AM, Bradescu, Roxana wrote:
>> David, I've noticed the use case you describe doesn't actually work
>> at many RPs. For example if I go to livejournal.com and just put in
>> my IDP pip.verisignlabs.com I get an error.
>
> Directed identity is a 2.0 feature, while livejournal seems to be
> speaking only 1.x.
>
>
> Johnny
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
>