[Openid-specs-ab] Claimed user identifiers
John Bradley
ve7jtb at ve7jtb.com
Mon Apr 11 21:43:01 UTC 2011
Looking at breno's doc.
The claimed user identifier or canonical id seems to be a string.
The string is a local identifier for the user in the scope of the IdP.
That is what Facebook Login and the Connect proposal have.
If that is what we are going forward with, what is the identifier for the IdP that the RP uses to scope the ID?
We don't really want to use an endpoint URI, because that prevents that URI from being changed in the future.
If we use the domain name, that may prevent people from running multiple IdPs on the same host. (probably the better of the two options)
With Facebook Login the scope is all of Facebook, so that wasn't a problem.
Do we need to establish an IdP identifier at registration time as a possible third option?
The other thing that was discussed was to return a URI as the identifier; however, that would require some sort of pattern match on the host or an extra discovery step.
I suspect that using the host name from the user-info endpoint as the scope of the identifier may be the simplest, though the RP needs to keep it as a two-part identifier.
Thoughts?
John B.