[Openid-specs-ab] Ad-hoc conversation about i-names and OpenID Connect Migration 29-Aug-14
Michael Schwartz
mike at gluu.org
Wed Sep 3 13:46:02 UTC 2014
Nat,
If Markus is ok with the changes, then I'm ok with it. Does it align
with XRI as currently conceived by Respect Networks?
- Mike
-------------------------------------
Michael Schwartz
CEO Gluu
> Message: 2
> Date: Wed, 3 Sep 2014 12:39:23 +0900
> From: Nat Sakimura <n-sakimura at nri.co.jp>
> To: Mike Jones <Michael.Jones at microsoft.com>, Markus Sabadello
> <markus.sabadello at gmail.com>
> Cc: "openid-specs-ab at lists.openid.net"
> <openid-specs-ab at lists.openid.net>
> Subject: Re: [Openid-specs-ab] Ad-hoc conversation about i-names and
> OpenID Connect Migration 29-Aug-14
> Message-ID: <20140903123923.24425e3f1a08a945e78af87a at nri.co.jp>
> Content-Type: text/plain; charset=US-ASCII
>
> For what it is worth, unlike what I had hoped for, XRI would need special
> casing.
>
> Also, whether xri.net would support this spec is unclear.
>
> Best compromise that I can think of right now is to use the forwarding
> service of XRI.
>
> Forwarding service is a service that XRI providers need to implement.
> You can create a node under your XRI to point to another location.
>
> For example, I can define
>
> =nat/(+contact)
>
> to forward it to a contact page of my choice.
>
> Similarly, I could create
>
> =nat/(+openid_iss)
>
> and map it to any page.
>
> For example, if my OpenID Connect issuer is https://example.com/
> then I can define =nat/(+openid_iss) to map to https://example.com/.
>
> It works this way.
>
> 1) The client sends a request to https://xri.net/=nat/(+openid_iss).
> 2) The host xri.net responds with a 302 redirect to, for example,
> http://forwarding.fullxri.com/forwading/=nat/(+openid_iss)
> 3) The client sends a request to it.
> 4) The host replies with a 302 redirect to
> https://example.com/
> 5) The client requests https://example.com/.
> 6) The page returns 200 OK so the redirection sequence terminates here.
> 7) Now the client has found that https://example.com/ is the
> authoritative OpenID Connect issuer.
> 8) Match it to the value of "iss" in the ID Token.
>
> This should work with any XRI provider without xri.net doing something.
>
> Thoughts?
>
> Nat
>
>
>
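The redirect sequence in Nat's message above, as an added example that is not part of the original thread: it follows the 302 chain to the first 200 OK and compares the result with the ID Token "iss". The fetcher and its constructed response table are hypothetical stand-ins for real HTTP requests, and the `require_https` option, which rejects a chain containing a plain-http hop such as the forwarding URL in step 2, is an assumption not made in the proposal.

```python
from urllib.parse import urlsplit

# Constructed responses standing in for the network; they mirror steps 1-6.
CONSTRUCTED_HOPS = {
    "https://xri.net/=nat/(+openid_iss)":
        (302, "http://forwarding.fullxri.com/forwading/=nat/(+openid_iss)"),
    "http://forwarding.fullxri.com/forwading/=nat/(+openid_iss)":
        (302, "https://example.com/"),
    "https://example.com/": (200, None),
}


def constructed_fetch(url):
    """Hypothetical fetcher: one request, no auto-follow -> (status, Location)."""
    return CONSTRUCTED_HOPS[url]


def discover_issuer(xri, fetch=constructed_fetch, max_hops=5):
    """Follow 302s from https://xri.net/<xri>/(+openid_iss) until a 200 OK.

    Returns (issuer, chain, plaintext_hops); plaintext_hops lists every URL in
    the chain that was not fetched over https.
    """
    url = "https://xri.net/" + xri + "/(+openid_iss)"
    chain = []
    for _ in range(max_hops + 1):
        chain.append(url)
        status, location = fetch(url)
        if status == 200:  # step 6: the redirection sequence terminates here
            plaintext = [u for u in chain if urlsplit(u).scheme != "https"]
            return url, chain, plaintext
        if status != 302 or not location:
            raise ValueError(f"unexpected response {status} from {url}")
        if location in chain:
            raise ValueError("redirect loop")
        url = location
    raise ValueError("too many redirects")


def check_iss(xri, id_token_iss, fetch=constructed_fetch, require_https=False):
    """Step 8: compare the discovered issuer with the ID Token "iss" value."""
    issuer, _chain, plaintext = discover_issuer(xri, fetch)
    if require_https and plaintext:
        return False  # assumption: a non-https hop makes the result untrusted
    return issuer == id_token_iss  # exact string match, no normalisation
```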