openid.delegate explained.

Dick Hardt dick at sxip.com
Wed Oct 4 21:32:51 UTC 2006


On 4-Oct-06, at 1:27 PM, Martin Atkins wrote:

> Dick Hardt wrote:
>>
>> The RP needs to resolve the identifier to check who is authoritative
>> for it.
>>
>> If you create a mechanism for how to resolve who owns
>> "mailto:me at mydomain.com", then it works.
>>
>> That functionality is needed to prevent any IdP from being
>> authoritative for an arbitrary URI.
>>
>> -- Dick
>
> The public URI is still resolvable by the RP as is necessary.
>
> But the RP never uses the openid.delegate value; it simply passes it on
> to the IdP where the IdP can then do what it likes with it. In
> LiveJournal's case, it's simply a regex to see if it matches
> http://([a-z0-9\-]+).livejournal.com/, which could easily be
> mailto:([a-z0-9\-]+)@livejournal.com, or anything else.

My mistake. I forgot that there is the openid.server parameter in the
HTML at the public URI -- had thought that the server was discovered
from the openid.delegate.

So it does look like the openid.delegate can be any string the IdP
wants the user to put in there to uniquely identify the user, and
does not need to be resolvable.

-- Dick
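The flow the two messages above settle on, written out as an added example (this is not code from the thread, from LiveJournal, or from any OpenID library): the RP reads openid.server and openid.delegate from the HTML at the public URI, forwards the delegate string untouched as openid.identity, the IdP maps that string to a local user with a regex of its own choosing (a mailto: form works just as well as an http:// form, since the RP never resolves it), and on the way back the RP accepts the assertion only if the asserted identity is exactly the delegate it discovered at the public URI. That final comparison is what keeps an IdP from asserting an arbitrary URI. The claimed URL http://example.com/bob/, the HTML at it, the IdP endpoint http://idp.example/openid/server, the return_to URL and the logged-in user are all constructed for the example; the regexes follow Martin's patterns with the dots escaped. OpenID 1.x response signing and check_authentication are deliberately not modelled.

```python
"""Added example of OpenID 1.x delegation; not code from the thread or any
OpenID library.  All URLs, HTML and user names below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


class _LinkRelParser(HTMLParser):
    """Collect rel -> href for <link> tags in <head> (first occurrence wins)."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_body = True
        elif tag == "link" and not self._in_body:
            a = dict(attrs)
            href = a.get("href")
            for rel in (a.get("rel") or "").lower().split():
                if href and rel not in self.links:
                    self.links[rel] = href


def discover(html):
    """RP: parse the HTML at the public URI. Returns (server, delegate or None)."""
    p = _LinkRelParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link at claimed URL")
    return server, p.links.get("openid.delegate")


def build_checkid_request(claimed_url, html, return_to):
    """RP: discovery plus the redirect to the IdP. Returns (url, server, identity).
    The RP never interprets the delegate; it just forwards it as openid.identity."""
    server, delegate = discover(html)
    identity = delegate if delegate is not None else claimed_url
    query = urlencode({"openid.mode": "checkid_setup",
                       "openid.identity": identity,
                       "openid.return_to": return_to})
    return f"{server}?{query}", server, identity


# IdP: patterns after Martin's examples, dots escaped.  As written in the
# thread, "http://([a-z0-9\-]+).livejournal.com/" would also match
# "http://bob.livejournalXcom/".
LJ_URL_RE = re.compile(r"^http://([a-z0-9\-]+)\.livejournal\.com/$")
LJ_MAILTO_RE = re.compile(r"^mailto:([a-z0-9\-]+)@livejournal\.com$")


def idp_username_for(identity, patterns=(LJ_URL_RE, LJ_MAILTO_RE)):
    """IdP: which local user (if any) does this openid.identity string name?
    The string need not be resolvable; mailto: works as well as http://."""
    for pat in patterns:
        m = pat.match(identity)
        if m:
            return m.group(1)
    return None


def idp_handle_checkid(request_query, logged_in_user):
    """IdP: query string it sends to openid.return_to, or None if the requested
    identity does not name the logged-in user.  (Response signing omitted.)"""
    q = {k: v[0] for k, v in parse_qs(request_query).items()}
    if idp_username_for(q["openid.identity"]) != logged_in_user:
        return None
    return urlencode({"openid.mode": "id_res",
                      "openid.identity": q["openid.identity"],
                      "openid.return_to": q["openid.return_to"]})


def rp_accept_response(response_query, expected_identity):
    """RP: the asserted identity must equal the delegate discovered at the
    public URI.  (Signature / check_authentication verification omitted.)"""
    q = {k: v[0] for k, v in parse_qs(response_query).items()}
    return (q.get("openid.mode") == "id_res"
            and q.get("openid.identity") == expected_identity)


# Constructed public URI and the HTML served there.
CLAIMED_URL = "http://example.com/bob/"
PAGE = """<html><head>
<link rel="openid.server" href="http://idp.example/openid/server">
<link rel="openid.delegate" href="mailto:bob@livejournal.com">
</head><body>Bob's page</body></html>"""


def demo():
    redirect, _server, identity = build_checkid_request(
        CLAIMED_URL, PAGE, "http://rp.example/return")
    request_query = redirect.split("?", 1)[1]
    good = idp_handle_checkid(request_query, logged_in_user="bob")
    forged = urlencode({"openid.mode": "id_res",
                        "openid.identity": "http://alice.example/",
                        "openid.return_to": "http://rp.example/return"})
    return {
        "identity": identity,
        "bob_ok": good is not None and rp_accept_response(good, identity),
        "alice_cannot_use_bobs_delegate":
            idp_handle_checkid(request_query, "alice") is None,
        "forged_identity_rejected": not rp_accept_response(forged, identity),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the delegate string "mailto:bob@livejournal.com" going to the IdP unchanged, the IdP refusing to assert it for a user other than bob, and the RP rejecting an id_res that names an identity other than the one discovery produced.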
