Consolidated Delegate Proposal
Martin Atkins
mart at degeneration.co.uk
Tue Oct 10 17:18:33 UTC 2006
Recordon, David wrote:
> Dick,
> It is needed in the case where there is delegation with a URL,
> openid.identity is the actual URL on the IdP and then openid.rpuserid is
> the URL that the user entered which delegates to openid.identity. This
> is then also used in the similar case with XRI delegation.
>
Does the IdP really need to know what URL I gave to the RP?
Earlier versions handled this adequately by the library including
implementer-defined variables in the return_to URL, which allows a
stateful RP to hide the real identifier behind a meaningless session
token, which satisfies Brad's criteria that the RP should be able to
hide from the IdP the fact that delegation is in use.
More information about the specs
mailing list