Consolidated Delegate Proposal
Josh Hoyt
josh at janrain.com
Tue Oct 10 17:48:22 UTC 2006
On 10/10/06, Martin Atkins <mart at degeneration.co.uk> wrote:
> Does the IdP really need to know what URL I gave to the RP?
>
> Earlier versions handled this adequately by the library including
> implementer-defined variables in the return_to URL, which allows a
> stateful RP to hide the real identifier behind a meaningless session
> token, which satisfies Brad's criteria that the RP should be able to
> hide from the IdP the fact that delegation is in use.
see [1] where I addressed this question. I think that the benefits of
having it there outweigh the benefit of hiding your identifier *from
your chosen IdP*. The benefits for having it available to the IdP are
the same as the benefits outlined in [2].
Josh
1. http://openid.net/pipermail/specs/2006-October/000170.html
2. http://openid.net/pipermail/specs/2006-September/000002.html
More information about the specs
mailing list