Consolidated Delegate Proposal
Dick Hardt
dick at sxip.com
Tue Oct 10 18:14:58 UTC 2006
On 10-Oct-06, at 10:23 AM, Josh Hoyt wrote:
> On 10/10/06, Dick Hardt <dick at sxip.com> wrote:
>> I am really unclear on why we need both openid.identity and
>> openid.rpuserid?
>
> RP user id is the identifier by which the relying party knows the
> user.
This is the one that the user gave the RP?
> "openid.identity" is the IdP user id.
Where did this come from?
> The IdP user id is the
> "delegate" if one is present, or the same as the RP user id if it is
> not. This is consistent with its current usage.
I don't think the delegate needs to be moved. Please see
http://openid.net/pipermail/specs/2006-October/000310.html
> Having this field allows IdP-driven identifier selection to return an
> assertion that works with a delegated identifier, since the IdP can
> specify the RP user id that the user wants.
>
> It also allows the IdP to e.g. make persona selections based on the
> way that the user identified himself to the RP.
I think I am accomplishing all of that in my proposal, and I think it
is much simpler and easier to understand. But I might be missing some
capability.
-- Dick