directed identity + HTML discovery: is this right?
Peter Watkins
peterw at tux.org
Fri May 18 21:19:10 UTC 2007
So I'd like my employer (for discussion purposes, The Great
Plumbers Association, http://plumbers.co) to act as an OpenID
OP. I want all our plumber members to use the same OP URL
for OpenID authentication, let's say https://id.plumbers.co/
So the RP doesn't try XRI Resolution, and Yadis fails because
we only support HTML Discovery. When the RP requests https://id.plumbers.co/
for HTML Discovery, per 7.3.3, we deliver a document with
<link rel="openid2.provider" href="https://id.plumbers.co/" />
<link rel="openid2.local_id"
href="http://specs.openid.net/auth/2.0/identifier_select" />
For normal authentication, the RP then has to send "https://id.plumbers.co/"
as the claimed_id and "http://specs.openid.net/auth/2.0/identifier_select"
as the identity param, per 9.1.
This allows our OP (per 10) to choose a unique OP-Local Identifier for the
user. Is that right? We could return an identifier of
"http://pin1234567890.id.plumbers.co" or
"https://id.plumbers.co/4c1ab4630af439e0c9be33be9615d165", or whatever.
Would we put the OP-Local Identifier in both openid.claimed_id *and*
openid.identity?
I'm confused about section 10.1's discussion of openid.claimed_id: "Note:
The end user MAY choose to use an OP-Local Identifier as a Claimed
Identifier." This reads like a slight restatement of the earlier language
suggesting users' choosing their own OP-Local Identifier (section 10, "If
the relying party requested OP-driven identifier selection... the OP SHOULD
allow the end user to choose which Identifier to use."), but it's subtly
different and suggests two things to me:
1) a user interface requirement on the OP side (the user cannot choose
an identifier after the RP authentication request and before the
OP's authentication response unless the OP has some sort of user
interface to allow the user to make such a choice, so this looks like
it might be equivalent to something like "the OP MUST allow the end
user to choose an OP-Local Identifier for use in the response")
2) that the OP might return a Claimed ID of the user's choosing even if
the RP did not send the identifier_select identity request param
Should this read "The OP MAY allow the end user to choose an OP-Local
Identifier as a Claimed Identifier if there are multiple Identifiers for
which the end user is authorized to issue authentication responses and the
relying party requested OP-driven identifier selection by setting
"openid.identity" to "http://specs.openid.net/auth/2.0/identifier_select""
Also, this "MAY" language suggests that openid.claimed_id in the response
can itself be an OP-Local Identifier and differ from the openid.claimed_id
value that the RP passed in the authentication request. Is that correct?
In an OpenID 2.0 transaction, if openid.claimed_id and openid.identity in
the response differ, which value is the RP to use as the user's URL?
Could the draft be updated to clarify the uses of these two response items?
Thanks,
Peter
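The relying-party side of the exchange Peter describes, as an added example that is not part of the post or of any OpenID library: HTML-based discovery of the openid2.provider and openid2.local_id links (section 7.3.3), building the checkid_setup parameters with the post's reading of 9.1 (entered URL as claimed_id, identifier_select as identity), and the section 11.2 check an RP must run on the positive assertion, namely that when the OP hands back a Claimed Identifier the RP never sent, the RP re-runs discovery on that identifier and confirms the asserting OP and OP-Local Identifier match what discovery says. The id.plumbers.co URLs come from the post; the rp.example and other.example URLs, the fetch() stand-in and the HTML documents are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OPENID2_NS = "http://specs.openid.net/auth/2.0"


class _LinkParser(HTMLParser):
    """Collect rel -> href for every <link> tag in the document."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        # rel may hold several space-separated tokens; the first link wins
        for rel in (a.get("rel") or "").split():
            self.links.setdefault(rel.lower(), a.get("href"))


def html_discover(document):
    """HTML-based discovery (section 7.3.3). local_id is None when the page
    has no openid2.local_id link, i.e. the claimed identifier is also the
    OP-Local Identifier."""
    p = _LinkParser()
    p.feed(document)
    if "openid2.provider" not in p.links:
        raise ValueError("HTML discovery failed: no openid2.provider link")
    return {"op_endpoint": p.links["openid2.provider"],
            "local_id": p.links.get("openid2.local_id")}


def build_auth_request(claimed_id, discovered, return_to, realm):
    """checkid_setup parameters (section 9.1) following the post's reading:
    entered URL in openid.claimed_id, discovered local_id in openid.identity."""
    return {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id,
            "openid.identity": discovered["local_id"] or claimed_id,
            "openid.return_to": return_to, "openid.realm": realm}


def verify_discovered_info(request, response, fetch):
    """Section 11.2 check on a positive assertion; returns the Claimed
    Identifier the RP may treat as the user's URL. fetch(url) returns the
    HTML document at url. Signature, nonce and return_to checks are
    separate steps and are not shown here."""
    claimed = response["openid.claimed_id"]
    identity = response["openid.identity"]
    if IDENTIFIER_SELECT in (claimed, identity):
        raise ValueError("OP echoed identifier_select instead of selecting")
    op_selected = request["openid.identity"] == IDENTIFIER_SELECT
    if op_selected or claimed != request["openid.claimed_id"]:
        # The RP never discovered this identifier itself, so it must not take
        # the OP's word for it: rediscover the asserted claimed_id (fragment
        # dropped, per 11.2) and compare against what the assertion says.
        bare = urldefrag(claimed).url
        info = html_discover(fetch(bare))
        if info["op_endpoint"] != response["openid.op_endpoint"]:
            raise ValueError("asserting OP is not the OP discovered for " + bare)
        if (info["local_id"] or bare) != identity:
            raise ValueError("openid.identity disagrees with discovery")
    return claimed


def rejects(request, response, fetch):
    """True when verify_discovered_info refuses the assertion."""
    try:
        verify_discovered_info(request, response, fetch)
    except ValueError:
        return True
    return False


# Constructed discovery documents, keyed by the URL an RP would fetch.
DOCS = {
    "https://id.plumbers.co/":
        '<html><head><link rel="openid2.provider" href="https://id.plumbers.co/" />'
        '<link rel="openid2.local_id" '
        'href="http://specs.openid.net/auth/2.0/identifier_select" /></head></html>',
    "https://id.plumbers.co/4c1ab4630af439e0c9be33be9615d165":
        '<html><head><link rel="openid2.provider" href="https://id.plumbers.co/" />'
        '</head></html>',
    "https://other.example/alice":
        '<html><head><link rel="openid2.provider" href="https://other.example/op" />'
        '</head></html>',
}


def fetch(url):  # stand-in for an HTTP GET with redirect handling
    return DOCS[url]


REQUEST = build_auth_request("https://id.plumbers.co/",
                             html_discover(fetch("https://id.plumbers.co/")),
                             "https://rp.example/finish", "https://rp.example/")
USER = "https://id.plumbers.co/4c1ab4630af439e0c9be33be9615d165"
GOOD = {"openid.ns": OPENID2_NS, "openid.mode": "id_res",
        "openid.op_endpoint": "https://id.plumbers.co/",
        "openid.claimed_id": USER, "openid.identity": USER}
# Same OP asserting an identifier whose own discovery names a different OP.
BAD = dict(GOOD, **{"openid.claimed_id": "https://other.example/alice",
                    "openid.identity": "https://other.example/alice"})

if __name__ == "__main__":
    print(verify_discovered_info(REQUEST, GOOD, fetch))
    print(rejects(REQUEST, BAD, fetch))
```

The answer to the question of which response value the RP should use follows from the check: the RP takes openid.claimed_id from the response as the user's URL, but only after discovery on that URL has shown that the OP that signed the assertion is the one authorised for it and that openid.identity is the OP-Local Identifier discovery yields for it.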