[OpenID] HTML discovery for OP Identifier

Manger, James H James.H.Manger at team.telstra.com
Wed Nov 14 02:38:26 UTC 2007


HTML discovery should support OP Identifiers. It is easy. If an OP-Local Identifier with the special value "http://specs.openid.net/auth/2.0/identifier_select" is discovered, then the Claimed Identifier is actually an OP Identifier.

The spec is also confusing since “Claimed Identifier” and “openid.claimed_id” are not always the same. The spec says you always get a “Claimed Identifier” from the normalization phase [§7.2 point 4], but contradicts that two sections later [§7.3.1] saying sometimes there is no “Claimed Identifier” if it turns out to be an “OP Identifier”, but the openid.claimed_id field is still sent, just with another (predefined) value.

Q. Is there a good reason for sending "http://specs.openid.net/auth/2.0/identifier_select" in two fields, instead of sending the OP Identifier in openid.claimed_id?
That is, why not always send the normalized User-Supplied identifier in openid.claimed_id, regardless of the OP-Local Identifier?

I suggest replacing §7.3.1. Discovered Information with the following:

The Relying Party starts the discovery process with a Claimed Identifier and, upon successful completion, will have one or more sets of the following information (see the Terminology section for definitions). If more than one set of the following information has been discovered, the precedence rules defined in [XRI_Resolution_2.0] are to be applied.

    * OP Endpoint URL
    * Protocol Version
    * Claimed Identifier
    * (optional) OP-Local Identifier

The Claimed Identifier may have changed during discovery if it was an XRI [see §7.3.2.3].

The Claimed Identifier will change during authentication if the OP-Local Identifier is present and has the special value "http://specs.openid.net/auth/2.0/identifier_select". In this case the Claimed Identifier in the authentication request is actually an OP Identifier. A different Claimed Identifier will be returned in the authentication response. Discovery will have to be performed again on the new Claimed Identifier once it is received [see §11.2].
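
The following sketch is an added example, not part of the original message or of any OpenID library. It shows a Relying Party's HTML discovery applying the proposed rule to the openid2.provider and openid2.local_id link elements. The function names, dictionary keys and sample pages are assumptions, and Protocol Version is left out of the returned set.

```python
from html.parser import HTMLParser

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

class LinkCollector(HTMLParser):
    """Collect openid2.* <link> hrefs that appear inside <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            # rel is a space-separated token list; the first match for each rel wins
            for rel in (attr.get("rel") or "").lower().split():
                if rel in ("openid2.provider", "openid2.local_id") and attr.get("href"):
                    self.links.setdefault(rel, attr["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def html_discovery(claimed_identifier, html):
    """Return one discovered-information set, or None if no OP endpoint is found."""
    collector = LinkCollector()
    collector.feed(html)
    endpoint = collector.links.get("openid2.provider")
    if endpoint is None:
        return None
    local_id = collector.links.get("openid2.local_id")
    return {
        "op_endpoint": endpoint,
        "claimed_identifier": claimed_identifier,
        "op_local_identifier": local_id,
        # Proposed rule: the special value marks an OP Identifier, so the response
        # carries a new Claimed Identifier that must be discovered again (§11.2).
        "is_op_identifier": local_id == IDENTIFIER_SELECT,
    }

# Constructed sample pages (hypothetical hosts)
OP_PAGE = ('<html><head><link rel="openid2.provider" href="https://op.example/ep">'
           '<link rel="openid2.local_id" href="' + IDENTIFIER_SELECT + '"></head></html>')
USER_PAGE = ('<html><head><link rel="openid2.provider openid.server" '
             'href="https://op.example/ep"><link rel="openid2.local_id" '
             'href="https://op.example/users/alice"></head><body>'
             '<link rel="openid2.provider" href="https://other.example/ep"></body></html>')
```

A Relying Party that sees is_op_identifier set should treat the Claimed Identifier in the response as untrusted until discovery on it yields the same OP endpoint.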

