OpenID 3.0
James Henstridge
james at jamesh.id.au
Sun Feb 3 02:44:38 UTC 2008
On 02/02/2008, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
> Yes, I also wonder why the IDP can't just return the ID. As of now I think it's
> two steps for this, with the RP explicitly requesting it? Or am I wrong with that?

When used in directed identity mode, the OP can pick the identity:

http://openid.net/specs/openid-authentication-2_0.html#responding_to_authentication

Of course, the OP is restricted to returning identities that it is
authoritative for. This is what allows any Yahoo user to enter
"yahoo.com" as their OpenID identifier while still letting RPs tell
them apart.

My point was that in cases where you do want to limit things to a
single OP, it is worth considering this mode, since it does not
require the user to enter any credentials (username or password) at
the RP site.

James.
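
Added example, not part of the original message and not code from the OpenID specification or any library: a sketch of the RP side of directed identity in OpenID Authentication 2.0, showing the identifier_select request and the check that the OP is authoritative for the claimed_id it returns. The function names, the example.* URLs and the SAMPLE_DISCOVERY table (a constructed stand-in for real discovery) are assumptions; signature, nonce and return_to verification are out of scope here.

```python
from urllib.parse import urlencode, urldefrag

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"

# Constructed stand-in for discovery: claimed identifier -> (OP endpoint,
# OP-local identifier) that the identifier's own discovery document advertises.
SAMPLE_DISCOVERY = {
    "https://op.example/user/alice": ("https://op.example/server", "https://op.example/user/alice"),
    "https://other.example/bob": ("https://other.example/server", "https://other.example/bob"),
}

def directed_identity_request(op_endpoint, return_to, realm):
    """Redirect URL for a checkid_setup request where the OP picks the identifier."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)

def op_is_authoritative(response, discover=SAMPLE_DISCOVERY.get):
    """True only if discovery on the returned claimed_id points back at the asserting OP."""
    if response.get("openid.ns") != OPENID2_NS or response.get("openid.mode") != "id_res":
        return False
    claimed_id = response.get("openid.claimed_id", "")
    if not claimed_id or claimed_id == IDENTIFIER_SELECT:
        return False  # the OP must replace the placeholder with a real identifier
    # The fragment part is not used when verifying discovered information.
    discovered = discover(urldefrag(claimed_id).url)
    if discovered is None:
        return False
    endpoint, local_id = discovered
    return (response.get("openid.op_endpoint") == endpoint
            and response.get("openid.identity") == local_id)
```

An RP that skips this check would accept any identifier an OP chose to assert, including ones hosted elsewhere.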