Responding to a 2.0 request with a 1.1 response
Martin Atkins
mart at degeneration.co.uk
Sun Jul 20 19:07:46 UTC 2008
A few weeks back I got a report that the in-progress 2.0 branch of the
perl libraries (Net::OpenID) wouldn't authenticate against the provider
clavid.com, because while they accept 2.0 requests they respond with
1.1-format assertion messages.
Net::OpenID did have a bug in that it wasn't allowing assertions from
any provider other than the "primary" one found during discovery. This
is now fixed.
However, there seem to be some ugly cases when OPs switch versions
mid-transaction. Firstly, a 2.0 RP without 1.1 compatibility support
(which is not a MUST in the spec) would result in a really ugly user
experience:
* User enters identifier
* RP discovers 2.0 endpoint
* RP redirects user to endpoint with a 2.0 request message
* endpoint redirects user back with a 1.1 assertion message
* RP fails, because it doesn't support 1.1.
Another similar and perhaps more likely case is when a user does
2.0-style delegation to a clavid.com identifier, omitting the 1.1-style
delegation. Net::OpenID::Consumer with 1.1 compatibility enabled fails
in this case because the 1.1 "version" of the OP does not appear in the
list of discovered providers.
I think responding to a 2.0 request with a 1.1 response is bad manners,
but I can't find any language in the spec that forbids it so I'm left
wondering what the correct behavior is for an RP in cases such as those
above.
Cheers,
Martin
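The two failure cases described in the post, worked through as an added example in Python. This is not code from the original post or from Net::OpenID; it shows an RP-side check that classifies an id_res message as 2.0 or 1.1 by the presence of openid.ns (2.0 messages carry openid.ns=http://specs.openid.net/auth/2.0, 1.1 messages have no openid.ns), then matches the assertion against every discovered service rather than only the first. The hostnames, the discovered-service dicts and the assertion message are constructed; the signature fields are placeholders and signature verification is out of scope here.

```python
from urllib.parse import parse_qsl

OPENID_NS_2_0 = "http://specs.openid.net/auth/2.0"

# Constructed discovery results; the dict layout is this example's own,
# not Net::OpenID's. A 2.0-style delegation on the user's page yields only
# a 2.0 service; adding 1.1-style delegation (openid.server/openid.delegate)
# yields a second, 1.1 service pointing at the same OP.
DISCOVERED_2_0_ONLY = [
    {"version": "2.0", "endpoint": "https://op.example.net/server",
     "local_id": "https://op.example.net/id/alice"},
]
DISCOVERED_BOTH = DISCOVERED_2_0_ONLY + [
    {"version": "1.1", "endpoint": "https://op.example.net/server",
     "local_id": "https://op.example.net/id/alice"},
]

# Constructed assertion as an OP might append it to return_to: it answers a
# 2.0 request but is a 1.1-format message (no openid.ns, no op_endpoint,
# no claimed_id). openid.sig is a placeholder, not a real signature.
RESPONSE_1_1 = (
    "openid.mode=id_res"
    "&openid.identity=https%3A%2F%2Fop.example.net%2Fid%2Falice"
    "&openid.return_to=https%3A%2F%2Frp.example.org%2Fopenid%2Freturn"
    "&openid.assoc_handle=handle123"
    "&openid.signed=mode%2Cidentity%2Creturn_to"
    "&openid.sig=placeholder"
)


def parse_response(query):
    """Split the return_to query string into its openid.* parameters."""
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.startswith("openid.")}


def response_version(params):
    """2.0 messages carry openid.ns; a message without it is a 1.x message."""
    ns = params.get("openid.ns")
    if ns is None:
        return "1.1"
    if ns == OPENID_NS_2_0:
        return "2.0"
    return None  # unknown namespace: reject rather than guess


def match_assertion(params, discovered, support_1_1):
    """Find the discovered service this assertion must be verified against.

    Every discovered service is considered, not only the first ("primary")
    one. Returns ("ok", service) or ("error", reason).
    """
    if params.get("openid.mode") != "id_res":
        return ("error", "not a positive assertion")
    version = response_version(params)
    if version is None:
        return ("error", "unknown openid.ns value")
    if version == "2.0":
        endpoint = params.get("openid.op_endpoint")
        for svc in discovered:
            if svc["version"] == "2.0" and svc["endpoint"] == endpoint:
                return ("ok", svc)
        return ("error", "op_endpoint %r not among discovered 2.0 services" % endpoint)
    # 1.1 message: there is no op_endpoint, so the only handle the RP has is
    # openid.identity, which must match the delegate of a discovered 1.1 service.
    if not support_1_1:
        return ("error", "1.1 assertion received but RP has no 1.1 support")
    identity = params.get("openid.identity")
    for svc in discovered:
        if svc["version"] == "1.1" and svc["local_id"] == identity:
            return ("ok", svc)
    return ("error", "no discovered 1.1 service for identity %r" % identity)


def walk_through():
    """Outcome of the 1.1-format assertion under the three RP/discovery setups."""
    params = parse_response(RESPONSE_1_1)
    return {
        "2.0-only RP": match_assertion(params, DISCOVERED_2_0_ONLY, False)[0],
        "2.0 delegation, 1.1 support": match_assertion(params, DISCOVERED_2_0_ONLY, True)[0],
        "both delegations, 1.1 support": match_assertion(params, DISCOVERED_BOTH, True)[0],
    }


if __name__ == "__main__":
    for case, outcome in walk_through().items():
        print(case, "->", outcome)
```

The first two cases fail for the reasons the post gives: the 2.0-only RP has no way to handle a message without openid.ns, and the RP with 1.1 support still has no 1.1 service to match openid.identity against when the user's page only carries 2.0-style delegation. Only when discovery also yields a 1.1 service does the assertion verify.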