Responding to a 2.0 request with a 1.1 response
Martin Atkins
mart at degeneration.co.uk
Sun Jul 20 19:18:10 UTC 2008
(sorry for responding to myself.)
Martin Atkins wrote:
>
> Another similar and perhaps more likely case is when a user does
> 2.0-style delegation to a clavid.com identifier, omitting the 1.1-style
> delegation. Net::OpenID::Consumer with 1.1 compatibility enabled fails
> in this case because the 1.1 "version" of the OP does not appear in the
> list of discovered providers.
>
In fact, having read my logs in a little more detail, I see that this
mid-flow switch actually breaks delegation altogether in Net::OpenID,
because in the 1.1 case we put the user's identifier in an
"oic.identity" argument inside the return URL, but in the 2.0 case we
use the standard openid.claimed_id argument instead.
For clavid.com, we send out the 2.0 request with openid.claimed_id, but
when they send back their 1.1 response openid.claimed_id is not
available and their server doesn't know (and shouldn't know) about our
non-standard oic.identity argument.
Having noticed this I'm pretty convinced that switching versions
mid-exchange is harmful and should be explicitly forbidden by the
specification; I don't think there's really any way that a mid-exchange
switch could be specified that didn't suffer from this flaw.
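The breakage described above can be made concrete on the relying-party side. The following is an added example, not code from Net::OpenID::Consumer or from the original message: it takes the URL the user agent came back on, works out which protocol version the OP answered with (a 2.0 response carries openid.ns with the 2.0 namespace, a 1.1 response omits it), refuses to continue if that version differs from the one the request was sent as, and only then recovers the claimed identifier from whichever place that version puts it: the RP's own oic.identity argument inside return_to for 1.1 (the non-standard argument named in the message), or openid.claimed_id for 2.0. The sample URLs, including the hostnames, are constructed for the example; the mixed case reproduces the clavid.com situation, a 2.0 request answered with a 1.1 response.

```python
from urllib.parse import urlparse, parse_qs

# Namespace value that every OpenID 2.0 response must carry in openid.ns.
OPENID2_NS = "http://specs.openid.net/auth/2.0"


def response_version(params):
    """Return "2.0" or "1.1" depending on how the OP's response is framed.

    OpenID 2.0 responses include openid.ns=<OPENID2_NS>; 1.1 responses
    have no openid.ns at all.  Anything else is treated as an error.
    """
    ns = params.get("openid.ns")
    if ns == OPENID2_NS:
        return "2.0"
    if ns is None:
        return "1.1"
    raise ValueError("unrecognised openid.ns value: %r" % ns)


def recover_claimed_identifier(return_url, requested_version):
    """Recover the claimed identifier from the URL the user returned on.

    return_url is the RP's return_to URL plus whatever the OP appended.
    requested_version is the version the RP sent its checkid request as
    (it must be remembered per exchange, e.g. in the session).  Raises
    ValueError if the OP answered in a different version than requested,
    because the identifier is then carried in neither place reliably.
    """
    query = urlparse(return_url).query
    # parse_qs yields lists; each OpenID parameter appears once, so unwrap.
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

    got = response_version(params)
    if got != requested_version:
        raise ValueError(
            "OP switched protocol version mid-exchange: requested %s, got %s"
            % (requested_version, got)
        )

    if got == "2.0":
        # 2.0: the OP echoes the claimed identifier in openid.claimed_id.
        claimed = params.get("openid.claimed_id")
        if not claimed:
            raise ValueError("2.0 response is missing openid.claimed_id")
        return claimed

    # 1.1: the RP itself put the identifier into return_to as oic.identity
    # (Net::OpenID's non-standard argument), so it rides back unchanged.
    claimed = params.get("oic.identity")
    if not claimed:
        raise ValueError("1.1 response but return_to carries no oic.identity")
    return claimed


# Constructed sample return URLs (hostnames are placeholders).
RETURN_11 = (
    "https://rp.example/return?oic.identity=http%3A%2F%2Fuser.example%2F"
    "&openid.mode=id_res&openid.identity=http%3A%2F%2Fop.example%2Fuser"
)
RETURN_20 = (
    "https://rp.example/return?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res&openid.claimed_id=http%3A%2F%2Fuser.example%2F"
    "&openid.identity=http%3A%2F%2Fop.example%2Fuser"
)
# A 2.0 request (no oic.identity in return_to) answered with a 1.1 response
# (no openid.ns, no openid.claimed_id): the identifier is nowhere.
RETURN_MIXED = (
    "https://rp.example/return?openid.mode=id_res"
    "&openid.identity=http%3A%2F%2Fop.example%2Fuser"
)

if __name__ == "__main__":
    print(recover_claimed_identifier(RETURN_11, "1.1"))
    print(recover_claimed_identifier(RETURN_20, "2.0"))
    try:
        recover_claimed_identifier(RETURN_MIXED, "2.0")
    except ValueError as err:
        print("rejected:", err)
```

The version check is deliberately placed before any attempt to read an identifier: without it, the mixed case would fall through to the 1.1 branch, find no oic.identity, and fail with a less informative error, or, in a sloppier implementation, accept the response with no claimed identifier at all.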