From the OpenID perspective we have to see webfinger as a part of "normalizing the user-supplied identifier". So the OpenID normalization process would go something like this, given a user-supplied identifier. (I will ignore XRI for simplicity)<div>
1) Check to see if the identifier starts with http or https. If yes, proceed as per protocol.</div><div>2) If not, check to see if the identifier has an "@" sign within it. If yes, use webfinger to get the normalized identifier and proceed.</div>
<div>3) If not, add http to the identifier and proceed.</div><div><br></div><div>So really what webfinger returns is the normalized identifier; it is NOT yet a "claimed id", nor is it a "Local id".</div>
<div><br></div><div>So I am suggesting one of these two rels.</div><div>"openid.normalizedID".</div><div>"<a href="http://specs.openid.net/auth/2.0/normalizedID">http://specs.openid.net/auth/2.0/normalizedID</a>".<br>
<br><div class="gmail_quote">On Thu, Mar 25, 2010 at 11:02 AM, Paul E. Jones <span dir="ltr"><<a href="mailto:paulej@packetizer.com">paulej@packetizer.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Jared,<br>
<div class="im"><br>
> It seems weird to return the user's OpenID identifier, when ultimately<br>
> the OP Endpoint URL is what you need if you want to authenticate the<br>
> user. However, I think "<a href="http://specs.openid.net/auth/2.0/server" target="_blank">http://specs.openid.net/auth/2.0/server</a>"<br>
> should have been used for the rel type, as it is actually defined by<br>
> OpenID Authentication 2.0 spec for that purpose.<br>
<br>
</div>I don't think it's weird at all to use webfinger to return one's OpenID<br>
identifier. After all, Webfinger is intended to be a means of discovering<br>
information about a person. Once the identifier is learned, then the OP can<br>
be discovered based on that ID. Returning the OP URL without the user's<br>
identifier is not as useful, since the OP would not know who is being<br>
authenticated: it would then have to prompt the user for his identity.<br>
<div class="im"><br>
> What is really needed is an agreed-upon URI for what was the<br>
> "<a href="http://specs.openid.net/auth/2.0/signon" target="_blank">http://specs.openid.net/auth/2.0/signon</a>" type (which carried the user's<br>
> OpenID URL in XRDS' LocalID element (which is gone from XRD)).<br>
<br>
</div>If the rel value is "<a href="http://openid.net/identity" target="_blank">http://openid.net/identity</a>" and the href value<br>
represents the user's OpenID identifier, then the RP knows what to do with<br>
that. I really think that's what we should try to agree upon.<br>
<br>
This would minimize the additional effort an RP would have to make, just<br>
adding a Webfinger resolution step and making no changes to the OpenID spec.<br>
The RP might want to implement Webfinger, anyway, in order to discover<br>
information about the user, such as his name, picture, or other information<br>
he wants to share with the world.<br>
<br>
Paul<br>
<br>
<br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<div><div></div><div class="h5"><a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><a href="http://hi.im/santosh">http://hi.im/santosh</a><br><br><br>
</div>
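The three-step normalization sketched in Santosh's message, as an added worked example that is not part of the thread or of any OpenID or Webfinger library. It assumes the rel proposed there (<code>http://specs.openid.net/auth/2.0/normalizedID</code>), models the Webfinger lookup with a constructed in-memory fetcher returning RFC 7033-style JRD JSON rather than the XRD of the 2010 draft, and applies the URL normalization rules of OpenID Authentication 2.0 section 7.2 (lowercase scheme and host, default port dropped, empty path made "/", fragment removed), which the message does not spell out. The check that the href returned by Webfinger is itself an http(s) URL, and the rejection of userinfo, are caveats added here, not claims from the thread.

```python
"""Added example (not from the thread or any OpenID/Webfinger library):
normalizing a user-supplied OpenID identifier with a Webfinger step."""
import json
from urllib.parse import urlsplit, urlunsplit

# The rel proposed in the message above; an assumption of this example,
# nothing has registered it.
NORMALIZED_ID_REL = "http://specs.openid.net/auth/2.0/normalizedID"

# Constructed sample Webfinger records (RFC 7033 JRD shape) keyed by acct:
# URI, standing in for a live HTTPS fetch of
# https://<host>/.well-known/webfinger?resource=acct:<user>@<host>
SAMPLE_WEBFINGER = {
    "acct:alice@example.com": json.dumps({
        "subject": "acct:alice@example.com",
        "links": [{"rel": NORMALIZED_ID_REL, "href": "https://alice.example.com"}],
    }),
    "acct:mallory@example.com": json.dumps({
        "subject": "acct:mallory@example.com",
        "links": [{"rel": NORMALIZED_ID_REL, "href": "javascript:alert(1)"}],
    }),
}


def fetch_webfinger(resource):
    """Hypothetical fetcher: returns the parsed JRD for a resource, or None."""
    doc = SAMPLE_WEBFINGER.get(resource)
    return json.loads(doc) if doc is not None else None


class NormalizationError(ValueError):
    """Raised when the input cannot become a usable URL identifier."""


def normalize_url(url):
    """OpenID 2.0 section 7.2 style URL normalization: lowercase scheme and
    host, drop the default port, make an empty path '/', strip the fragment.
    Only http(s) without userinfo is accepted (the userinfo rule is added here)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise NormalizationError("not an http(s) URL: %r" % url)
    if parts.username is not None:
        # 'http://user@host' is a classic look-alike trick; refuse it.
        raise NormalizationError("userinfo not allowed in identifier")
    port = parts.port  # raises ValueError on a non-numeric port
    netloc = parts.hostname.lower()
    default = {"http": 80, "https": 443}[parts.scheme]
    if port is not None and port != default:
        netloc = "%s:%d" % (netloc, port)
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def normalize_identifier(user_input, fetcher=fetch_webfinger):
    """Steps 1-3 from the message: http(s) URL as-is, '@' means Webfinger,
    anything else gets 'http://' prepended.  XRIs are left out, as there."""
    ident = user_input.strip()
    if not ident:
        raise NormalizationError("empty identifier")
    if ident.startswith("xri://") or ident[0] in "=@+$!(":
        raise NormalizationError("XRI identifiers are outside this example")
    if ident.lower().startswith(("http://", "https://")):
        return normalize_url(ident)                          # step 1
    if "@" in ident:                                         # step 2
        local, _, host = ident.rpartition("@")
        if not local or not host or any(c in ident for c in "/?#"):
            raise NormalizationError("malformed email-style identifier")
        jrd = fetcher("acct:%s@%s" % (local, host.lower()))
        if jrd is None:
            raise NormalizationError("no Webfinger record for %r" % ident)
        hrefs = [link.get("href") for link in jrd.get("links", [])
                 if link.get("rel") == NORMALIZED_ID_REL
                 and isinstance(link.get("href"), str)]
        if len(hrefs) != 1:
            raise NormalizationError("expected exactly one normalizedID link")
        # What Webfinger hands back is still untrusted input: it must be an
        # http(s) URL before it enters the ordinary OpenID discovery flow.
        return normalize_url(hrefs[0])
    return normalize_url("http://" + ident)                  # step 3


# Constructed inputs covering each branch plus the failure cases.
SAMPLE_INPUTS = [
    "example.com",
    "HTTP://Example.COM:80/user#frag",
    "https://example.com:8443",
    "alice@example.com",
    "mallory@example.com",
    "bob@example.com",
    "http://user@example.com/",
]


def demo(inputs=SAMPLE_INPUTS):
    """Normalize each input; rejected ones come back as 'rejected: ...'."""
    results = {}
    for raw in inputs:
        try:
            results[raw] = normalize_identifier(raw)
        except ValueError as exc:
            results[raw] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for raw, out in demo().items():
        print("%-35s -> %s" % (raw, out))
```

The value of the Webfinger branch is that the RP only ever feeds an http(s) URL into the existing OpenID discovery code; the acct: host is consulted over HTTPS for that one mapping and nothing else about the protocol changes, which is the point both Santosh and Paul make.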