Chris,

I'm not sure I follow the distinction you're making — what is the difference between "concept of integration with the user's session at the identity provider" and the "user's choice of identity provider"?

While the token/cookie stored via XAuth in the browser's localStorage may contain whatever information the identity/service provider wishes to include, my suspicion is that most IDPs and SPs will just indicate that a session exists at a particular provider.

That *is* the main distinction I see on quick glance. It includes a variety of information that an identity or service provider would want to include. The discovery service caches nothing more than an untrusted decision by the user regarding which identity provider they'd like to use.

XAuth may be storing highly trusted information, in providing an indexical reference to the specific session from which, among other things, to pull attributes.

Even the indication of an extant session, depending on how it's used by the SP/RP and OP/IdP once it's received (e.g. a direct query for more information, rather than the IdP/OP doing a further check to ensure the user does control that session), can be sensitive information.

I'd be interested in knowing more about your experience here — and what adoption pitfalls you've run into, and whether it's likely that the central service is likely to go away any time soon.

The biggest pitfall is that we have many different DS services scattered around the world, each of which has a heterogeneous set of providers listed and trusted. This is often for good reasons (different national laws, different sets of trusted providers, different trust frameworks, privacy concerns) and often for other kinds of reasons (branding, parochial control, lack of cooperation, no eagerness to make a list of 1000 providers into a list of 5000 providers, or otherwise complicate the interface for initial selection), but we've had a terrible time breaking that impasse.

We've tried to get the central service to go away on the belief that the SP/RP will have the best knowledge of the IdPs it wants to deal with, and the best knowledge of how to integrate discovery with their own user experience, and that smart clients would be here real soon now. I'm more of a believer in the value of a discovery service than most in the academic community because I do think it provides a lot of value.

But I anticipate that a third party storing even the evidence that there is an active session at the IdP would be a very difficult sell to the campuses, particularly in Europe.

I could go on for pages on this topic, sadly...
Nate.
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
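The distinction drawn in the message above, as an added example that is not code from the thread or from any XAuth or OpenID implementation: a discovery-style cache that holds only the user's untrusted provider choice, beside an XAuth-style cache that holds a reference to a live session at the provider, together with a simulated IdP that shows why a bare session reference must not be enough to pull attributes. The hostnames, session identifier, cookie value and attribute set are constructed, and an in-memory Map stands in for the browser's localStorage so the file runs under Node.

```javascript
// Added example, not from the thread or any real XAuth/OpenID code.
// A Map stands in for window.localStorage (same get/set use) so this runs in Node.
const browserStorage = new Map();

// Providers this RP trusts (cf. the point that the RP knows best which IdPs it
// wants to deal with). Hostnames are constructed for the example.
const TRUSTED_IDPS = new Set(["idp.example.edu", "login.example.org"]);

// --- Discovery-service model: cache only the user's (untrusted) provider choice ---
function rememberIdpChoice(idpHost) {
  browserStorage.set("idp_choice", idpHost);
}

// The cached choice is used solely to pre-select a provider, and only one the
// RP already trusts; it says nothing about whether the user is logged in.
function idpHint() {
  const host = browserStorage.get("idp_choice");
  return host !== undefined && TRUSTED_IDPS.has(host) ? host : null;
}

// --- XAuth-style model: a reference to an extant session at the provider ---
function storeSessionHint(idpHost, sessionRef) {
  browserStorage.set("session_hint", JSON.stringify({ idp: idpHost, ref: sessionRef }));
}

// The RP may conclude nothing from the hint except which provider to contact;
// authentication and attributes must come from the IdP after its own check.
function decideFromSessionHint() {
  const raw = browserStorage.get("session_hint");
  if (raw === undefined) return { authenticated: false, redirectTo: null };
  const { idp } = JSON.parse(raw);
  return { authenticated: false, redirectTo: TRUSTED_IDPS.has(idp) ? idp : null };
}

// --- Simulated IdP holding one active session (constructed data) ---
const idpSessions = new Map([
  ["sess-123", { subject: "alice", attrs: { affiliation: "student" }, cookie: "c0ffee" }],
]);

// The risky pattern named in the thread: the session reference alone is a
// "direct query for more information". Anyone who can read the RP's stored
// hint (page scripts, another origin with access to the storage) can use it.
function attributesByReferenceOnly(sessionRef) {
  const s = idpSessions.get(sessionRef);
  return s ? s.attrs : null;
}

// The IdP doing "a further check to ensure the user does control that session":
// it also requires the session cookie, which only the user's browser sends to
// the IdP, so a leaked reference by itself releases nothing.
function attributesWithControlCheck(sessionRef, presentedCookie) {
  const s = idpSessions.get(sessionRef);
  if (!s || s.cookie !== presentedCookie) return null;
  return s.attrs;
}

// Walk-through: the stored hint discloses the reference; only the control
// check stops that disclosure from turning into attribute release.
storeSessionHint("idp.example.edu", "sess-123");
const leakedRef = JSON.parse(browserStorage.get("session_hint")).ref;
console.log("by reference only:", attributesByReferenceOnly(leakedRef));
console.log("with control check, wrong cookie:", attributesWithControlCheck(leakedRef, "wrong"));
```

The two storage models differ in what a reader of the cache learns: `idp_choice` reveals a preference, `session_hint` reveals a provider relationship and a session handle. The IdP-side check is what keeps the handle from being sufficient on its own.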