RE: Discussion: RP Yadis URL?
Right, I'd agree with that. This would just be the first case where the Auth spec doesn't provide at least one service type for the file. In any case, adding the ability seems important. --David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Atkins Sent: Monday, October 16, 2006 12:37 AM To: specs@openid.net Subject: Re: Discussion: RP Yadis URL? Recordon, David wrote: > > I'm torn if this parameter should be added to the spec at this time or > not. Adding the parameter is conceptually simple, though I don't > think there is agreement on what the RP should be publishing in their > Yadis file. There is the section > http://openid.net/specs/openid-authentication-2_0-10.html#anchor42 > which has the RP publish a return_to URL, though the section was meant > to be removed as that URL may not be the right entry point to start a > transaction. > I would say that what's inside the Yadis document is outside the scope of OpenID Auth. It's simply a hook to enable extensions that must be instrumented at the RP side. In other words, OpenID auth just needs to specify how to find an RP's Yadis document. The rest is for other people to figure out. That is the point of Yadis, after all. (and then this IdP-initiated login thing could be an extension built upon this ability, and thus not hold up Auth 2.0.) ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re: Discussion: RP Yadis URL?
Recordon, David wrote: > > I'm torn if this parameter should be added to the spec at this time or > not. Adding the parameter is conceptually simple, though I don't think > there is agreement on what the RP should be publishing in their Yadis > file. There is the section > http://openid.net/specs/openid-authentication-2_0-10.html#anchor42 which > has the RP publish a return_to URL, though the section was meant to be > removed as that URL may not be the right entry point to start a > transaction. > I would say that what's inside the Yadis document is outside the scope of OpenID Auth. It's simply a hook to enable extensions that must be instrumented at the RP side. In other words, OpenID auth just needs to specify how to find an RP's Yadis document. The rest is for other people to figure out. That is the point of Yadis, after all. (and then this IdP-initiated login thing could be an extension built upon this ability, and thus not hold up Auth 2.0.) ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
RE: Discussion: RP Yadis URL?
Well it seems like this would make sense for the RP to send during the "associate" request versus with every "checkid_*" request. I'm torn if this parameter should be added to the spec at this time or not. Adding the parameter is conceptually simple, though I don't think there is agreement on what the RP should be publishing in their Yadis file. There is the section http://openid.net/specs/openid-authentication-2_0-10.html#anchor42 which has the RP publish a return_to URL, though the section was meant to be removed as that URL may not be the right entry point to start a transaction. So I'm 0 for adding it, but against either: A) Delaying the spec to figure out what the RP should publish B) Acting rashly to figure out what the RP should publish So I'd propose the "openid.yadis_location" parameter be added with the description of "URL of the Relying Party's Yadis discovery document describing services the Relying Party provides. At this time, the exact list of services has not been defined, though due to the nature of the protocol they can be defined seperatly." Though writing that just makes all the interoperability warnings go off in my head. I'd rather see us do this right or not do it at all right now. --David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drummond Reed Sent: Sunday, October 15, 2006 9:59 AM To: 'Johannes Ernst'; specs@openid.net Subject: RE: Discussion: RP Yadis URL? +1. All of the "defined algorithms for obtaining the XRDS document" from either a URL or XRI will be going into Working Draft 11 of XRI Resolution 2.0 starting this week. So it seems all the OpenID Authentication 2.0 spec needs to specify is that they work against the return_to URL. =Drummond -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johannes Ernst Sent: Sunday, October 15, 2006 12:00 AM To: specs@openid.net Subject: Re: Discussion: RP Yadis URL? Yes. Or any of the other defined algorithms for obtaining the XRDS file, given the return_to URL. On Oct 14, 2006, at 23:50, Dick Hardt wrote: > I assume you are referring to the return_to URL? > > Current libraries add all kinds of parameters to that URL, would you > be suggesting that the IdP does a GET on the return_to URL with > content-type of XRDS? > > If so, then we should add that to the spec. I'd then like to get clear > on what would need to be in the Yadis file for indicating the > login_url. > > -- Dick > > On 14-Oct-06, at 11:43 PM, Johannes Ernst wrote: > >> Given that the RP has at least one URL, we can perform regular Yadis >> discovery on it. (Likely, all of the RP's URLs point to the same >> Yadis document.) >> >> I don't think an extension to the protocol is needed. >> >> On Oct 14, 2006, at 22:39, Dick Hardt wrote: >> >>> Currently there is no method for the IdP to learn anything about the >>> RP. As a path for extensibility, would anyone have a problem with >>> having an optional parameter in the AuthN Request for the location >>> of the RP's Yadis document? >>> >>> -- Dick >>> ___ >>> specs mailing list >>> specs@openid.net >>> http://openid.net/mailman/listinfo/specs >> >> Johannes Ernst >> NetMesh Inc. >> >> >> http://netmesh.info/jernst >> >> >> >> >> ___ >> specs mailing list >> specs@openid.net >> http://openid.net/mailman/listinfo/specs Johannes Ernst NetMesh Inc. ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re: Re[4]: Discussion: RP Yadis URL?
On 15-Oct-06, at 10:54 AM, Chris Drake wrote: > Hi Dick, > > 1. IdP's "advertising" a list of sites that accept OpenID - like the >way PayPal list stores that accept their currency I guess. It's >annoying to a user to have to come back to the place they just >clicked in order to click a second time in order to go where they >wanted to in the first place... Better to send them where they >want when they click the first time... Since this list is made by the IdP, the IdP will know the RP and can easily get the login_url > 2. Privacy and delegation: if we force the user to initially interact >with the RP, this gives the RP the opportunity to profile our >users, start collecting (and sharing with other RPs) correlating >information about them, and otherwise destroys IdP ability to >protect user privacy. If the RP is given just the IdP, then I think we have minimized what the RP wants. The user is choosing they want to interact with the RP, and the RP will know the IdP at some point anyway. Is there something I am missing? > > Basically - this comes back to your "Discussion: bookmark login url > discovery" message - and for the sake of additionally supporting > future security enhancements (eg: anti-phishing), I'd recommend we > place something inside the RP's login page, like a or > tag, for browser agents to use, or IdPs to find via referrer > URLs. I think doing XRDS discovery on the URLs reuses existing tech and solves the problem. -- Dick ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re[4]: Discussion: RP Yadis URL?
Hi Dick, 1. IdP's "advertising" a list of sites that accept OpenID - like the way PayPal list stores that accept their currency I guess. It's annoying to a user to have to come back to the place they just clicked in order to click a second time in order to go where they wanted to in the first place... Better to send them where they want when they click the first time... 2. Privacy and delegation: if we force the user to initially interact with the RP, this gives the RP the opportunity to profile our users, start collecting (and sharing with other RPs) correlating information about them, and otherwise destroys IdP ability to protect user privacy. Basically - this comes back to your "Discussion: bookmark login url discovery" message - and for the sake of additionally supporting future security enhancements (eg: anti-phishing), I'd recommend we place something inside the RP's login page, like a or tag, for browser agents to use, or IdPs to find via referrer URLs. Kind Regards, Chris Drake Monday, October 16, 2006, 3:36:53 AM, you wrote: DH> Hi Chris DH> Would you clarify these IdP initiated scenarios? DH> I envisioned that an IdP learned of an RP from the user have an DH> initial interaction with the RP. The IdP would then save the RP URL DH> for later use in case the user wanted to go back to the RP directly DH> from the IdP. DH> -- Dick DH> On 15-Oct-06, at 10:30 AM, Chris Drake wrote: >> Hi Drummond, >> >> Don't forget we'll need some way for an IdP to discover the return_to >> URL from an RP in the IdP-initiated scenarios (I'd suggest a META or >> LINK tag in the web page that the RP displays for accepting a login, >> so an IdP (or browser plugin agent!) can "discover" this by parsing >> the referrer page directly. There's a lot of anti-phishing work >> taking place right now: such a scheme would allow OpenID instant >> access to these new standards too.) >> >> Kind Regards, >> Chris Drake >> >> >> Monday, October 16, 2006, 2:59:12 AM, you wrote: >> >> DR> +1. All of the "defined algorithms for obtaining the XRDS >> document" from >> DR> either a URL or XRI will be going into Working Draft 11 of XRI >> Resolution >> DR> 2.0 starting this week. So it seems all the OpenID >> Authentication 2.0 spec >> DR> needs to specify is that they work against the return_to URL. >> >> DR> =Drummond >> >> DR> -Original Message- >> DR> From: [EMAIL PROTECTED] >> DR> [mailto:[EMAIL PROTECTED] On Behalf >> DR> Of Johannes Ernst >> DR> Sent: Sunday, October 15, 2006 12:00 AM >> DR> To: specs@openid.net >> DR> Subject: Re: Discussion: RP Yadis URL? >> >> DR> Yes. Or any of the other defined algorithms for obtaining the XRDS >> DR> file, given the return_to URL. >> >> DR> On Oct 14, 2006, at 23:50, Dick Hardt wrote: >> >>>> I assume you are referring to the return_to URL? >>>> >>>> Current libraries add all kinds of parameters to that URL, would >>>> you be suggesting that the IdP does a GET on the return_to URL with >>>> content-type of XRDS? >>>> >>>> If so, then we should add that to the spec. I'd then like to get >>>> clear on what would need to be in the Yadis file for indicating the >>>> login_url. >>>> >>>> -- Dick >>>> >>>> On 14-Oct-06, at 11:43 PM, Johannes Ernst wrote: >>>> >>>>> Given that the RP has at least one URL, we can perform regular >>>>> Yadis discovery on it. (Likely, all of the RP's URLs point to the >>>>> same Yadis document.) >>>>> >>>>> I don't think an extension to the protocol is needed. >>>>> >>>>> On Oct 14, 2006, at 22:39, Dick Hardt wrote: >>>>> >>>>>> Currently there is no method for the IdP to learn anything >>>>>> about the >>>>>> RP. As a path for extensibility, would anyone have a problem with >>>>>> having an optional parameter in the AuthN Request for the >>>>>> location of >>>>>> the RP's Yadis document? >>>>>> >>>>>> -- Dick >>>>>> ___ >>>>>> specs mailing list >>>>>> specs@openid.net >>>>>> http://openid.net/mailman/listinfo/specs >>>>> >>>>> Johannes Ernst >>>>> NetMesh Inc. >>>>> >>>>> >>>>> http://netmesh.info/jernst >>>>> >>>>> >>>>> >>>>> >>>>> ___ >>>>> specs mailing list >>>>> specs@openid.net >>>>> http://openid.net/mailman/listinfo/specs >> >> DR> Johannes Ernst >> DR> NetMesh Inc. >> >> >> DR> ___ >> DR> specs mailing list >> DR> specs@openid.net >> DR> http://openid.net/mailman/listinfo/specs >> >> >> >> ___ >> specs mailing list >> specs@openid.net >> http://openid.net/mailman/listinfo/specs >> >> ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re: Re[2]: Discussion: RP Yadis URL?
Hi Chris Would you clarify these IdP initiated scenarios? I envisioned that an IdP learned of an RP from the user have an initial interaction with the RP. The IdP would then save the RP URL for later use in case the user wanted to go back to the RP directly from the IdP. -- Dick On 15-Oct-06, at 10:30 AM, Chris Drake wrote: > Hi Drummond, > > Don't forget we'll need some way for an IdP to discover the return_to > URL from an RP in the IdP-initiated scenarios (I'd suggest a META or > LINK tag in the web page that the RP displays for accepting a login, > so an IdP (or browser plugin agent!) can "discover" this by parsing > the referrer page directly. There's a lot of anti-phishing work > taking place right now: such a scheme would allow OpenID instant > access to these new standards too.) > > Kind Regards, > Chris Drake > > > Monday, October 16, 2006, 2:59:12 AM, you wrote: > > DR> +1. All of the "defined algorithms for obtaining the XRDS > document" from > DR> either a URL or XRI will be going into Working Draft 11 of XRI > Resolution > DR> 2.0 starting this week. So it seems all the OpenID > Authentication 2.0 spec > DR> needs to specify is that they work against the return_to URL. > > DR> =Drummond > > DR> -Original Message- > DR> From: [EMAIL PROTECTED] > DR> [mailto:[EMAIL PROTECTED] On Behalf > DR> Of Johannes Ernst > DR> Sent: Sunday, October 15, 2006 12:00 AM > DR> To: specs@openid.net > DR> Subject: Re: Discussion: RP Yadis URL? > > DR> Yes. Or any of the other defined algorithms for obtaining the XRDS > DR> file, given the return_to URL. > > DR> On Oct 14, 2006, at 23:50, Dick Hardt wrote: > >>> I assume you are referring to the return_to URL? >>> >>> Current libraries add all kinds of parameters to that URL, would >>> you be suggesting that the IdP does a GET on the return_to URL with >>> content-type of XRDS? >>> >>> If so, then we should add that to the spec. I'd then like to get >>> clear on what would need to be in the Yadis file for indicating the >>> login_url. >>> >>> -- Dick >>> >>> On 14-Oct-06, at 11:43 PM, Johannes Ernst wrote: >>> >>>> Given that the RP has at least one URL, we can perform regular >>>> Yadis discovery on it. (Likely, all of the RP's URLs point to the >>>> same Yadis document.) >>>> >>>> I don't think an extension to the protocol is needed. >>>> >>>> On Oct 14, 2006, at 22:39, Dick Hardt wrote: >>>> >>>>> Currently there is no method for the IdP to learn anything >>>>> about the >>>>> RP. As a path for extensibility, would anyone have a problem with >>>>> having an optional parameter in the AuthN Request for the >>>>> location of >>>>> the RP's Yadis document? >>>>> >>>>> -- Dick >>>>> ___ >>>>> specs mailing list >>>>> specs@openid.net >>>>> http://openid.net/mailman/listinfo/specs >>>> >>>> Johannes Ernst >>>> NetMesh Inc. >>>> >>>> >>>> http://netmesh.info/jernst >>>> >>>> >>>> >>>> >>>> ___ >>>> specs mailing list >>>> specs@openid.net >>>> http://openid.net/mailman/listinfo/specs > > DR> Johannes Ernst > DR> NetMesh Inc. > > > DR> ___ > DR> specs mailing list > DR> specs@openid.net > DR> http://openid.net/mailman/listinfo/specs > > > > ___ > specs mailing list > specs@openid.net > http://openid.net/mailman/listinfo/specs > > ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re[2]: Discussion: RP Yadis URL?
Hi Drummond, Don't forget we'll need some way for an IdP to discover the return_to URL from an RP in the IdP-initiated scenarios (I'd suggest a META or LINK tag in the web page that the RP displays for accepting a login, so an IdP (or browser plugin agent!) can "discover" this by parsing the referrer page directly. There's a lot of anti-phishing work taking place right now: such a scheme would allow OpenID instant access to these new standards too.) Kind Regards, Chris Drake Monday, October 16, 2006, 2:59:12 AM, you wrote: DR> +1. All of the "defined algorithms for obtaining the XRDS document" from DR> either a URL or XRI will be going into Working Draft 11 of XRI Resolution DR> 2.0 starting this week. So it seems all the OpenID Authentication 2.0 spec DR> needs to specify is that they work against the return_to URL. DR> =Drummond DR> -Original Message- DR> From: [EMAIL PROTECTED] DR> [mailto:[EMAIL PROTECTED] On Behalf DR> Of Johannes Ernst DR> Sent: Sunday, October 15, 2006 12:00 AM DR> To: specs@openid.net DR> Subject: Re: Discussion: RP Yadis URL? DR> Yes. Or any of the other defined algorithms for obtaining the XRDS DR> file, given the return_to URL. DR> On Oct 14, 2006, at 23:50, Dick Hardt wrote: >> I assume you are referring to the return_to URL? >> >> Current libraries add all kinds of parameters to that URL, would >> you be suggesting that the IdP does a GET on the return_to URL with >> content-type of XRDS? >> >> If so, then we should add that to the spec. I'd then like to get >> clear on what would need to be in the Yadis file for indicating the >> login_url. >> >> -- Dick >> >> On 14-Oct-06, at 11:43 PM, Johannes Ernst wrote: >> >>> Given that the RP has at least one URL, we can perform regular >>> Yadis discovery on it. (Likely, all of the RP's URLs point to the >>> same Yadis document.) >>> >>> I don't think an extension to the protocol is needed. >>> >>> On Oct 14, 2006, at 22:39, Dick Hardt wrote: >>> >>>> Currently there is no method for the IdP to learn anything about the >>>> RP. As a path for extensibility, would anyone have a problem with >>>> having an optional parameter in the AuthN Request for the >>>> location of >>>> the RP's Yadis document? >>>> >>>> -- Dick >>>> ___ >>>> specs mailing list >>>> specs@openid.net >>>> http://openid.net/mailman/listinfo/specs >>> >>> Johannes Ernst >>> NetMesh Inc. >>> >>> >>> http://netmesh.info/jernst >>> >>> >>> >>> >>> ___ >>> specs mailing list >>> specs@openid.net >>> http://openid.net/mailman/listinfo/specs DR> Johannes Ernst DR> NetMesh Inc. DR> ___ DR> specs mailing list DR> specs@openid.net DR> http://openid.net/mailman/listinfo/specs ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
RE: Discussion: RP Yadis URL?
+1. All of the "defined algorithms for obtaining the XRDS document" from either a URL or XRI will be going into Working Draft 11 of XRI Resolution 2.0 starting this week. So it seems all the OpenID Authentication 2.0 spec needs to specify is that they work against the return_to URL. =Drummond -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johannes Ernst Sent: Sunday, October 15, 2006 12:00 AM To: specs@openid.net Subject: Re: Discussion: RP Yadis URL? Yes. Or any of the other defined algorithms for obtaining the XRDS file, given the return_to URL. On Oct 14, 2006, at 23:50, Dick Hardt wrote: > I assume you are referring to the return_to URL? > > Current libraries add all kinds of parameters to that URL, would > you be suggesting that the IdP does a GET on the return_to URL with > content-type of XRDS? > > If so, then we should add that to the spec. I'd then like to get > clear on what would need to be in the Yadis file for indicating the > login_url. > > -- Dick > > On 14-Oct-06, at 11:43 PM, Johannes Ernst wrote: > >> Given that the RP has at least one URL, we can perform regular >> Yadis discovery on it. (Likely, all of the RP's URLs point to the >> same Yadis document.) >> >> I don't think an extension to the protocol is needed. >> >> On Oct 14, 2006, at 22:39, Dick Hardt wrote: >> >>> Currently there is no method for the IdP to learn anything about the >>> RP. As a path for extensibility, would anyone have a problem with >>> having an optional parameter in the AuthN Request for the >>> location of >>> the RP's Yadis document? >>> >>> -- Dick >>> ___ >>> specs mailing list >>> specs@openid.net >>> http://openid.net/mailman/listinfo/specs >> >> Johannes Ernst >> NetMesh Inc. >> >> >> http://netmesh.info/jernst >> >> >> >> >> ___ >> specs mailing list >> specs@openid.net >> http://openid.net/mailman/listinfo/specs Johannes Ernst NetMesh Inc. ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re: Discussion: RP Yadis URL?
Yes. Or any of the other defined algorithms for obtaining the XRDS file, given the return_to URL. On Oct 14, 2006, at 23:50, Dick Hardt wrote: I assume you are referring to the return_to URL? Current libraries add all kinds of parameters to that URL, would you be suggesting that the IdP does a GET on the return_to URL with content-type of XRDS? If so, then we should add that to the spec. I'd then like to get clear on what would need to be in the Yadis file for indicating the login_url. -- Dick On 14-Oct-06, at 11:43 PM, Johannes Ernst wrote: Given that the RP has at least one URL, we can perform regular Yadis discovery on it. (Likely, all of the RP's URLs point to the same Yadis document.) I don't think an extension to the protocol is needed. On Oct 14, 2006, at 22:39, Dick Hardt wrote: Currently there is no method for the IdP to learn anything about the RP. As a path for extensibility, would anyone have a problem with having an optional parameter in the AuthN Request for the location of the RP's Yadis document? -- Dick ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs Johannes Ernst NetMesh Inc. http://netmesh.info/jernst ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs Johannes Ernst NetMesh Inc. http://netmesh.info/jernst ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re: Discussion: RP Yadis URL?
I assume you are referring to the return_to URL? Current libraries add all kinds of parameters to that URL, would you be suggesting that the IdP does a GET on the return_to URL with content-type of XRDS? If so, then we should add that to the spec. I'd then like to get clear on what would need to be in the Yadis file for indicating the login_url. -- Dick On 14-Oct-06, at 11:43 PM, Johannes Ernst wrote: > Given that the RP has at least one URL, we can perform regular > Yadis discovery on it. (Likely, all of the RP's URLs point to the > same Yadis document.) > > I don't think an extension to the protocol is needed. > > On Oct 14, 2006, at 22:39, Dick Hardt wrote: > >> Currently there is no method for the IdP to learn anything about the >> RP. As a path for extensibility, would anyone have a problem with >> having an optional parameter in the AuthN Request for the location of >> the RP's Yadis document? >> >> -- Dick >> ___ >> specs mailing list >> specs@openid.net >> http://openid.net/mailman/listinfo/specs > > Johannes Ernst > NetMesh Inc. > > > http://netmesh.info/jernst > > > > > ___ > specs mailing list > specs@openid.net > http://openid.net/mailman/listinfo/specs ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re: Discussion: RP Yadis URL?
Given that the RP has at least one URL, we can perform regular Yadis discovery on it. (Likely, all of the RP's URLs point to the same Yadis document.) I don't think an extension to the protocol is needed. On Oct 14, 2006, at 22:39, Dick Hardt wrote: Currently there is no method for the IdP to learn anything about the RP. As a path for extensibility, would anyone have a problem with having an optional parameter in the AuthN Request for the location of the RP's Yadis document? -- Dick ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs Johannes Ernst NetMesh Inc. http://netmesh.info/jernst ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Discussion: RP Yadis URL?
Currently there is no method for the IdP to learn anything about the RP. As a path for extensibility, would anyone have a problem with having an optional parameter in the AuthN Request for the location of the RP's Yadis document? -- Dick ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs