I've been reviewing Draft 12, and noticed this section, which I think will
cause problems for some systems.
9.2.1. Using the Realm for Return URL Verification
OpenID providers SHOULD verify that the return_to URL specified in the
request is an OpenID relying party endpoint. To verify a
On 29/10/2007, John Ehn [EMAIL PROTECTED] wrote:
I've been reviewing Draft 12, and noticed this section, which I think will
cause problems for some systems.
9.2.1. Using the Realm for Return URL Verification
OpenID providers SHOULD verify that the return_to URL specified in the
request is
Okay. Can we re-word it then so it's more explicitly stated? I.E.:
Attempt discovery.
If discovery succeeds, ensure return_to URL is specified in the XRDS
document. If not present, always return negative assertion.
If discovery fails, assume return_to URL is valid and return assertion.
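The three-step check proposed in the last message, sketched as an added example that is not code from the thread or from the OpenID specification. The function names, the constructed sample XRDS, the simplified URL comparison and the use of the `http://specs.openid.net/auth/2.0/return_to` service type (as named in OpenID Authentication 2.0) are assumptions. Fetching the XRDS is out of scope, so the caller passes the document text, or `None` when discovery failed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"
# Assumption: relying-party service type as named in OpenID Authentication 2.0.
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# Constructed sample of what discovery on the realm might return.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example/openid/return</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def rp_endpoints(xrds_text):
    """URIs of return_to services, or None if the document does not parse."""
    try:
        root = ET.fromstring(xrds_text)
    except ET.ParseError:
        return None
    uris = []
    for svc in root.iter(XRD + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD + "Type") if t.text]
        if RETURN_TO_TYPE in types:
            uris += [u.text.strip() for u in svc.findall(XRD + "URI") if u.text]
    return uris

def _key(url):
    # Simplified comparison: scheme, host, effective port and path; query ignored.
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, p.hostname or "", port, p.path or "/")

def verify_return_to(return_to, xrds_text):
    """xrds_text is None when discovery on the realm failed."""
    endpoints = None if xrds_text is None else rp_endpoints(xrds_text)
    if endpoints is None:
        # Step 3: discovery failed. The proposal still asserts; the distinct
        # result lets the provider log or warn on the unverified case.
        return "unverified"
    if _key(return_to) in {_key(u) for u in endpoints}:
        return "verified"      # step 2, return_to listed
    return "negative"          # step 2, return_to not listed
```

Returning `"unverified"` separately from `"verified"` keeps the fail-open branch of the proposal visible to the provider, which can then record it or tell the user that the return URL could not be confirmed.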