So I'd like my employer (for discussion purposes, The Great Plumbers Association, http://plumbers.co) to act as an OpenID OP. I want all our plumber members to use the same OP URL for OpenID authentication, let's say https://id.plumbers.co/

So the RP doesn't try XRI Resolution, and Yadis fails because we only support HTML Discovery. When the RP requests https://id.plumbers.co/ for HTML Discovery, per 7.3.3, we deliver a document with

  <link rel="openid2.provider" href="https://id.plumbers.co/" />
  <link rel="openid2.local_id" href="http://specs.openid.net/auth/2.0/identifier_select" />

For normal authentication, the RP then has to send "https://id.plumbers.co/" as the claimed_id and "http://specs.openid.net/auth/2.0/identifier_select" as the identity param, per 9.1. This allows our OP (per 10) to choose a unique OP-Local Identifier for the user. Is that right? We could return an identifier of "http://pin1234567890.id.plumbers.co" or "https://id.plumbers.co/4c1ab4630af439e0c9be33be9615d165", or whatever. Would we put the OP-Local Identifier in both openid.claimed_id *and* openid.identity?

I'm confused about section 10.1's discussion of openid.claimed_id: "Note: The end user MAY choose to use an OP-Local Identifier as a Claimed Identifier." This reads like a slight restatement of the earlier language suggesting users' choosing their own OP-Local Identifier (section 10, "If the relying party requested OP-driven identifier selection... the OP SHOULD allow the end user to choose which Identifier to use."), but it's subtly different and suggests two things to me:

1) a user interface requirement on the OP side (the user cannot choose an identifier after the RP authentication request and before the OP's authentication response unless the OP has some sort of user interface to allow the user to make such a choice), so this looks like it might be equivalent to something like "the OP MUST allow the end user to choose an OP-Local Identifier for use in the response"

2) that the OP might return a Claimed ID of the user's choosing even if the RP did not send the identifier_select identity request param

Should this read "The OP MAY allow the end user to choose an OP-Local Identifier as a Claimed Identifier if there are multiple Identifiers for which the end user is authorized to issue authentication responses and the relying party requested OP-driven identifier selection by setting "openid.identity" to "http://specs.openid.net/auth/2.0/identifier_select""?

Also, this "MAY" language suggests that openid.claimed_id in the response can itself be an OP-Local Identifier and differ from the openid.claimed_id value that the RP passed in the authentication request. Is that correct? In an OpenID 2.0 transaction, if openid.claimed_id and openid.identity in the response differ, which value is the RP to use as the user's URL? Could the draft be updated to clarify the uses of these two response items?

Thanks,
Peter
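As an added illustration, not part of Peter's message or of any OpenID project code, here is the RP side of the flow the message walks through: HTML discovery per 7.3.3, the identifier_select request per 9.1, and the check in section 11.2 of the spec where the RP re-runs discovery on the claimed_id asserted in the response before trusting it. The user URL is the one quoted in the message; the discovery documents, the RP's return_to and realm are constructed values standing in for real HTTP fetches.

```python
from html.parser import HTMLParser

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP_URL = "https://id.plumbers.co/"
USER_URL = "https://id.plumbers.co/4c1ab4630af439e0c9be33be9615d165"

# Constructed discovery documents standing in for HTTP fetches of the two URLs.
DISCOVERY_DOCS = {
    OP_URL: '<html><head><link rel="openid2.provider" href="https://id.plumbers.co/" />'
            '<link rel="openid2.local_id" href="%s" /></head></html>' % IDENTIFIER_SELECT,
    USER_URL: '<html><head><link rel="openid2.provider" href="https://id.plumbers.co/" />'
              '<link rel="openid2.local_id" href="%s" /></head></html>' % USER_URL,
}

class _LinkParser(HTMLParser):
    """Collects rel -> href from <link> tags in an HTML discovery document."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links.setdefault(rel, a.get("href"))

def html_discover(url, fetch=DISCOVERY_DOCS.get):
    """HTML-based discovery (spec 7.3.3): (OP endpoint URL, OP-Local Identifier)."""
    p = _LinkParser()
    p.feed(fetch(url) or "")
    return p.links.get("openid2.provider"), p.links.get("openid2.local_id")

def build_checkid_request(claimed_id, local_id, return_to, realm):
    """checkid_setup parameters (spec 9.1); for identifier_select the RP sends the OP URL as claimed_id."""
    return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id, "openid.identity": local_id,
            "openid.return_to": return_to, "openid.realm": realm}

def verify_asserted_identifiers(response, fetch=DISCOVERY_DOCS.get):
    """Spec 11.2: re-run discovery on the asserted claimed_id and check that it names
    the responding OP endpoint and the asserted OP-Local Identifier."""
    claimed, local = response.get("openid.claimed_id"), response.get("openid.identity")
    if not claimed or not local or local == IDENTIFIER_SELECT:
        return False                      # both must be present, and be real identifiers
    claimed = claimed.split("#", 1)[0]    # the fragment is ignored for verification
    endpoint, disc_local = html_discover(claimed, fetch)
    return endpoint == response.get("openid.op_endpoint") and (disc_local or claimed) == local

if __name__ == "__main__":
    req = build_checkid_request(OP_URL, IDENTIFIER_SELECT, "https://rp.example/cb", "https://rp.example/")
    good = {"openid.op_endpoint": OP_URL, "openid.claimed_id": USER_URL, "openid.identity": USER_URL}
    bad = dict(good, **{"openid.claimed_id": OP_URL})  # asserting the bare OP URL fails rediscovery
    print(req["openid.identity"] == IDENTIFIER_SELECT, verify_asserted_identifiers(good), verify_asserted_identifiers(bad))
```

Note that an assertion whose claimed_id is the bare OP URL fails the check, because discovery on that URL yields identifier_select rather than a concrete OP-Local Identifier; the asserted claimed_id has to be a URL whose own discovery document points back at the OP and the asserted identity.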
