On 04/02/2008, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:
> > James Henstridge wrote:
> > Of course, the OP is restricted to returning identities that it is
> > authoritative for.  This is what allows any yahoo user to enter
> > "yahoo.com" as their OpenID identifier while still letting RPs tell
> > them apart.
>
> Right, that's what I thought... What does it have to return, however?
> Is it enough to return [openid_identity] => https://somenick.domain.com/,
> [openid_claimed_id] => https://domain.com/ ?

That is possible provided that performing discovery on
https://domain.com/ gives you https://somenick.domain.com/ as the OP
local identifier and uses the given OP.

When selecting an identifier, the OP chooses both the local identifier
(openid.identity) and claimed ID (openid.claimed_id).


> > My point was that in cases where you do want to limit things to a
> > single OP, it is worth considering this mode, since it does not
> > require the user to enter any credentials (username or password) at
> > the RP site.
>
> Yes, that is rather easy. It gets somewhat more tricky when you want to
> use a group of providers and ban certain providers. All doable, but not
> standardized yet, e.g. white/black lists.

As Kevin said, you can always apply that kind of policy at the end of the
authentication process.  You can do that with either OpenID 1.x or
2.0.

James.
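As an added illustration of the check James describes (this is example code, not from the thread or from any OpenID library): an RP-side routine that re-runs discovery on the asserted claimed_id and accepts the assertion only if discovery yields the asserted OP-local identifier and the asserting OP endpoint. The discovery documents are constructed inline, and the hostnames and the use of HTML link-based discovery (openid2.provider / openid2.local_id) are assumptions.

```python
from html.parser import HTMLParser

# Constructed discovery documents keyed by claimed identifier (assumption:
# HTML-based OpenID 2.0 discovery; the hosts are made up for the example).
DISCOVERY_DOCS = {
    "https://domain.com/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://op.example.net/endpoint">'
        '<link rel="openid2.local_id" href="https://somenick.domain.com/">'
        '</head></html>'
    ),
    # A claimed id served by a different OP, with no explicit local_id.
    "https://other.example/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://another-op.example/endpoint">'
        '</head></html>'
    ),
}

class _LinkParser(HTMLParser):
    """Collect the first openid2.provider / openid2.local_id <link> hrefs."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            if rel in ("openid2.provider", "openid2.local_id") and a.get("href"):
                self.links.setdefault(rel, a["href"])

def discover(claimed_id, fetch=DISCOVERY_DOCS.get):
    """Return (op_endpoint, op_local_id) for claimed_id, or None if no OP is found."""
    html = fetch(claimed_id)
    if html is None:
        return None
    p = _LinkParser()
    p.feed(html)
    if "openid2.provider" not in p.links:
        return None
    # Without an explicit local_id the claimed id is itself the OP-local identifier.
    return p.links["openid2.provider"], p.links.get("openid2.local_id", claimed_id)

def assertion_matches_discovery(assertion, fetch=DISCOVERY_DOCS.get):
    """RP check: discovery on openid.claimed_id (fragment stripped) must name the
    asserting endpoint and the same OP-local id as openid.identity."""
    found = discover(assertion["openid.claimed_id"].split("#", 1)[0], fetch)
    if found is None:
        return False
    endpoint, local_id = found
    return (endpoint == assertion["openid.op_endpoint"]
            and local_id == assertion["openid.identity"])
```

With the constructed documents, the assertion from the quoted question (claimed_id https://domain.com/, identity https://somenick.domain.com/) passes only when the asserting endpoint matches what discovery returns; a different nickname or a claimed_id whose discovery points at another OP is rejected.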
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs