On 04/02/2008, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:
>
> James Henstridge wrote:
> > Of course, the OP is restricted to returning identities that it is
> > authoritative for.  This is what allows any yahoo user to enter
> > "yahoo.com" as their OpenID identifier while still letting RPs tell
> > them apart.
>
> Right, that's what I thought... What does it have to return, however?
> Is it enough to return [openid_identity] => https://somenick.domain.com/,
> [openid_claimed_id] => https://domain.com/ ?

That is possible provided that performing discovery on https://domain.com/
gives you https://somenick.domain.com/ as the OP local identifier and uses
the given OP.  When selecting an identifier, the OP chooses both the local
identifier (openid.identifier) and the claimed ID (openid.claimed_id).

> > My point was that in cases where you do want to limit things to a
> > single OP, it is worth considering this mode, since it does not
> > require the user to enter any credentials (username or password) at
> > the RP site.
>
> Yes, that is rather easy.  It gets somewhat more tricky when you want to
> use a group of providers and ban certain providers.  All doable, but not
> standardized yet... e.g. white/black lists.

As Kevin said, you can always apply that kind of policy at the end of the
authentication process.  You can do that with either OpenID 1.x or 2.0.

James.

_______________________________________________
specs mailing list
firstname.lastname@example.org
http://openid.net/mailman/listinfo/specs
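The two checks discussed in this thread, written out as an added example that is not part of the mailing-list post or of any OpenID library: an RP re-runs discovery on the asserted openid.claimed_id and confirms that it yields the OP endpoint that signed the assertion and the OP-local identifier given in openid.identity (so an OP can only vouch for identifiers it is authoritative for), and then applies a provider allow/deny policy after authentication. Discovery is simulated offline against constructed HTML documents using the OpenID 2.0 `openid2.provider` / `openid2.local_id` link relations; the hostnames, the `fake_fetch` function and the `verify_assertion` / `apply_op_policy` names are assumptions made for the example, and signature verification is assumed to have already happened.

```python
"""RP-side identifier verification for an OpenID 2.0 positive assertion,
plus a post-authentication OP allow/deny policy (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse, urlunparse

# Constructed discovery documents standing in for real HTTP fetches.
# domain.com delegates to op.example.com with local id somenick.domain.com;
# victim.example is served by op.example.com and has no separate local id.
DOCUMENTS = {
    "https://domain.com/": """<html><head>
      <link rel="openid2.provider" href="https://op.example.com/server">
      <link rel="openid2.local_id" href="https://somenick.domain.com/">
    </head></html>""",
    "https://victim.example/": """<html><head>
      <link rel="openid2.provider" href="https://op.example.com/server">
    </head></html>""",
}


def fake_fetch(url):
    """Assumed stand-in for an HTTP GET; returns None when nothing is found."""
    return DOCUMENTS.get(url)


class LinkRelParser(HTMLParser):
    """Collect the first href for each rel value of <link> elements."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():
                self.links.setdefault(r, href)


def normalize(url):
    """Minimal identifier normalization: lowercase scheme and host,
    default the path to "/", and drop any fragment before comparing."""
    u = urlparse(url)
    return urlunparse((u.scheme.lower(), u.netloc.lower(), u.path or "/",
                       u.params, u.query, ""))


def discover(claimed_id, fetch):
    """HTML-based discovery: return (op_endpoint, op_local_id) or None."""
    doc = fetch(claimed_id)
    if doc is None:
        return None
    p = LinkRelParser()
    p.feed(doc)
    endpoint = p.links.get("openid2.provider")
    if endpoint is None:
        return None
    # With no openid2.local_id link, the claimed id is itself the local id.
    return endpoint, p.links.get("openid2.local_id", claimed_id)


def verify_assertion(fields, fetch):
    """Check that the OP named in the (already signature-checked) response
    is authoritative for openid.claimed_id and that the asserted
    openid.identity is the local id discovery yields for it."""
    claimed = fields.get("openid.claimed_id")
    identity = fields.get("openid.identity")
    endpoint = fields.get("openid.op_endpoint")
    if not (claimed and identity and endpoint):
        return False, "missing identifier fields"
    found = discover(normalize(claimed), fetch)
    if found is None:
        return False, "discovery on claimed_id failed"
    disc_endpoint, disc_local = found
    if normalize(disc_endpoint) != normalize(endpoint):
        return False, "OP endpoint is not authoritative for claimed_id"
    if normalize(disc_local) != normalize(identity):
        return False, "OP-local identifier does not match discovery"
    return True, "ok"


def apply_op_policy(op_endpoint, allow=None, deny=()):
    """Policy applied after authentication: if an allow-list is given the OP
    host must be on it; a deny-list then removes individual providers."""
    host = urlparse(op_endpoint).hostname
    if allow is not None and host not in allow:
        return False
    return host not in deny


if __name__ == "__main__":
    good = {"openid.claimed_id": "https://domain.com/",
            "openid.identity": "https://somenick.domain.com/",
            "openid.op_endpoint": "https://op.example.com/server"}
    print(verify_assertion(good, fake_fetch))
    print(apply_op_policy(good["openid.op_endpoint"], allow={"op.example.com"}))
```

The order matters: the identifier check runs first and only then does the allow/deny policy look at the OP endpoint, which is what lets the same policy code serve both OpenID 1.x and 2.0 flows.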