(sorry for responding to myself.)

Martin Atkins wrote:
>
> Another similar and perhaps more likely case is when a user does
> 2.0-style delegation to a clavid.com identifier, omitting the 1.1-style
> delegation. Net::OpenID::Consumer with 1.1 compatibility enabled fails
> in this case because the 1.1 "version" of the OP does not appear in the
> list of discovered providers.
>

In fact, having read my logs in a little more detail, I see that this mid-flow switch actually breaks delegation altogether in Net::OpenID, because in the 1.1 case we put the user's identifier in an "oic.identity" argument inside the return URL, but in the 2.0 case we use the standard openid.claimed_id argument instead.

For clavid.com, we send out the 2.0 request with openid.claimed_id, but when they send back their 1.1 response openid.claimed_id is not available and their server doesn't know (and shouldn't know) about our non-standard oic.identity argument.

Having noticed this I'm pretty convinced that switching versions mid-exchange is harmful and should be explicitly forbidden by the specification; I don't think there's really any way that a mid-exchange switch could be specified that didn't suffer from this flaw.

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
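
The failure described in the message above, simulated as an added example (not Net::OpenID code and not part of the original post). The identifiers, URLs and function names are constructed for illustration, and `check_same_version` is one hypothetical way a relying party could refuse a response whose version differs from the request it sent.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Constructed sample values (assumptions, not taken from the post)
CLAIMED = "https://example.org/alice"          # identifier the user typed
LOCAL = "https://alice.op.example/"            # delegated OP-local identifier
RETURN_TO = "https://rp.example/openid/return"

def build_request(version, claimed_id, op_local_id, return_to):
    """RP side: where the claimed identifier travels depends on the version."""
    if version == "2.0":
        return {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
                "openid.claimed_id": claimed_id,
                "openid.identity": op_local_id, "openid.return_to": return_to}
    # 1.1 has no claimed_id field, so the RP tucks it into the return URL
    tagged = return_to + "?" + urlencode({"oic.identity": claimed_id})
    return {"openid.mode": "checkid_setup",
            "openid.identity": op_local_id, "openid.return_to": tagged}

def op_respond(request, version):
    """OP side: echoes identity and return_to; only 2.0 carries claimed_id."""
    resp = {"openid.mode": "id_res",
            "openid.identity": request["openid.identity"],
            "openid.return_to": request["openid.return_to"]}
    if version == "2.0":
        resp["openid.ns"] = OPENID2_NS
        resp["openid.claimed_id"] = request.get("openid.claimed_id")
    return resp

def recover_claimed_id(response):
    """RP side: find the user's identifier in the assertion, or None."""
    if response.get("openid.ns") == OPENID2_NS:
        return response.get("openid.claimed_id")
    query = parse_qs(urlsplit(response["openid.return_to"]).query)
    return query.get("oic.identity", [None])[0]

def check_same_version(request, response):
    """Hypothetical RP check: reject a mid-exchange version switch."""
    return request.get("openid.ns") == response.get("openid.ns")

def run(req_version, resp_version):
    req = build_request(req_version, CLAIMED, LOCAL, RETURN_TO)
    resp = op_respond(req, resp_version)
    return recover_claimed_id(resp), check_same_version(req, resp)

if __name__ == "__main__":
    for pair in (("1.1", "1.1"), ("2.0", "2.0"), ("2.0", "1.1")):
        print(pair, run(*pair))
```

In the 2.0-request, 1.1-response case the relying party is left with only the OP-local identifier, so the delegated identifier cannot be recovered from the assertion.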