Arguments passed with openid.mode=id_res incomplete?
mart at degeneration.co.uk
Wed Jun 15 14:53:29 PDT 2005
Grant Monroe wrote:
> Correct me if I'm wrong, but it seems that the arguments passed along
> with openid.mode=id_res are insufficient. As far as I can tell, the
> consumer has no way of determining which openid server the GET request
> relates too. I don't think we can assume the assoc_handle uniquely
> identifies a single server. How is the consumer to determine which
> server the request is for?
The server must retrieve the document from the identity URL again to
discover the identity server URL. This step is important because
otherwise I could have my identity server assert your identity. This
extra bit of hoop-jumping ensures that the identity URL does indeed
declare a particular identity server as trusted.
More information about the yadis