Super all-comprehensive specs/overview page
brad at danga.com
Sun Jun 26 18:25:05 PDT 2005
On Mon, 27 Jun 2005, Martin Atkins wrote:
> A couple of concerns...
> Regarding the identity delegation stuff, it says that in order to
> declare delegation you must include the following:
> <link rel="openid.server"
> <link rel="openid.delegate"
> However, not much detail is given other than that. Am I right that the
> consumer then just proceeds as normal but asks for
> http://bob.livejournal.com/ instead of http://bob.com/? There are no
> extra requests to fetch http://bob.livejournal.com/, right?
Correct. No extra requests.
> So now it's the consumer's responsibility to remember that
> http://bob.livejournal.com/ really wants to be called http://bob.com/,
> even though the identity server is going to come back talking about
> http://bob.livejournal.com/. This is kinda backwards from how it worked
> with the old protocol, but I see the logic here.
> Also, this sentence confuses me:
> The consumer then parses the head section and finds the
> openid.server and (optionally) the openid.delegate declarations.
> Surely all consumers must support openid.delegate?
They MUST. Wording updated.
> Also, for check_authentication:
> Send all the openid.* response parameters you'd previously gotten
> back from a "checkid_*" request, with their values being exactly
> what you got back. For example, send "openid.identity",
> "openid.assoc_handle", "openid.issued", "openid.valid_to",
> "openid.return_to", "openid.signed", "openid.sig", ...
> I'm not sure I like this "send back whatever you got" thing. Am I
> supposed to check all of the request args and see which ones start with
> openid., or is it sufficient just to use the ones listed here?
Updated the docs, and found that Net::OpenID::Consumer doesn't follow my
own advice, which is to send:
openid.mode = check_authentication
Where * is everything in "signed".
> There are also a few places where "client" is used where "consumer" is
> more appropriate. I think avoiding the word "client" altogether is best,
> as it's often confusing as to whether the consumer or the user-agent is
> being the client at this point.
All three changed to either end user or consumer.
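The delegation handling discussed in this thread, as an added example that is not part of the original message or of Net::OpenID::Consumer: a consumer parses the head section, asks the server about the delegate, and maps the answer back to the URL the user entered. The function names, the `server.example` and `other.example` URLs, and the first-declaration-wins rule are assumptions of this sketch, and it assumes the response signature has already been verified.

```python
from html.parser import HTMLParser

class _HeadLinks(HTMLParser):
    """Collect openid.* <link> declarations that appear inside <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rel, href = (a.get("rel") or "").lower(), a.get("href")
            # Choice made in this example: the first declaration of each rel wins.
            if rel in ("openid.server", "openid.delegate") and href and rel not in self.links:
                self.links[rel] = href

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_url, html):
    """Return the session state a consumer must keep for the later response."""
    parser = _HeadLinks()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server declaration in head")
    # Without a delegate, the server is asked about the claimed URL itself.
    return {"claimed": claimed_url, "server": server,
            "ask_about": parser.links.get("openid.delegate", claimed_url)}

def accepted_identity(session, response_identity):
    """Map the server's answer back to the claimed URL, or reject it."""
    if response_identity != session["ask_about"]:
        raise ValueError("server answered for a different identity")
    return session["claimed"]

# Constructed sample page for http://bob.com/; the <link> in <body> must be ignored.
SAMPLE = """<html><head>
<link rel="openid.server" href="http://server.example/openid">
<link rel="openid.delegate" href="http://bob.livejournal.com/">
</head><body><link rel="openid.delegate" href="http://other.example/"></body></html>"""

if __name__ == "__main__":
    state = discover("http://bob.com/", SAMPLE)
    print(state, accepted_identity(state, "http://bob.livejournal.com/"))
```

The consumer stores the returned state before redirecting the user, so the identity it finally records is the claimed URL and never a value taken from the response alone.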