Arguments passed with openid.mode=id_res incomplete?

Martin Atkins mart at degeneration.co.uk
Wed Jun 15 20:37:30 PDT 2005


Grant Monroe wrote:
> On 6/15/05, Martin Atkins <mart at degeneration.co.uk> wrote:
> 
>>The server must retrieve the document from the identity URL again to
>>discover the identity server URL. This step is important because
>>otherwise I could have my identity server assert your identity. This
>>extra bit of hoop-jumping ensures that the identity URL does indeed
>>declare a particular identity server as trusted.
>>
> 
> 
> If this is the case, then this extra request should probably be added
> to the spec.

(I'm guessing you intended your reply to go to the list)

The extra request isn't necessarily required. Many more beefy consumers
will no doubt store some tracking information and put some kind of token
in the return URL so that they don't have to retrieve the identity URL a
second time.

However, you're right that there should be some words about the
different options consumers have for this point in the transaction.
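
One way a consumer could implement the token option described in the message above, as an added example that is not part of the original post or of any OpenID library. The function names, token layout, secret and lifetime are all assumptions: the token binds the identity URL to the identity server discovered from it, so the id_res response can be checked against that server without a second fetch.

```python
import base64
import hashlib
import hmac
import json
import time

CONSUMER_SECRET = b"constructed-demo-secret"  # assumption: key known only to the consumer
TOKEN_TTL = 300  # assumption: seconds a login attempt stays valid


def _sign(body: bytes) -> str:
    return hmac.new(CONSUMER_SECRET, body, hashlib.sha256).hexdigest()


def make_token(identity_url, server_url, now=None):
    """Called after discovery: bind identity URL -> declared identity server.

    The result is placed in the return URL (hypothetical parameter name).
    """
    ts = int(time.time() if now is None else now)
    body = json.dumps({"id": identity_url, "srv": server_url, "ts": ts},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def server_for_response(token, asserted_identity, now=None):
    """Called on openid.mode=id_res: return the server to verify against, or None.

    None means the stored state is unusable; the consumer must then fall back to
    retrieving the identity URL again (or reject the login).
    """
    try:
        b64, mac = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:  # wrong shape or bad base64
        return None
    if not hmac.compare_digest(mac, _sign(body)):
        return None  # token was not issued by this consumer, or was altered
    state = json.loads(body)
    current = time.time() if now is None else now
    if current - state["ts"] > TOKEN_TTL:
        return None  # stale login attempt
    if state["id"] != asserted_identity:
        return None  # response asserts an identity other than the one discovered
    return state["srv"]
```

The returned server URL is the only one whose signature over the response should be accepted for that identity.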


