Super all-comprehensive specs/overview page

Brad Fitzpatrick brad at
Sun Jun 26 18:25:05 PDT 2005

On Mon, 27 Jun 2005, Martin Atkins wrote:

> A couple of concerns...
> Regarding the identity delegation stuff, it says that in order to
> declare delegation you must include the following:
> <link rel="openid.server"
>       href="">
> <link rel="openid.delegate"
>       href="">
> However, not much detail is given other than that. Am I right that the
> consumer then just proceeds as normal but asks for
> instead of There are no
> extra requests to fetch, right?

Correct.  No extra requests.

> So now it's the consumer's responsibility to remember that
> really wants to be called,
> even though the identity server is going to come back talking about
> This is kinda backwards from how it worked
> with the old protocol, but I see the logic here.

Yes, correct.

> Also, this sentence confuses me:
>     The consumer then parses the head section and finds the
>     openid.server and (optionally) the openid.delegate declarations.
> Surely all consumers must support openid.delegate?

They MUST.  Wording updated.

> Also, for check_authentication:
>     Send all the openid.* response parameters you'd previously gotten
>     back from a "checkid_*" request, with their values being exactly
>     what you got back. For example, send "openid.identity",
>     "openid.assoc_handle", "openid.issued", "openid.valid_to",
>     "openid.return_to", "openid.signed", "openid.sig", ...
> I'm not sure I like this "send back whatever you got" thing. Am I
> supposed to check all of the request args and see which ones start with
> openid., or is it sufficient just to use the ones listed here?

Updated the docs, and found that Net::OpenID::Consumer doesn't follow my
own advice, which is to send:

  openid.mode = check_authentication

Where * is everything in "signed".

> There are also a few places where "client" is used where "consumer" is
> more appropriate. I think avoiding the word "client" altogether is best,
> as it's often confusing as to whether the consumer or the user-agent are
> being the client at this point.

All three changed to either end user or consumer.


- Brad
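
Added example, not part of the original thread and not code from Net::OpenID::Consumer: one way a consumer could build the check_authentication request discussed above, copying only the fields named in "openid.signed" rather than every openid.* argument it received. The function name, the sample response values, and the handling of openid.mode are assumptions.

```python
from urllib.parse import urlencode

# Sent alongside the signed fields so the server can find the association
# and recompute the signature (all three are in the list quoted above).
ALWAYS_SENT = ("assoc_handle", "signed", "sig")


def build_check_authentication(response):
    """Return the openid.* parameters for a check_authentication request.

    `response` is the dict of query arguments the consumer received on its
    return_to URL. Hypothetical helper, not an API of any library.
    """
    for name in ALWAYS_SENT:
        if not response.get("openid." + name):
            raise ValueError("response lacks openid." + name)

    params = {"openid.mode": "check_authentication"}
    for name in ALWAYS_SENT:
        params["openid." + name] = response["openid." + name]

    for field in response["openid.signed"].split(","):
        if field == "mode":
            # Assumption: the request's own mode occupies this key, so the
            # response's mode value is not copied over it.
            continue
        key = "openid." + field
        if key not in response:
            # A field listed as signed but absent cannot be verified.
            raise ValueError("signed field missing from response: " + key)
        params[key] = response[key]  # value exactly as received
    return params


# Constructed sample response; every value is a placeholder.
SAMPLE = {
    "openid.mode": "id_res",
    "openid.identity": "http://example.com/delegate/",
    "openid.assoc_handle": "handle-123",
    "openid.return_to": "http://consumer.example/return?nonce=abc",
    "openid.signed": "mode,identity,return_to",
    "openid.sig": "c2FtcGxlLXNpZw==",
    "openid.unsigned_extra": "not covered by the signature",
    "other": "not an openid argument",
}

if __name__ == "__main__":
    print(urlencode(build_check_authentication(SAMPLE)))
```

Arguments that are not listed in "openid.signed" are left out of the request, so nothing outside the signature's coverage is forwarded to the server.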
