Super all-comprehensive specs/overview page

Brad Fitzpatrick brad at danga.com
Sun Jun 26 18:25:05 PDT 2005


On Mon, 27 Jun 2005, Martin Atkins wrote:

> A couple of concerns...
>
> Regarding the identity delegation stuff, it says that in order to
> declare delegation you must include the following:
> <link rel="openid.server"
>       href="http://www.livejournal.com/openid/server.bml">
> <link rel="openid.delegate"
>       href="http://bob.livejournal.com/">
>
> However, not much detail is given other than that. Am I right that the
> consumer then just proceeds as normal but asks for
> http://bob.livejournal.com/ instead of http://bob.com/? There are no
> extra requests to fetch http://bob.livejournal.com/, right?

Correct.  No extra requests.

> So now it's the consumer's responsibility to remember that
> http://bob.livejournal.com/ really wants to be called http://bob.com/,
> even though the identity server is going to come back talking about
> http://bob.livejournal.com/. This is kinda backwards from how it worked
> with the old protocol, but I see the logic here.

Yes, correct.

> Also, this sentence confuses me:
>     The consumer then parses the head section and finds the
>     openid.server and (optionally) the openid.delegate declarations.
>
> Surely all consumers must support openid.delegate?

They MUST.  Wording updated.


> Also, for check_authentication:
>     Send all the openid.* response parameters you'd previously gotten
>     back from a "checkid_*" request, with their values being exactly
>     what you got back. For example, send "openid.identity",
>     "openid.assoc_handle", "openid.issued", "openid.valid_to",
>     "openid.return_to", "openid.signed", "openid.sig", ...
>
> I'm not sure I like this "send back whatever you got" thing. Am I
> supposed to check all of the request args and see which ones start with
> openid., or is it sufficient just to use the ones listed here?

Updated the docs, and found that Net::OpenID::Consumer doesn't follow my
own advice, which is to send:

  openid.mode = check_authentication
  openid.sig
  openid.signed
  openid.*

Where * is everything in "signed".

> There are also a few places where "client" is used where "consumer" is
> more appropriate. I think avoiding the word "client" altogether is best,
> as it's often confusing as to whether the consumer or the user-agent are
> being the client at this point.

All three changed to either end user or consumer.

Thanks!

- Brad
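
Added example, not part of the original message and not code from Net::OpenID::Consumer: one way a consumer could select the check_authentication parameters by the rule above (mode, sig, signed, plus every field named in "signed"), leaving out anything unsigned. It assumes "signed" is a comma-separated list of field names without the "openid." prefix; the function name, error class and sample values are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode


class BadResponse(ValueError):
    """The checkid_* response cannot be turned into a check_authentication request."""


def build_check_authentication(return_query: str) -> dict:
    # keep_blank_values: values must go back exactly as received, even if empty.
    pairs = [(k, v) for k, v in parse_qsl(return_query, keep_blank_values=True)
             if k.startswith("openid.")]
    keys = [k for k, _ in pairs]
    # Defensive choice in this example: a repeated openid.* key is ambiguous
    # (which copy was signed?), so reject it instead of picking one.
    if len(keys) != len(set(keys)):
        raise BadResponse("duplicate openid.* parameter")
    received = dict(pairs)
    for required in ("openid.sig", "openid.signed"):
        if required not in received:
            raise BadResponse(required)
    out = {"openid.sig": received["openid.sig"],
           "openid.signed": received["openid.signed"]}
    # Assumption: "signed" lists names without the "openid." prefix.
    for name in received["openid.signed"].split(","):
        key = "openid." + name.strip()
        if key not in received:
            raise BadResponse(key)  # a signed field was stripped in transit
        out[key] = received[key]
    # Set last so it always wins, whatever mode the response carried.
    out["openid.mode"] = "check_authentication"
    return out


# Constructed sample: the query string a consumer might see on its return_to URL.
SAMPLE_RETURN_QUERY = urlencode({
    "session": "xyz",                      # consumer's own parameter
    "openid.mode": "id_res",
    "openid.identity": "http://bob.livejournal.com/",
    "openid.assoc_handle": "constructed-handle",
    "openid.issued": "2005-06-27T01:00:00Z",
    "openid.valid_to": "2005-06-27T02:00:00Z",
    "openid.return_to": "http://consumer.example/return?nonce=abc",
    "openid.signed": "identity,assoc_handle,issued,valid_to,return_to",
    "openid.sig": "Y29uc3RydWN0ZWQ=",
    "openid.extra": "not-signed",          # unsigned, must not be forwarded
})

if __name__ == "__main__":
    print(urlencode(build_check_authentication(SAMPLE_RETURN_QUERY)))
```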

