Some openid.delegate questions

meepbear * meepbear at hotmail.com
Tue Jun 28 05:26:32 PDT 2005


I know there was part of a thread specifically about openid.delegate but 
with the recent bubble of activity the last two days I can't seem to find it 
:).

The example script had initially given me a completely different idea of 
what delegation meant so I'm wondering if there's any current guideline as 
to what the consumer is supposed to report back.

Using the example for the new spec: http://bob.com wishes to ID but does so 
by delegating it to LiveJournal claiming to be http://bob.livejournal.com.

My problem is that if I return that Bob's ID is http://bob.com and not 
http://bob.livejournal.com then Bob is home free when it comes to banning. 
It's clear that if someone wants to prevent Bob from (as an example) posting 
comments that bob.livejournal.com should be banned and not bob.com since 
that's not actually a valid OpenID identity but merely a zero-cost 
replaceable URL.

If I return that Bob's ID url is http://bob.livejournal.com then I defeat 
the whole purpose behind delegation since each comment would be 'signed' 
with bob.livejournal.com and there would be no trace of bob.com anywhere.

If I return both then it adds a whole level of extra recordkeeping for 
whichever application interfaces with the consumer since they now have to 
keep track of 2 URLs with entirely different meanings.

Related, what do I do when Bob puts http://bob.com/myopenid/ which returns a 
302 'Location: bob.livejournal.com'?
Currently I'm interpreting it as an "implied delegation" case (which means I 
return that Bob's ID is really bob.livejournal.com and not 
bob.com/myopenid/) but according to the spec it wouldn't be a delegation at 
all even though in reality it has the same net effect.
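
An added example, not part of the original post and not code from any OpenID library: one way a consumer could report both the URL that was entered and the identity that is actually asserted (the openid.delegate target, or the final 302 location), with bans keyed on the latter. The page contents, the `fetch` stand-in for HTTP, the `.example` hosts and the server URL are constructed assumptions, and the verification step with the identity server is omitted.

```python
from html.parser import HTMLParser

class LinkParser(HTMLParser):
    """Collect <link rel=... href=...> pairs from an identity page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a["href"])

def normalize(url):
    # Minimal normalization (assumption): only trailing slashes are folded.
    return url.strip().rstrip("/")

def resolve(entered, fetch):
    """Return (claimed, asserted). fetch(url) -> (status, location, html)."""
    url = entered
    for _ in range(5):                      # bounded redirect following
        status, location, html = fetch(url)
        if status not in (301, 302):
            break
        url = location                      # 302 handled like a delegation
    else:
        raise ValueError("too many redirects")
    parser = LinkParser()
    parser.feed(html)
    asserted = parser.links.get("openid.delegate", url)
    return normalize(entered), normalize(asserted)

def is_banned(entered, fetch, banned):
    # Bans are keyed on the asserted identity, not the replaceable claimed URL.
    _, asserted = resolve(entered, fetch)
    return asserted in banned

# Constructed sample pages standing in for real HTTP responses.
DELEGATING = ('<html><head><link rel="openid.server" href="http://openid.example/server">'
              '<link rel="openid.delegate" href="http://bob.livejournal.com/"></head></html>')
PAGES = {
    "http://bob.com": (200, None, DELEGATING),
    "http://bob2.example": (200, None, DELEGATING),   # Bob's replacement URL
    "http://bob.com/myopenid/": (302, "http://bob.livejournal.com/", ""),
    "http://bob.livejournal.com/": (200, None, "<html><head></head></html>"),
    "http://alice.example": (200, None, "<html><head></head></html>"),
}

def fetch(url):
    return PAGES[url]
```

The application can display the claimed URL on comments while storing the asserted one as the ban key, which is the "return both" option from the post.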



