Some openid.delegate questions

meepbear * meepbear at
Tue Jun 28 05:26:32 PDT 2005

I know there was part of a thread specifically about openid.delegate but 
with the recent bubble of activity the last two days I can't seem to find it 

The example script had initially given me a completely different idea of 
what delegation meant so I'm wondering if there's any current guideline as 
to what the consumer is supposed to report back.

Using the example for the new spec: wishes to ID but does so 
by delegating it to LiveJournal claiming to be

My problem is that if I return that Bob's ID is and not then Bob is homefree when it comes to banning. 
It's clear that if someone wants to prevent Bob from (as an example) posting 
comments that should be banned and not since 
that's not actually a valid OpenID identity but merely a zero-cost 
replaceable URL.

If I return that Bob's ID url is then I defeat 
the whole purpose behind delegation since each comment would be 'signed' 
with and there would be no trace of anywhere.

If I return both then it adds a whole level of extra recordkeeping for 
whichever application interfaces with the consumer since they now have to 
keep track of 2 URLs with different entirely different meanings.

Related, what do I do when Bob puts which returns a 
302 'Location:'?
Currently I'm interpreting it as an "implied delegation" case (which means I 
return that Bob's ID is really and not but according to the spec it wouldn't be a delegation at 
all even though in reality it has the same net effect.

More information about the yadis mailing list