Some openid.delegate questions
meepbear at hotmail.com
Tue Jun 28 05:26:32 PDT 2005
I know there was part of a thread specifically about openid.delegate but
with the recent bubble of activity the last two days I can't seem to find it
The example script had initially given me a completely different idea of
what delegation meant so I'm wondering if there's any current guideline as
to what the consumer is supposed to report back.
Using the example for the new spec: http://bob.com wishes to ID but does so
by delegating it to LiveJournal claiming to be http://bob.livejournal.com.
My problem is that if I return that Bob's ID is http://bob.com and not
http://bob.livejournal.com then Bob is homefree when it comes to banning.
It's clear that if someone wants to prevent Bob from (as an example) posting
comments that bob.livejournal.com should be banned and not bob.com since
that's not actually a valid OpenID identity but merely a zero-cost
If I return that Bob's ID url is http://bob.livejournal.com then I defeat
the whole purpose behind delegation since each comment would be 'signed'
with bob.livejournal.com and there would be no trace of bob.com anywhere.
If I return both then it adds a whole level of extra recordkeeping for
whichever application interfaces with the consumer since they now have to
keep track of 2 URLs with different entirely different meanings.
Related, what do I do when Bob puts http://bob.com/myopenid/ which returns a
302 'Location: bob.livejournal.com'?
Currently I'm interpreting it as an "implied delegation" case (which means I
return that Bob's ID is really bob.livejournal.com and not
bob.com/myopenid/) but according to the spec it wouldn't be a delegation at
all even though in reality it has the same net effect.
More information about the yadis