Blog URI, is it necessary?
Brad Fitzpatrick
brad at danga.com
Fri May 20 10:15:52 PDT 2005
On Fri, 20 May 2005, Ben Hyde wrote:
> On May 20, 2005, at 12:01 PM, ydnar wrote:
> > An OpenID server is vouching for the person using the browser,
> > asserting they own/control the input URL.
>
> Must it do both?
>
> > Alice needs to provide a unique URL that she has implied control over.
> > This keeps a 1:1 mapping between a URL and a "user." LiveJournal can't
> > go around asserting http://livejournal.com for everyone.
>
> What would that break?
>
> Longer form: what would break if the returned openid.assert_identity
> wasn't identical to sent openid.is_identity?
Up to the consumer, but it's bad behavior on the identity server's part
because the consumer will probably reject it.
Consider:
-- user enters identity URL in a comment form
-- presses validate, does AJAX validate and puts the digest in a hidden
form field
-- presses submit
-- server-side process validates signature, gets public key from identity
server, validates (probably from cache) that the identity URL provided
does point to the identity server that was hit. Now, even if the
identity server returned a different identity URL, and even
if that alternative identity URL pointed at the identity server,
the application MIGHT not have updated its identity URL form field
when the identity server returned. It might have only stashed away
in hidden fields the timestamp and signature.
So guys, what should be the recommendation here? We have to tell
consumers in the spec whether or not they should be prepared for the
assert_identity value changing.
- Brad
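The two consumer behaviours Brad describes, as an added illustration that is not part of the original thread or of any OpenID implementation: a "strict" consumer that keeps the returned fields and compares openid.assert_identity against the openid.is_identity the user typed, and a "stash-only" consumer that kept the typed URL in the form, stashed just the timestamp and signature in hidden fields, and rebuilds the signed message from those. Only openid.is_identity and openid.assert_identity come from the thread; the HMAC shared secret, the canonical signed string, and the openid.timestamp, openid.return_to and openid.sig field names are assumptions made for the demo (the message talks about a public key, whose mechanics are left out here).

```python
import hmac
import hashlib

# Constructed demo material (not from the thread): an HMAC shared secret
# stands in for whatever key the identity server actually signs with.
SERVER_SECRET = b"constructed-demo-secret"

# openid.is_identity / openid.assert_identity are named in the thread;
# return_to, timestamp and sig are assumed names for concepts Brad mentions.
SIGNED_FIELDS = ("openid.assert_identity", "openid.return_to", "openid.timestamp")


def sign(params):
    """Sign the canonical 'key=value&key=value' string of the signed fields."""
    msg = "&".join(f"{k}={params[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha1).hexdigest()


def identity_server_respond(is_identity, return_to, asserted=None):
    """Simulated identity server. By default it asserts the URL it was asked
    about; pass `asserted` to model a server whose openid.assert_identity
    differs from the openid.is_identity it received."""
    params = {
        "openid.assert_identity": asserted if asserted is not None else is_identity,
        "openid.return_to": return_to,
        "openid.timestamp": "2005-05-20T17:15:52Z",  # constructed value
    }
    params["openid.sig"] = sign(params)
    return params


def strict_consumer(form_identity, response):
    """Consumer that keeps every returned field, checks the signature, then
    requires assert_identity to equal the URL the user typed.
    Returns (accepted, detail)."""
    if not hmac.compare_digest(sign(response), response.get("openid.sig", "")):
        return (False, "bad signature")
    asserted = response["openid.assert_identity"]
    if asserted != form_identity:
        return (False, "assert_identity differs from is_identity: " + asserted)
    return (True, asserted)


def stash_only_consumer(form_identity, return_to, hidden_timestamp, hidden_sig):
    """Consumer from the message: the form still holds the URL the user typed
    and only timestamp + signature were stashed in hidden fields, so the
    signed message is rebuilt from the form's own URL. A server that signed
    a different assert_identity simply fails verification here."""
    rebuilt = {
        "openid.assert_identity": form_identity,
        "openid.return_to": return_to,
        "openid.timestamp": hidden_timestamp,
    }
    return hmac.compare_digest(sign(rebuilt), hidden_sig)


if __name__ == "__main__":
    alice = "http://alice.example/"          # constructed identity URL
    rt = "http://consumer.example/comment"   # constructed return_to
    ok = identity_server_respond(alice, rt)
    swapped = identity_server_respond(alice, rt, asserted="http://livejournal.com/")
    print(strict_consumer(alice, ok))
    print(strict_consumer(alice, swapped))
    print(stash_only_consumer(alice, rt, ok["openid.timestamp"], ok["openid.sig"]))
    print(stash_only_consumer(alice, rt, swapped["openid.timestamp"], swapped["openid.sig"]))
```

Both consumers end up rejecting the swapped assertion, which is the point of "the consumer will probably reject it": the strict one can say why, while the stash-only one sees nothing but a signature that does not verify against the URL in its form.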