Question: Yadis Service URIs in the OpenID Auth case
Martin Atkins
mart at degeneration.co.uk
Thu Aug 31 16:40:10 UTC 2006
Johannes Ernst wrote:
> On Aug 31, 2006, at 1:32, Martin Atkins wrote:
>
>> As it stands, it's not really clear how multiple URI elements (which,
>> if I'm not mistaken, are allowed in XRI) would work with OpenID, for
>> the same reasons that this wasn't included in OpenID 1.1 with the
>> openid.server LINK element.
>
> Not quite. For example, 2idi supports the IdP side of OpenID with XRIs,
> and they advertise two service endpoints for OpenID (which are
> identical, except that one is https and the other http -- a perfectly
> valid use case I'd think).
>
From memory, we came up with the following use-cases for multiple
server endpoints when we were discussing this before:
* Failover in the event that a server goes down
* Expose multiple IDPs so that relying parties can choose which to use
based on their own internal criteria, such as a blacklist on misbehaving
IDPs or whether both parties support SSL.
The http vs. https thing is a special case of the latter, I think.
The former was thrown out because there isn't really a reliable way for
a relying party to tell if a server endpoint is "down". (where "down"
also includes the case where the relying party can connect to it but the
user cannot, or where the identity process fails somewhere in the middle
when it's too late to back out and try another.)
The latter was never actually thrown out, but it was decided that the
implementation effort of supporting it outweighed the benefit. Much of
that argument has since been rendered invalid by the fact that OpenID
implementors must now support Yadis anyway, which is a lot more
complicated than this ever would have been.
So I suppose there's not really any harm in having it in there for the
latter use case, especially since I was voting in favour of it in the
previous discussion on those grounds. It should be made clear in the
spec that the relying party must select exactly one server endpoint,
though, to avoid people confusing it with a failover mechanism.
This sits nicely with the "security profiles" under current discussion,
too, since presumably relying parties are expected to reduce their
selection to services providing acceptable profiles.
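An added example, not from this thread or from 2idi's or anyone else's
implementation, of what the "select exactly one" rule looks like in a relying
party: parse a Yadis XRDS document, collect the URIs of the OpenID signon
services, order them by the XRDS priority attribute (lower number wins, no
attribute means least preferred, document order breaks ties), then apply the
RP's own criteria (require https, skip blacklisted IdP hosts) and return a
single endpoint, never a fallback list. The sample XRDS is constructed for the
example; the filtering policy is illustrative rather than anything the spec
mandates.

```python
"""Pick exactly one OpenID server endpoint from a Yadis/XRDS document."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_11_TYPE = "http://openid.net/signon/1.1"

# Constructed sample: two OpenID services, the first with an https and an
# http URI, the second on a host the RP will blacklist, plus an unrelated
# service that must be ignored.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://openid.net/signon/1.1</Type>
      <URI priority="1">https://idp.example.net/openid</URI>
      <URI priority="2">http://idp.example.net/openid</URI>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://bad-idp.example.org/server</URI>
    </Service>
    <Service>
      <Type>http://example.com/unrelated-service</Type>
      <URI>https://other.example.com/</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _tag(name):
    return "{%s}%s" % (XRD_NS, name)


def _priority(elem):
    """XRDS priority: lower is more preferred; absent means least preferred."""
    value = elem.get("priority")
    return int(value) if value is not None else float("inf")


def candidate_endpoints(xrds_text, service_type):
    """All URIs of services of the given type, most preferred first."""
    root = ET.fromstring(xrds_text)
    xrds = root.findall(_tag("XRD"))
    if not xrds:
        return []
    found = []
    # Yadis resolution uses the final XRD element in the document.
    for svc in xrds[-1].findall(_tag("Service")):
        types = [t.text.strip() for t in svc.findall(_tag("Type")) if t.text]
        if service_type not in types:
            continue
        for uri in svc.findall(_tag("URI")):
            if uri.text and uri.text.strip():
                found.append((_priority(svc), _priority(uri), uri.text.strip()))
    # sort is stable, so document order is kept for equal priorities
    found.sort(key=lambda item: (item[0], item[1]))
    return [item[2] for item in found]


def select_endpoint(xrds_text, service_type=OPENID_11_TYPE,
                    require_https=False, blacklist=()):
    """Return exactly one acceptable endpoint, or None if there is none.

    The RP's own criteria (here: https required, hostname blacklist) are
    applied before choosing; the result is a single URI, not a failover list.
    """
    blocked = {host.lower() for host in blacklist}
    try:
        candidates = candidate_endpoints(xrds_text, service_type)
    except ET.ParseError:
        return None
    for uri in candidates:
        parts = urlparse(uri)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if require_https and parts.scheme != "https":
            continue
        if parts.hostname.lower() in blocked:
            continue
        return uri
    return None


if __name__ == "__main__":
    print(select_endpoint(SAMPLE_XRDS))
    print(select_endpoint(SAMPLE_XRDS, require_https=True,
                          blacklist=("idp.example.net",)))
```

With the sample above, the default policy picks the https URI of the
highest-priority service; requiring https while blacklisting idp.example.net
leaves nothing acceptable and the RP gets None rather than a second-best
endpoint to retry with.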