Question: Yadis Service URIs in the OpenID Auth case

Martin Atkins mart at degeneration.co.uk
Thu Aug 31 16:40:10 UTC 2006


Johannes Ernst wrote:
> On Aug 31, 2006, at 1:32, Martin Atkins wrote:
> 
>> As it stands, it's not really clear how multiple URI elements (which, 
>> if I'm not mistaken, are allowed in XRI) would work with OpenID, for 
>> the same reasons that this wasn't included in OpenID 1.1 with the 
>> openid.server LINK element.
> 
> Not quite. For example, 2idi supports the IdP side of OpenID with XRIs, 
> and they advertise two service endpoints for OpenID (which are 
> identical, except that one is https and the other http -- a perfectly 
> valid use case I'd think).
> 

From memory, we came up with the following use-cases for multiple 
server endpoints when we were discussing this before:

* Failover in the event that a server goes down
* Expose multiple IDPs so that relying parties can choose which to use 
based on their own internal criteria, such as a blacklist on misbehaving 
IDPs or whether both parties support SSL.

The http vs. https thing is a special case of the latter, I think.

The former was thrown out because there isn't really a reliable way for 
a relying party to tell if a server endpoint is "down". (where "down" 
also includes the case where the relying party can connect to it but the 
user cannot, or where the identity process fails somewhere in the middle 
when it's too late to back out and try another.)

The latter was never actually thrown out, but it was decided that the 
implementation effort of supporting it outweighed the benefit. Much of 
that argument has since been rendered invalid by the fact that OpenID 
implementors must now support Yadis anyway, which is a lot more 
complicated than this ever would have been.

So I suppose there's not really any harm in having it in there for the 
latter use case, especially since I was voting in favour of it in the 
previous discussion on those grounds. It should be made clear in the 
spec that the relying party must select exactly one server endpoint, 
though, to avoid people confusing it with a failover mechanism.

This sits nicely with the "security profiles" under current discussion, 
too, since presumably relying parties are expected to reduce their 
selection to services providing acceptable profiles.
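Selecting exactly one endpoint from a multi-URI XRDS the way the post describes, as an added Python example (not code from the post or from any OpenID library): the XRDS document, host names and denylist are constructed for illustration, and the service/URI priority attributes are assumed to order the candidates, with ties broken deterministically rather than at random.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by Yadis XRDS documents and the OpenID 1.1 service type.
NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}
OPENID_SIGNON = "http://openid.net/signon/1.1"

# Constructed sample: one OpenID service advertising two endpoints (https and
# http, as in the 2idi case), plus a second IdP the relying party distrusts.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://openid.net/signon/1.1</Type>
      <URI priority="1">https://idp.example.net/openid</URI>
      <URI priority="2">http://idp.example.net/openid</URI>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://untrusted.example.org/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

def openid_endpoints(xrds_text):
    """Return every OpenID server URI in the XRDS, ordered by service then URI priority."""
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.findall(".//xrd:Service", NS):
        types = [t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text]
        if OPENID_SIGNON not in types:
            continue  # some other Yadis service; not an OpenID server
        svc_pri = int(svc.get("priority", "2147483647"))  # absent priority sorts last
        for uri in svc.findall("xrd:URI", NS):
            uri_pri = int(uri.get("priority", "2147483647"))
            found.append((svc_pri, uri_pri, uri.text.strip()))
    found.sort()
    return [u for _, _, u in found]

def select_endpoint(xrds_text, denylist=(), require_tls=False):
    """Pick exactly one endpoint by local policy, or None if nothing is acceptable.
    The choice is final: a failure later in the login is not a reason to try another URI."""
    for uri in openid_endpoints(xrds_text):
        parts = urlparse(uri)
        if parts.hostname in denylist:
            continue  # relying party's own blacklist of misbehaving IdPs
        if require_tls and parts.scheme != "https":
            continue  # both parties must support SSL for this profile
        return uri
    return None
```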
