[OpenID] OpenId & Yadis Question
Martin Atkins
mart at degeneration.co.uk
Mon Feb 26 07:40:28 UTC 2007
David Fuelling wrote:
> I'm wondering if the following is a correct interpretation of how OpenId 2.0
> uses Yadis. Any clarifications are appreciated.
>
> 1.) User navigates to an RP, and enters a Claimed Identifier (e.g.,
> http://sappenin.gmail.com).
>
> 2.) A Yadis doc is returned as follows:
>
> <Service xmlns="xri://$xrd*($v*2.0)">
> <Type>http://specs.openid.net/auth/2.0/server</Type>
> <URI>https://sappenin.com/</URI> </Service>
> </Service>
>
>
> Specifically:
>
> A.) Is this the proper way to do delegation? Above, gmail.com is delegating
> to sappenin.com.
What you've given above isn't delegation, because no delegate identifier
is given. I guess you wanted https://sappenin.com/ to be your
identifier, in which case it would go in the <LocalID> element, with
your provider's endpoint URL in <URI>.
Also, the Type here should be http://specs.openid.net/auth/2.0/signon.
You can also do it with LINK elements in an HTML document, as with
OpenID 1 (though the "rel" values have changed a little).
> B.) If a client gets the Yadis doc above (after navigating to gmail.com),
> MUST they (or SHOULD they) navigate to sappenin.com and try to perform
> discovery again? If so, how many delegates are allowed? Not specified?
>
Delegation isn't recursive. When given the above (corrected, of course),
the site will try to verify https://sappenin.com/ against the given
server immediately. Discovery is never performed on the LocalID in this
case. This means that the nominated provider *must* be able to recognise
the LocalID given.
More information about the yadis
mailing list