Identifier_select response
Kevin Turner
kevin at janrain.com
Wed Feb 6 12:15:34 PST 2008
On Wed, 2008-02-06 at 21:12 +0200, Eddy Nigg (StartCom Ltd.) wrote:
> > The claimed_id will be what the RP does discovery on and what it knows
> > the user by. "identity" needs to match whatever the RP will get when it
> > discovers the local_id for the claimed_id.
> >
> OK, now, could you make a practical, real example for this? Sorry for
> being slow, but apparently I'm missing something here...and thanks for
> your reply!
e.g.

    if ($req->idSelect()) {
        # If we need to do identity selection, log me in as kevin.janrain.com,
        # which delegates to the keturn.myopenid.com account.
        $claimed_id = "http://kevin.janrain.com/";
        $identity = "https://keturn.myopenid.com/";
        $req->answer(true, $server_url, $identity, $claimed_id);
    }
> I wonder how the local id can be known to the OP during discovery since
> all the RP sends is a get request of the xrds file. There is no
> session which could support this call...I'm really puzzled how this
> should work. Anyone?
When using the OP-driven identifier selection flow, the RP needs to make
at least two discovery requests. The first discovers the OP and
endpoint, as marked by Type Auth_OpenID_TYPE_2_0_IDP. Then, after you
do the redirect and receive the assertion in the id_res message, the RP
does discovery on the claimed identifier, marked by Type
Auth_OpenID_TYPE_2_0, to make sure that the OP endpoint it received the
assertion from is actually authoritative for that claimed identifier.
Since that second request is for the claimed identifier, that's how you
identify it, rather than by session.
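As an added illustration of the two discovery steps described above (this is not code from the thread, nor from the Auth_OpenID or python-openid libraries), the following Python simulates the RP side: the first discovery on the OP identifier yields only an endpoint (the service marked with the Auth_OpenID_TYPE_2_0_IDP type URI), the OP answers with a claimed_id and identity, and the RP then discovers the claimed identifier (Auth_OpenID_TYPE_2_0 type URI) and accepts the assertion only if the endpoint it came from, and the LocalID, match what that discovery returns. The hostnames kevin.janrain.com and keturn.myopenid.com are taken from the message; every other URL (op.example, other-op.example, alice.example.net) is a constructed placeholder, and the XRDS documents are embedded so nothing is fetched over the network. Signature, return_to and nonce checking, which a real RP performs as well, are deliberately left out.

```python
"""RP-side verification for OpenID 2.0 OP-driven identifier selection.

Added example; all hosts except kevin.janrain.com / keturn.myopenid.com are
constructed placeholders and the XRDS documents below are embedded so the
example runs offline.  Signature/return_to/nonce checks are omitted.
"""
import xml.etree.ElementTree as ET

# Type URIs behind the Auth_OpenID_TYPE_2_0_IDP / Auth_OpenID_TYPE_2_0 constants
TYPE_2_0_IDP = "http://specs.openid.net/auth/2.0/server"
TYPE_2_0 = "http://specs.openid.net/auth/2.0/signon"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
XRD = "{xri://$xrd*($v*2.0)}"  # Clark-notation prefix for XRD 2.0 elements


def xrds(*services):
    """Build a minimal XRDS document from (types, uri, local_id) triples."""
    body = ""
    for types, uri, local_id in services:
        body += "<Service>" + "".join("<Type>%s</Type>" % t for t in types)
        body += "<URI>%s</URI>" % uri
        if local_id:
            body += "<LocalID>%s</LocalID>" % local_id
        body += "</Service>"
    return ('<?xml version="1.0"?><xrds:XRDS xmlns:xrds="xri://$xrds" '
            'xmlns="xri://$xrd*($v*2.0)"><XRD>%s</XRD></xrds:XRDS>' % body)


# Constructed "web": what an HTTP fetch of each URL would return.
FAKE_WEB = {
    # OP identifier the user typed in: an endpoint only, no identity
    "https://op.example/": xrds(([TYPE_2_0_IDP], "https://op.example/server", None)),
    # claimed identifier that delegates to the OP-local account, as in the message
    "http://kevin.janrain.com/": xrds(
        ([TYPE_2_0], "https://op.example/server", "https://keturn.myopenid.com/")),
    # an identifier served by a different OP entirely
    "http://alice.example.net/": xrds(
        ([TYPE_2_0], "https://other-op.example/server", None)),
}


def discover(url, fetch=FAKE_WEB.get):
    """Discovery step: fetch the XRDS for url and return its OpenID services."""
    doc = fetch(url)
    if doc is None:
        raise LookupError("no XRDS for %s" % url)
    services = []
    for svc in ET.fromstring(doc).iter(XRD + "Service"):
        uri = svc.find(XRD + "URI")
        local = svc.find(XRD + "LocalID")
        services.append({
            "types": {t.text.strip() for t in svc.findall(XRD + "Type")},
            "uri": uri.text.strip() if uri is not None else None,
            "local_id": local.text.strip() if local is not None else None,
        })
    return services


def start_identifier_select(op_identifier):
    """First discovery: find the OP endpoint and build the checkid_setup request."""
    for svc in discover(op_identifier):
        if TYPE_2_0_IDP in svc["types"]:
            return svc["uri"], {"openid.mode": "checkid_setup",
                                "openid.claimed_id": IDENTIFIER_SELECT,
                                "openid.identity": IDENTIFIER_SELECT}
    raise ValueError("%s is not an OP identifier" % op_identifier)


def op_answer(server_url, identity, claimed_id):
    """OP side of $req->answer(true, $server_url, $identity, $claimed_id), unsigned."""
    return {"openid.mode": "id_res", "openid.op_endpoint": server_url,
            "openid.identity": identity, "openid.claimed_id": claimed_id}


def verify_id_res(response, endpoint_we_redirected_to):
    """Second discovery: the OP that answered must be authoritative for claimed_id."""
    if response.get("openid.mode") != "id_res":
        return False
    claimed_id = response["openid.claimed_id"]
    identity = response["openid.identity"]
    op_endpoint = response["openid.op_endpoint"]
    if op_endpoint != endpoint_we_redirected_to:
        return False  # assertion names an endpoint we never sent the user to
    for svc in discover(claimed_id):
        if TYPE_2_0 not in svc["types"]:
            continue
        # with no LocalID, the OP-local identifier is the claimed_id itself
        if svc["uri"] == op_endpoint and (svc["local_id"] or claimed_id) == identity:
            return True
    return False


if __name__ == "__main__":
    endpoint, request = start_identifier_select("https://op.example/")
    ok = op_answer(endpoint, "https://keturn.myopenid.com/", "http://kevin.janrain.com/")
    forged = op_answer(endpoint, "http://alice.example.net/", "http://alice.example.net/")
    print("delegated identity accepted:", verify_id_res(ok, endpoint))
    print("foreign identifier accepted:", verify_id_res(forged, endpoint))
```

The second discovery is what keeps the assertion honest: because the RP looks up the claimed_id itself rather than trusting the OP's word, an OP can only assert identifiers whose XRDS names that OP's endpoint, and the identity value has to equal the LocalID (or the claimed_id when there is no delegation). No session state is needed on the OP side for this, which is the answer to the question quoted above.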