Why is the OpenID in LRDD typed as "http://specs.openid.net/auth/2.0/provider"?


Christian Weiske

Feb 2, 2012, 6:27:51 PM
to webf...@googlegroups.com
Hello,


Google uses "http://specs.openid.net/auth/2.0/provider" to indicate the
OpenID of a user. Why is "provider" used here? It isn't the Identity
Provider URL, but the OpenID itself!

There once was a discussion about that on openid-specs, but no real
result - apart from the suggestion to better use
"http://openid.net/identity" as type:

http://lists.openid.net/pipermail/openid-specs/2010-March/006567.html

--
Regards/Mit freundlichen Grüßen
Christian Weiske

-=≡ Geeking around in the name of science since 1982 ≡=-


Paul E. Jones

Feb 4, 2012, 5:13:40 PM
to webf...@googlegroups.com
Christian,

There is a lot of inconsistency with respect to OpenID support via Webfinger. Do we advertise the OpenID provider URL in host-meta or LRDD? I think both are valid.

Do we refer to the user's OpenID page or to the OpenID provider (i.e., login)?

What I did (and I'll not argue it's right) is advertise via the LRDD document the following:

<Link rel="http://specs.openid.net/auth/2.0/provider"
href="https://openid.packetizer.com/paulej"/>

If you then query the href, then you'll see:

<link rel="openid2.provider" href="https://openid.packetizer.com/login/"/>

I honestly do not care how we advertise OpenID, but I wish we would all do it consistently so that I can visit a site, enter my email ID, and my identity provider URL can be discovered.

There is a reason I advertise the values the way I do. If I visit a web site and enter my email address, I want the site to query for the above value. I could have it query and return this in the LRDD:

<Link rel="http://specs.openid.net/auth/2.0/provider"
href="https://openid.packetizer.com/login/"/>

However, this does not provide any information to the site I am visiting what my OpenID ID is. It needs to have that information. Webfinger isn't getting rid of the OpenID URIs that identify us. It is just a means of avoiding the need to remember what it is or type in a (sometimes long) URL.

Paul

Christian Weiske

Feb 5, 2012, 1:58:36 AM
to webf...@googlegroups.com
Hello Paul,


> There is a lot of inconsistency with respect to OpenID support via
> Webfinger. Do we advertise the OpenID provider URL in host-meta or
> LRDD? I think both are valid.

I'd think that, too.


> Do we refer to the user's OpenID page or to the OpenID provider
> (i.e., login)?

Specifying the OpenID is of course only possible in LRDD, since
it's user-specific.

> What I did (and I'll not argue it's right) is advertise via the LRDD
> document the following:
>
> <Link rel="http://specs.openid.net/auth/2.0/provider"
> href="https://openid.packetizer.com/paulej"/>

That's what I do, too - but it says
"http://specs.openid.net/auth/2.0/provider", which indicates the
provider, not the OpenID itself.

This is my problem. It should be clear if the given URL is an OpenID,
or an OpenID provider URL. Currently, OpenIDs are given, but titled
"provider".


Paul E. Jones

Feb 5, 2012, 11:11:43 PM
to webf...@googlegroups.com

> > What I did (and I'll not argue it's right) is advertise via the LRDD
> > document the following:
> >
> > <Link rel="http://specs.openid.net/auth/2.0/provider"
> > href="https://openid.packetizer.com/paulej"/>
> That's what I do, too - but it says
> "http://specs.openid.net/auth/2.0/provider", which indicates the
> provider, not the OpenID itself.
>
> This is my problem. It should be clear if the given URL is an OpenID, or
> an OpenID provider URL. Currently, OpenIDs are given, but titled
> "provider".

And Yahoo! advertises it inside the host-meta file like this:

<Link rel='http://specs.openid.net/auth/2.0/provider'
href='https://open.login.yahooapis.com/openid/op/auth'>
<Title>OpenID 2.0 Provider</Title>
</Link>

This does not convey to the visited site what one's OpenID ID is, unfortunately. I think having this here is perfectly fine if there was another link relation type in the LRDD file that indicated the OpenID identity. I'm not sure if one is generally used, but there is certainly nothing written in a spec anywhere that I've seen.

Paul
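
Added example, not part of the thread and not any participant's code: a relying-party sketch that reads the provider-typed Link from an LRDD document and then uses HTML-based discovery on the href to decide whether it is the user's OpenID or the provider endpoint itself. The XRD wrapper, the acct: subject, the PAGES stand-in for HTTP fetches and the "no openid2.provider link means endpoint" rule are assumptions made for illustration; XRDS/Yadis discovery is not covered.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
PROVIDER_REL = "http://specs.openid.net/auth/2.0/provider"

# Constructed LRDD document wrapping the Link element quoted in the thread.
LRDD_XRD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:user@example.com</Subject>
  <Link rel="http://specs.openid.net/auth/2.0/provider"
        href="https://openid.packetizer.com/paulej"/>
</XRD>"""

# Constructed stand-ins for the response bodies a real client would fetch.
PAGES = {
    "https://openid.packetizer.com/paulej":
        '<html><head><link rel="openid2.provider" '
        'href="https://openid.packetizer.com/login/"/></head></html>',
    "https://openid.packetizer.com/login/": "<html><head></head></html>",
}

class _LinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.provider = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "openid2.provider" in (a.get("rel") or "").split():
            self.provider = self.provider or a.get("href")  # first match wins

def provider_links(xrd_text):
    # Stdlib parser for brevity; use a hardened one (e.g. defusedxml) on untrusted XML.
    root = ET.fromstring(xrd_text)
    return [l.get("href", "").strip()  # tolerate stray whitespace in href
            for l in root.iter(XRD_NS + "Link") if l.get("rel") == PROVIDER_REL]

def classify(href, fetch=PAGES.get):
    """Return (claimed_id, op_endpoint); claimed_id is None if href is the endpoint."""
    if not href.startswith("https://"):
        raise ValueError("refusing non-HTTPS discovery target")
    finder = _LinkFinder()
    finder.feed(fetch(href) or "")
    if finder.provider:            # href is a user page delegating to a provider
        return href, finder.provider
    return None, href              # nothing delegated: treat href as the endpoint
```

Either way the LRDD value is only a hint: the identifier a site ends up trusting is the one the provider asserts and the site verifies during the OpenID exchange.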
