This blog can't be viewed on LiveJournal. Instead see http://www.apparently.me.uk/18572.html.

  • (comment with no subject)

    Hi Martin,

    To clarify the behaviour of the Microsoft OP, we actually do not ignore openid.identity at all.

    We see 2 scenarios here:

    1. If the incoming openid.identity is http://specs.openid.net/auth/2.0/identifier_select, then we let the user choose which OpenID Alias they want to use to sign in and return back to the RP.

    2. If the incoming openid.identity is something else, we pre-fill and block the OpenID Alias in the login screen from being changed. Naturally, we also provide a Cancel option for users to go to RP to change their claimed identity.

    So if the user enters a specific URI / alias at the RP, they can either sign in to our OP and prove they own that Alias, or they must cancel if they can't / don't.

    We think we are doing the right thing here, but we welcome feedback and discussion from the community.

    Hope that helps to clarify the situation.

    - Jorgen Thelin
    By ext_130600 at 09:40 pm on 28th Oct 2008
    • (comment with no subject)

      Hi Jorgen,

      I think I was mistaken about the Windows Live ID OP. I must confess that I only experimented with it briefly and I may have made an error when I was testing.

      I notice that the directed identity endpoint http://openid.live-int.com/ declares openid2.provider in its HTML, which is not supposed to be declared for a directed identity endpoint. The endpoint is, however, using the Accept header to trigger sending back an XRDS document with the correct information in it, so I think perhaps this was the source of my confusion. Having tried it again now I see that it does work as expected.

      I apologise for posting misleading information. It may be worth considering removing the element from the HTML produced at that endpoint when no Accept header is sent; while no compliant OpenID 2.0 RP should see it, it is a little confusing to humans like me.

      (As a side note, I assume by the fact that you've managed to comment with your live-int.com identifier that LiveJournal has upgraded their RP to support OpenID 2.0, which is good news. My blog only supporting 1.1 was a bit embarrassing. ;))

      By Martin Atkins at 09:55 pm on 28th Oct 2008
    • test

      test
      By ext_130748 at 07:44 pm on 29th Oct 2008
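
Added example, not part of the original thread and not code from any OP or RP mentioned in it: the discovery difference described in Martin Atkins's reply, shown as the authentication request an OpenID 2.0 RP builds from each kind of document. The endpoint https://op.example/, both sample documents and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
SERVER = "http://specs.openid.net/auth/2.0/server"  # XRDS Type: OP Identifier
SIGNON = "http://specs.openid.net/auth/2.0/signon"  # XRDS Type: Claimed Identifier
XRD = "{xri://$xrd*($v*2.0)}"

# Constructed sample documents for a hypothetical endpoint (not captured from a real OP).
URL = "https://op.example/"
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service><Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://op.example/auth</URI></Service></XRD></xrds:XRDS>"""
SAMPLE_HTML = '<html><head><link rel="openid2.provider" href="https://op.example/auth"></head></html>'

class _Links(HTMLParser):
    """Collects <link rel=... href=...> values, first occurrence wins."""
    def __init__(self):
        super().__init__()
        self.rels = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():
                self.rels.setdefault(rel, a["href"])

def request_from_xrds(url, xrds):
    """XRDS discovery: a 'server' Type marks a directed identity endpoint."""
    services = [({t.text.strip() for t in s.findall(XRD + "Type") if t.text}, s)
                for s in ET.fromstring(xrds).iter(XRD + "Service")]
    for wanted in (SERVER, SIGNON):  # OP Identifier elements take precedence
        for types, svc in services:
            if wanted not in types:
                continue
            endpoint = svc.findtext(XRD + "URI", "").strip()
            if wanted == SERVER:  # the OP lets the user pick the identifier
                return {"endpoint": endpoint, "claimed_id": IDENTIFIER_SELECT,
                        "identity": IDENTIFIER_SELECT}
            return {"endpoint": endpoint, "claimed_id": url,
                    "identity": svc.findtext(XRD + "LocalID", url).strip()}
    return None

def request_from_html(url, html):
    """HTML discovery: can only yield a Claimed Identifier, never identifier_select."""
    parser = _Links()
    parser.feed(html)
    if "openid2.provider" not in parser.rels:
        return None
    return {"endpoint": parser.rels["openid2.provider"], "claimed_id": url,
            "identity": parser.rels.get("openid2.local_id", url)}
```

Both documents point at the same endpoint, but a client that reads only the HTML sends the endpoint URL itself as openid.identity, which is the second scenario in Jorgen Thelin's comment rather than the identifier_select one.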