On Mon, Mar 22, 2010 at 11:52 AM, Paul E. Jones <[email protected]> wrote:

> John,
>
> I'd assume RPs will know how to do webfinger, but I don't think we need to
> tightly bind the OpenID and webfinger specs.


It seems that decoupling the forms of identifiers from the OpenID spec in
v.Next would be a good thing, paving the way for making XRI an optional
identifier format (given that several libraries and implementations don't
support that format as it is).

Still, from a user perspective, having clarity on what kind of identifier
they should type into the box (presuming we give them a text field) is
extremely important, as is consistency in the user experience from site to
site.

That is, if I can use an email-style identifier on one site, but not another
(even if both advertise support for "OpenID") I'm going to be pissed (or at
best, confused). So — we'd need to find the right balance of extracting the
identifier formats from the mainline spec, but doing the work to encourage
developers to support the most common identifiers (i.e. URLs and email-style
identifiers).


>
> Can we assume that if a user enters [email protected] that the RP might
> formulate an acct: URI type and then perform a query for
> acct:[email protected]?  I think that's a reasonable assumption, since
> that's likely going to be the natural way people would expect it to work.
>

That seems reasonable, but writing up the proper transformation algorithm
would be the job of WebFinger, I'd imagine.


>
> The real question is: what should it be looking for in the XRD document
> returned for an acct: URI?
>
> What I'm suggesting is this:
>
> <Link rel='http://openid.net/identity'
>      href='http://openid.packetizer.com/paulej'/>
>
> What Google is presently returning is this:
>
> <Link rel='http://specs.openid.net/auth/2.0/provider'
>       href='http://openid.packetizer.com/paulej'/>
>
> I suppose it's six of one or half a dozen of another.  However, the latter
> seems to suggest it's not the user's identity URL, but rather a pointer to
> the provider.  But, I think the intent is return the user's OpenID ID in
> that href, right?
>
> So, what value should we use for the link relation?
>

Not necessarily.

In fact, I could enter [email protected] but authenticate as
[email protected], with my provider returning http://provider.com/bill as my
claimed ID. Furthermore, SREG or Attribute Exchange might come back with
[email protected] as my email address, or something entirely different from
what I entered on the RP.

Therefore, what the user types into the box really is only a hint as to
where one's provider exists on the web, and may not be the correct
identifier itself. This is even more true in the case of delegation, though
I don't know how that might be properly handled with the use of
WebFinger/acct: URIs.

Chris

> -----Original Message-----
> > From: John Panzer [mailto:[email protected]]
> > Sent: Monday, March 22, 2010 2:28 PM
> > To: Paul E. Jones
> > Cc: Dirk Balfanz; [email protected]
> > Subject: Re: WebFinger at Google
> >
> > Assuming you want to use the ID the user entered, I think openid rps
> > would need to know about acct: at least.
> >
> > On Monday, March 22, 2010, Paul E. Jones <[email protected]> wrote:
> > >
> > > Dirk,
> > >
> > > Thanks for the clarification.  I now understand the reasoning.
> > >
> > > I would not want to require the OpenID spec to handle acct: URI types,
> > > per se, but it would be nice if the OpenID RPs would pre-process
> > > whatever the user enters and use webfinger to determine the OpenID ID
> > > if whatever is entered looks like an email address.  Do we need to
> > > change the OpenID spec to make that happen?  I think these steps could
> > > be independent.
> > >
> > > You’ve certainly made a valid point for why this ought not be the
> > > “signon” URI.  But, is “provider” the right word?  What I really want
> > > is to simply map the thing that looks like an email address into the
> > > OpenID ID.
> > >
> > > How about this: http://openid.net/identity
> > >
> > > This would refer to the “claimed ID” (if that’s not too confusing with
> > > openid.identity).
> > >
> > > I removed all of the version information, since I assume my OpenID ID
> > > would never change from one version of OpenID to another.  If it did,
> > > users would have never-ending frustration with identifiers.  So, I
> > > think we can assume this will be fixed.
> > >
> > > So, the XRD document might contain:
> > >
> > > <Link rel='http://openid.net/identity'
> > >       href='http://openid.packetizer.com/paulej' />
> > >
> > > I think this is basically the same thing as using “provider”, but I
> > > think it is clearer that it’s not the OpenID provider / server /
> > > whatever, but merely the user’s OpenID ID.  Once this transformation
> > > is made, then the normal OpenID RP procedures would be followed to find
> > > the OP Endpoint URL, as you explained below.
> > >
> > > In any case, I guess it does not make a lot of difference whether we
> > > use:
> > >
> > > http://openid.net/identity
> > >
> > > or
> > >
> > > http://specs.openid.net/auth/2.0/provider
> > >
> > > But, given this ought to be a constant mapping (acct: URIs to OpenID
> > > identity URIs), I prefer the former.
> > >
> > > Whatever the case, how can we settle on this and set it in stone?  I
> > > think getting agreement quickly is more important than the particular
> > > value.
> > >
> > > Paul
> > >
> > > From: Dirk Balfanz [mailto:[email protected]]
> > > Sent: Monday, March 22, 2010 12:02 PM
> > > To: Paul E. Jones
> > > Cc: [email protected]
> > > Subject: Re: WebFinger at Google
> > >
> > > On Fri, Mar 19, 2010 at 10:17 AM, Paul E. Jones <[email protected]> wrote:
> > >
> > > Folks,
> > >
> > > Google appears to have Webfinger enabled on some accounts, at least.
> > > You can see it with this:
> > >
> > > curl http://gmail.com/.well-known/host-meta
> > >
> > > That returns this:
> > >
> > > <?xml version='1.0' encoding='UTF-8'?>
> > > <!-- NOTE: this host-meta end-point is a pre-alpha work in progress.   Don't rely on it. -->
> > > <!-- Please follow the list at http://groups.google.com/group/webfinger -->
> > > <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
> > >      xmlns:hm='http://host-meta.net/xrd/1.0'>
> > >   <hm:Host xmlns='http://host-meta.net/xrd/1.0'>gmail.com</hm:Host>
> > >   <Link rel='lrdd'
> > >         template='http://www.google.com/s2/webfinger/?q={uri}'>
> > >     <Title>Resource Descriptor</Title>
> > >   </Link>
> > > </XRD>
> > >
> > > Now, querying the LRDD URL like this:
> > >
> > > curl http://www.google.com/s2/webfinger/?q=acct:<user>@gmail.com
> > >
> > > will return an XRD document, one of whose members is this:
> > >
> > > <Link rel='http://specs.openid.net/auth/2.0/provider'
> > >       href='http://www.google.com/profiles/<user>'/>
> > >
> > > The href value might vary, but that’s what it returned for my account.
> > > What concerns me is the link relation value:
> > > http://specs.openid.net/auth/2.0/provider
> > >
> > > Where did that come from?  The 2.0 spec defined two possible values:
> > >
> > > http://specs.openid.net/auth/2.0/server
> > > http://specs.openid.net/auth/2.0/signon
> > >
> > > However, I cannot find the one Google is using defined anywhere, though
> > > I did see it referenced here:
> > >
> > > http://code.google.com/p/webfinger/source/browse/wiki/CommonLinkRelations.wiki?spec=svn22&r=22
> > >
> > > Is this an error?  If not, can somebody point me to the correct
> > > documentation?
> > >
> > > If it is an error, what should the value be?
> > >
> > > I had assumed that the most logical choice was
> > > <http://specs.openid.net/auth/2.0/signon>
> > >
> >
> > --
> > John Panzer / Google
> > [email protected] / abstractioneer.org / @jpanzer
> >
>
>
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
>



-- 
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is:   [ ] shareable    [X] ask first   [ ] private
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
