Hello. I think I found a specification bug in the OpenID Authentication 2.0 - Final.
Section 7.2, Normalization, says:

> The end user's input MUST be normalized into an Identifier, as follows:
>
> [...] This final URL MUST be noted by the Relying Party as the Claimed
> Identifier and be used when requesting authentication.

I.e. this section states that the value entered by the end user into the "openid_identifier" field of the login form (after normalization) is the Claimed Identifier. But this is incorrect. According to section 2, Terminology, the Claimed Identifier is the normalization either of the value entered into the login form _or_ of the value the user selects later with the help of the OpenID Provider's web UI (in case the user entered an OP Identifier into the login form instead of his own Identifier). Section 7.3.1, Discovered Information, also confirms that when an OP Identifier was entered by the user into the login form, the Claimed Identifier is unknown at this stage.

For example, Google recommends performing discovery in this way. During the Initiation and Discovery phases the OP Identifier https://www.google.com/accounts/o8/id should be used for any account, and only after successful authentication is the Claimed Identifier returned in the response from the OP.

Fixing this bug will IMO improve the quality of the spec, because the current wording is misleading enough that the OpenID library I am working with unconditionally stores the value entered by the user as the Claimed Identifier and uses it as such in the later stages. (And therefore this library should be fixed.)

Best regards,
- Anton

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
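The Relying Party behaviour the post argues for, as an added example that is not part of the original message or of any OpenID library: section 7.2 normalization of the user's input, the request fields from section 7.3.1 (identifier_select when the input is an OP Identifier), and the section 11.2 check that the Claimed Identifier the RP finally records is the one asserted by the OP and re-discovered, not the login-form value. Discovery is replaced by a constructed in-memory table so the code runs offline; the OP endpoint URLs, the user URL http://example.com/anton/ and the returned Google Claimed Identifier are assumptions, and the RFC 3986 section 6 normalization is only partial (case, default port, empty path, fragment).

```python
"""Added example, not from the post or any OpenID library: RP identifier handling
for OpenID Authentication 2.0 sections 7.2, 7.3.1 and 11.2 with discovery stubbed."""
from urllib.parse import urlsplit, urlunsplit

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
XRI_GCS = "=@+$!("  # XRI global context symbols (section 7.2 step 1)

# Constructed stand-in for Yadis/HTML discovery (section 7.3). The Google OP
# Identifier is the one the post cites; every endpoint URL, the user URL and the
# returned "?id=user123" Claimed Identifier are assumed sample data.
DISCOVERY = {
    "https://www.google.com/accounts/o8/id": {
        "is_op_identifier": True,
        "op_endpoint": "https://op.google.example/endpoint",
        "op_local_id": None,
    },
    "https://www.google.com/accounts/o8/id?id=user123": {
        "is_op_identifier": False,
        "op_endpoint": "https://op.google.example/endpoint",
        "op_local_id": None,
    },
    "http://example.com/anton/": {
        "is_op_identifier": False,
        "op_endpoint": "https://op.example.net/endpoint",
        "op_local_id": "http://op.example.net/users/anton",
    },
}


def normalize_identifier(user_input):
    """Section 7.2: turn the end user's input into ("xri"|"url", identifier)."""
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GCS:
        return ("xri", s)
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    p = urlsplit(s)
    scheme, host = p.scheme.lower(), p.netloc.lower()
    if (scheme, host.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        host = host.rsplit(":", 1)[0]  # drop default port
    # Fragment dropped, empty path becomes "/". Redirect following and the rest of
    # RFC 3986 section 6 (percent-encoding, dot segments) are omitted here.
    return ("url", urlunsplit((scheme, host, p.path or "/", p.query, "")))


def discover(identifier):
    """Stub for section 7.3 discovery; unknown identifiers fail like a 404 would."""
    try:
        return DISCOVERY[identifier]
    except KeyError:
        raise ValueError("discovery failed for %s" % identifier)


def build_request(user_input):
    """Section 7.3.1: the Claimed Identifier is known now only if the user entered
    their own Identifier; for an OP Identifier both fields are identifier_select."""
    _kind, ident = normalize_identifier(user_input)
    info = discover(ident)
    if info["is_op_identifier"]:
        claimed = identity = IDENTIFIER_SELECT
    else:
        claimed = ident
        identity = info["op_local_id"] or ident
    return {"openid.claimed_id": claimed, "openid.identity": identity,
            "openid.op_endpoint": info["op_endpoint"]}


def strip_fragment(url):
    """Section 11.2: the fragment is not used when verifying discovered information."""
    return url.split("#", 1)[0]


def claimed_identifier_from_response(request, response):
    """Section 11.2: verify the asserted identifiers against discovery and return
    the Claimed Identifier the RP must record. Raises ValueError on mismatch."""
    claimed, identity = response["openid.claimed_id"], response["openid.identity"]
    if IDENTIFIER_SELECT in (claimed, identity):
        raise ValueError("OP must replace identifier_select with real identifiers")
    if (request["openid.claimed_id"] != IDENTIFIER_SELECT
            and strip_fragment(claimed) != request["openid.claimed_id"]):
        raise ValueError("asserted claimed_id differs from the requested one")
    # Discovery on the *asserted* Claimed Identifier must lead to the responding OP.
    info = discover(strip_fragment(claimed))
    if info["op_endpoint"] != response["openid.op_endpoint"]:
        raise ValueError("op_endpoint does not match discovered information")
    if (info["op_local_id"] or strip_fragment(claimed)) != identity:
        raise ValueError("openid.identity does not match the discovered OP-Local Identifier")
    return claimed


def authenticate(user_input, response):
    """Whole flow; the return value, not the login-form input, is the Claimed Identifier."""
    return claimed_identifier_from_response(build_request(user_input), response)


def accepts(user_input, response):
    """True if the RP would accept this assertion for this login-form input."""
    try:
        authenticate(user_input, response)
        return True
    except ValueError:
        return False


# Constructed positive assertions (only the fields this example checks).
GOOGLE_RESPONSE = {
    "openid.claimed_id": "https://www.google.com/accounts/o8/id?id=user123",
    "openid.identity": "https://www.google.com/accounts/o8/id?id=user123",
    "openid.op_endpoint": "https://op.google.example/endpoint",
}
OWN_RESPONSE = {
    "openid.claimed_id": "http://example.com/anton/",
    "openid.identity": "http://op.example.net/users/anton",
    "openid.op_endpoint": "https://op.example.net/endpoint",
}
# An assertion for Anton's URL signed by the wrong OP must be rejected (section 11.2).
FORGED_RESPONSE = dict(OWN_RESPONSE, **{"openid.op_endpoint": "https://op.google.example/endpoint"})

if __name__ == "__main__":
    print(authenticate("https://www.google.com/accounts/o8/id", GOOGLE_RESPONSE))
    print(authenticate("example.com/anton/", OWN_RESPONSE))
    print(accepts("example.com/anton/", FORGED_RESPONSE))
```

The library the post describes would record https://www.google.com/accounts/o8/id as the Claimed Identifier for every Google user; here `build_request` sends identifier_select for that input and `authenticate` returns the per-user value from the assertion, after re-discovering it, which is the behaviour sections 2 and 7.3.1 require.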
