Phillip B Oldham <[EMAIL PROTECTED]> writes:

> I think maybe there's some misunderstanding. The protocol isn't the
> issue; I'm happy to use whatever (HTTP, LDAP, SOAP, XMPP, etc). The
> issue is that OpenID, by its name, is open. We don't want to allow
> anyone with an openid account to register with our webapps

Then don't do that. The OpenID protocol says nothing whatsoever about
*which* OpenIDs your service will accept.

> we simply want to centralise registration and sign-on for our
> employees.

Then you should reject any attempt to authenticate with an OpenID that
you don't accept.

This could be done by, as one possible example, only accepting OpenIDs
of the form ‘http://example.com/openid/username’ (or whatever URL path
you deem useful), and ensuring that you control the OpenID provider
that serves those OpenIDs.

-- 
 \      “He who allows oppression, shares the crime.” —Erasmus Darwin, |
  `\                                     grandfather of Charles Darwin |
_o__)                                                                  |
Ben Finney
--
http://mail.python.org/mailman/listinfo/python-list
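The allowlist check described above, written out as an added Python example (not code from the thread or from any OpenID library). It assumes the site's own OpenIDs look like `http://example.com/openid/<username>`, that the site's provider endpoint is `https://example.com/openid/server` (a hypothetical value), and that the `op_endpoint` passed in is the provider endpoint the consumer library has already verified the assertion's signature against.

```python
import re
from urllib.parse import urlsplit

# Constructed values: the host and identifier path form taken from the reply above.
ALLOWED_HOST = "example.com"
ALLOWED_SCHEMES = {"http", "https"}
# Only http(s)://example.com/openid/<username>; username restricted to a safe charset,
# so '..', '/', '?' and similar can never form part of an accepted identifier.
IDENT_PATH = re.compile(r"^/openid/([A-Za-z0-9._-]{1,64})$")
# Hypothetical endpoint of the provider the site itself controls.
ALLOWED_OP_ENDPOINTS = {"https://example.com/openid/server"}


def allowed_username(claimed_id: str):
    """Return the username if claimed_id is one of our own OpenIDs, else None."""
    try:
        parts = urlsplit(claimed_id)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    # 'http://example.com@evil.example/openid/bob' parses with userinfo; refuse it,
    # and refuse explicit ports so the host comparison below is exact.
    if parts.username is not None or parts.password is not None or port is not None:
        return None
    # hostname is lower-cased by urlsplit, so case tricks collapse to one comparison.
    if parts.hostname != ALLOWED_HOST:
        return None
    if parts.query or parts.fragment:
        return None
    match = IDENT_PATH.match(parts.path)
    return match.group(1) if match else None


def is_acceptable_assertion(claimed_id: str, op_endpoint: str) -> bool:
    """Accept only if the identifier is ours AND it was asserted by our own provider.

    Checking the identifier alone is not enough: the provider that actually
    answered must be the one the site controls, otherwise any server willing
    to assert 'http://example.com/openid/alice' would be believed.
    """
    return allowed_username(claimed_id) is not None and op_endpoint in ALLOWED_OP_ENDPOINTS
```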