Hey Craig,

On Fri, Mar 26, 2010 at 9:33 PM, Craig Andrews <[email protected]> wrote:
> I'm trying to write the code to make the OpenID server automatically
> delegate to another OpenID configured by the user.

Neat!

> According to the spec at
> http://openid.net/specs/openid-authentication-1_1.html#delegating_authentication
> I need to know "openid.server" and "openid.delegate" - how do I get those
> 2 values from an OpenID?

openid2.provider and openid2.local_id respectively.

> I could discover these values when the user enters their OpenID, and save
> them to the database. But what if the OpenID pointed to has a change? For
> example, what if the user enters an OpenID that delegates to somewhere
> else, and then the delegation configuration changes? (For example, the
> user enters "http://candrews.integralblue.com" as their OpenID, which
> delegates to "http://candrews.myopenid.com" then later, the user decides
> that "http://candrews.integralblue.com" should delegate to
> "http://sf.net/candrews" instead).
>
> So storing "openid.server" and "openid.delegate" to the database doesn't
> seem to work. We could discover these values when the page is rendered,
> but that means each hit to a profile page results in at least one HTTP
> request to the OpenID specified by the profile page's owner, and if that
> OpenID delegates to some place else, that's an additional HTTP request.
> This option seems too expensive. We could use memcache to mitigate the
> hits, but it still seems to be too much.
>
> So, in a nutshell, I don't know how to implement OpenID delegation. Help?

As a bit of a purist, delegation is explicitly supposed to be user choice,
so automagically determining who to delegate to (or if the user wants to
delegate at all) seems like a bad idea to me. For instance, I might use
http://walkah.net/ to log in to http://james.status.net/ ... but actually
want to use james.status.net as the authority for my status.net related
logins. If you're automagically delegating that to walkah.net, that's not
what I've chosen.

One option would be to have an option under the associated OpenIDs that
says "delegate to this identity" at which point you could do discovery to
grab the right information. I'd also recommend populating the XRDS file -
as that's actually looked at first in Yadis.

How's that sound?

--
James Walker :: http://walkah.net/

_______________________________________________
StatusNet-dev mailing list
[email protected]
http://lists.status.net/mailman/listinfo/statusnet-dev
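The HTML-based discovery step James refers to (reading openid2.provider / openid2.local_id, or the OpenID 1.1 names openid.server / openid.delegate, from the identity page) is shown below as an added example; it is not StatusNet's code and not from either poster. It assumes the identity page has already been fetched over HTTP, uses only the Python standard library, and the sample pages are constructed for the example. Two details a practitioner wants are handled: only link tags inside the document head count (a link in user-controllable body content must not redirect discovery), and when no local identifier is present the claimed identifier itself is used, as the OpenID 2.0 spec prescribes.

```python
"""Offline OpenID HTML discovery: extract provider endpoint and local id.

Added illustration for the thread, not StatusNet's own code. Discovery
is meant to run when the user performs a login or explicitly chooses to
delegate, not on every profile-page render.
"""
from html.parser import HTMLParser

# Link relations from the two spec versions named in the thread.
OPENID2_PROVIDER = "openid2.provider"
OPENID2_LOCAL_ID = "openid2.local_id"
OPENID1_SERVER = "openid.server"
OPENID1_DELEGATE = "openid.delegate"


class _HeadLinkCollector(HTMLParser):
    """Collects <link rel=... href=...> tags that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}          # rel token -> first href seen for it
        self._head_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            # Anything after <head> is untrusted page content for discovery.
            self._head_closed = True
        if tag != "link" or self._head_closed:
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if not rel or not href:
            return
        # rel may hold several whitespace-separated, case-insensitive tokens.
        for token in rel.lower().split():
            self.links.setdefault(token, href.strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self._head_closed = True


def discover_from_html(claimed_id, html):
    """Return discovery info for an identity page, or None if none found.

    Prefers OpenID 2.0 relations, falls back to 1.1 names. If the page
    gives no local id / delegate, the claimed id is the local id.
    """
    collector = _HeadLinkCollector()
    collector.feed(html)
    links = collector.links
    if OPENID2_PROVIDER in links:
        provider = links[OPENID2_PROVIDER]
        local_id = links.get(OPENID2_LOCAL_ID, claimed_id)
        version = 2
    elif OPENID1_SERVER in links:
        provider = links[OPENID1_SERVER]
        local_id = links.get(OPENID1_DELEGATE, claimed_id)
        version = 1
    else:
        return None
    return {"claimed_id": claimed_id, "provider": provider,
            "local_id": local_id, "version": version}


# Constructed sample: a page that delegates with both 1.1 and 2.0 tags,
# plus a link in the body that discovery must ignore.
SAMPLE_DELEGATING_PAGE = """<html><head>
<title>alice</title>
<link rel="openid.server" href="https://op.example.net/server">
<link rel="openid.delegate" href="https://op.example.net/users/alice">
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/users/alice">
</head><body>
<link rel="openid2.local_id" href="https://ignored.example/not-alice">
</body></html>"""

# Constructed sample: OpenID 1.1 page with a server but no delegate.
SAMPLE_NO_DELEGATE_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example.net/server">
</head><body>hi</body></html>"""


if __name__ == "__main__":
    print(discover_from_html("https://alice.example/", SAMPLE_DELEGATING_PAGE))
    print(discover_from_html("https://bob.example/", SAMPLE_NO_DELEGATE_PAGE))
```

The result is what a relying party would hand to the provider for the current login; storing it long-term is exactly the staleness problem Craig describes, which is why the thread ties discovery to the user's explicit "delegate to this identity" action rather than to profile rendering.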
