l'essentiel est invisible pour les yeux

Monday, April 14, 2008

OP Identifier and Claimed Identifier, easier OpenID Identifier.

It may be less well known, but you can sign in to an RP that supports OpenID authentication with only an OP Identifier (myopenid.com, yahoo.com, etc.). For example, I have a myOpenID account as Rakuto Furutani, so I can sign in with my OpenID URL (aka OP-Local Identifier), but I can also sign in to the RP with only the OP's host name.



Why can we sign in with only the OP's host name (aka OP Identifier)?

1. First, the OpenID library obtains the Yadis document from the OP Identifier. This step can be emulated with curl. This discovery step is defined in the Yadis specification.


% curl -H "Accept: application/xrds+xml" http://www.myopenid.com/

The response is an XRDS document:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns="xri://$xrd*($v*2.0)">
<XRD>

<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/sreg/1.0</Type>
<URI priority="0">http://www.myopenid.com/server</URI>
</Service>

</XRD>
</xrds:XRDS>


The OpenID client obtains the OP Endpoint URL, "http://www.myopenid.com/server", and initiates the OpenID authentication request with that endpoint. If authentication succeeds, it receives a response (aka Positive Assertion), which includes parameters such as the following:


{"openid.claimed_id"=>"http://rakuto.myopenid.com/",
"openid.mode"=>"id_res",
"openid.return_to"=>"http://localhost:3000/consumer/complete",
"openid.sig"=>"4fAHQGtaUgCjsrMAfue/Qi+k32w=",
"openid.ns"=>"http://specs.openid.net/auth/2.0",
"openid.op_endpoint"=>"http://www.myopenid.com/server",
"openid.response_nonce"=>"2008-04-14T13:27:18ZCEGxaV",
"openid.identity"=>"http://rakuto.myopenid.com/",
"openid.assoc_handle"=>"{HMAC-SHA1}{4e02f931}{EAZGvE==}",
"openid.signed"=>
"assoc_handle,claimed_id,identity,mode,ns,op_endpoint,response_nonce,return_to,signed"}


The client library obtains the Claimed Identifier from openid.identity (here it carries the same URL as openid.claimed_id), and by running discovery on it, it can also obtain our own XRDS document. This is how the RP confirms that the OP endpoint which signed the assertion is the one discovery yields for that identifier:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns:openid="http://openid.net/xmlns/1.0"
xmlns="xri://$xrd*($v*2.0)">
<XRD>

<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/sreg/1.0</Type>
<Type>http://openid.net/extensions/sreg/1.1</Type>
<Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<URI>http://www.myopenid.com/server</URI>
<LocalID>http://rakuto.myopenid.com/</LocalID>
</Service>

<Service priority="1">
<Type>http://openid.net/signon/1.1</Type>
<Type>http://openid.net/sreg/1.0</Type>
<Type>http://openid.net/extensions/sreg/1.1</Type>
<Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<URI>http://www.myopenid.com/server</URI>
<openid:Delegate>http://rakuto.myopenid.com/</openid:Delegate>
</Service>

<Service priority="2">
<Type>http://openid.net/signon/1.0</Type>
<Type>http://openid.net/sreg/1.0</Type>
<Type>http://openid.net/extensions/sreg/1.1</Type>
<Type>http://schemas.openid.net/pape/policies/2007/06/phishing-resistant</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<URI>http://www.myopenid.com/server</URI>
<openid:Delegate>http://rakuto.myopenid.com/</openid:Delegate>
</Service>

</XRD>
</xrds:XRDS>
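The discovery and matching steps described above, written out as an added example (this is not code from the post or from any OpenID library): it selects the OpenID 2.0 Service element from an XRDS document and checks a positive assertion's op_endpoint and identity against that discovery result. The XRDS text is a constructed sample modelled on the documents above; the function names are my own.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_TYPES = {"http://specs.openid.net/auth/2.0/server",
                 "http://specs.openid.net/auth/2.0/signon"}

# Constructed XRDS modelled on the claimed-identifier document above. The OpenID 1.x
# entry deliberately gets the lower priority number: selection must filter by Type
# before it sorts by priority, or an RP ends up on the wrong protocol version.
CLAIMED_ID_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0"
           xmlns="xri://$xrd*($v*2.0)"><XRD>
<Service priority="0"><Type>http://openid.net/signon/1.1</Type>
<URI>http://www.myopenid.com/server</URI>
<openid:Delegate>http://rakuto.myopenid.com/</openid:Delegate></Service>
<Service priority="1"><Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>http://www.myopenid.com/server</URI>
<LocalID>http://rakuto.myopenid.com/</LocalID></Service>
</XRD></xrds:XRDS>"""


def discover(xrds_text):
    """Return (op_endpoint, local_id) from the best OpenID 2.0 <Service>, else (None, None)."""
    def tag(name):
        return "{%s}%s" % (XRD_NS, name)
    best = None
    for svc in ET.fromstring(xrds_text).iter(tag("Service")):
        types = {t.text.strip() for t in svc.findall(tag("Type"))}
        if not types & OPENID2_TYPES:
            continue  # OpenID 1.x services use openid:Delegate, not LocalID
        prio = int(svc.get("priority", "999"))  # lower number = preferred
        local = svc.findtext(tag("LocalID"))
        if best is None or prio < best[0]:
            best = (prio, svc.findtext(tag("URI")).strip(), local.strip() if local else None)
    return (best[1], best[2]) if best else (None, None)


def assertion_matches_discovery(params, xrds_text):
    """OpenID 2.0 section 11.2 check: the op_endpoint and identity in a positive
    assertion must agree with discovery on openid.claimed_id. Signature and nonce
    verification are separate steps and are not performed here."""
    endpoint, local_id = discover(xrds_text)
    signed = set(params.get("openid.signed", "").split(","))
    if not {"op_endpoint", "claimed_id", "identity", "return_to"} <= signed:
        return False
    if endpoint is None or params.get("openid.op_endpoint") != endpoint:
        return False
    expected_identity = local_id or params.get("openid.claimed_id")
    return params.get("openid.identity") == expected_identity
```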



Conclusion
If you use a URL as your OpenID Identifier, you don't need to type "http://" or your Claimed Identifier, because that is the client library's job. Your Claimed Identifier is obtained by the RP, so you only have to input your OP's host name.

e.g. myopenid.com, yahoo.com, etc.