Why we need Discovery URL in OpenID

Tags:

openid

Like https://www.google.com/accounts/o8/id and https://me.yahoo.com: they send me the endpoint (https://www.google.com/accounts/o8/ud for Google and https://open.login.yahooapis.com/openid/op/auth for Yahoo). So my question is: can I skip this and just use the endpoint?

nvcnvn asked May 20 '11 15:05





1 Answer

For the initiation and discovery phase of the OpenID protocol, a user may pass either a URI or an XRI. If a URI is given, then the YADIS protocol must be followed to find the service endpoint.

If the URL given is different to the endpoint, then the URL becomes the 'claimed identifier' and the OpenID provider can also provide an 'OP local identifier'. A user does not need to specify an endpoint URL when initiating the protocol. Therefore this step should not be skipped.

As part of the discovery phase, various OpenID extensions may also be discovered which may be helpful to your application.

The OpenID protocol is documented pretty well.

However, there is no reason why you can't cache the results of the discovery. Whilst you could write code to skip the discovery phase if the Yahoo! or Google endpoint URL is given, a cache is a more generalised solution that will not break if the extensions available are altered.

bearvrrr answered Jan 03 '23 13:01

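The discovery step the answer describes, as an added example that is not part of the original question or answer: it parses a YADIS/XRDS document for the OpenID 2.0 service element, pulls out the OP endpoint, the OP-local identifier and any advertised extensions, and caches the result per claimed identifier so the relying party only rediscovers after a TTL. The XRDS text, the `op.example.test` host and the `DiscoveryCache` class are constructed for this example.

```python
import time
import xml.etree.ElementTree as ET

SIGNON = "http://specs.openid.net/auth/2.0/signon"  # service for a claimed identifier
SERVER = "http://specs.openid.net/auth/2.0/server"  # service for an OP identifier
IDENT_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

def _name(tag):  # drop the XRD namespace so matching does not depend on its URI
    return tag.rsplit("}", 1)[-1]

def parse_xrds(claimed_id, xrds_text):
    # XRDS is fetched from a user-supplied URL: treat it as untrusted input.
    best = None
    for svc in ET.fromstring(xrds_text).iter():
        if _name(svc.tag) != "Service":
            continue
        kids = [(_name(c.tag), (c.text or "").strip()) for c in svc]
        types = {t for n, t in kids if n == "Type"}
        uris = [t for n, t in kids if n == "URI" and t]
        if not uris or not types & {SIGNON, SERVER}:
            continue  # some other YADIS service, not OpenID 2.0
        prio = int(svc.get("priority", 2**31 - 1))  # lower value wins
        if best is None or prio < best[0]:
            local = next((t for n, t in kids if n == "LocalID" and t), None)
            best = (prio, uris[0], types, local)
    if best is None:
        raise ValueError("no OpenID 2.0 service element in XRDS")
    _, endpoint, types, local = best
    if SERVER in types:  # user typed the OP's URL; the OP will assert who they are
        claimed = local = IDENT_SELECT
    else:  # without a LocalID the OP-local identifier is the claimed identifier
        claimed, local = claimed_id, local or claimed_id
    return {"endpoint": endpoint, "claimed_id": claimed, "local_id": local,
            "extensions": sorted(types - {SIGNON, SERVER})}

class DiscoveryCache:  # per-claimed-identifier cache; rediscover after ttl seconds
    def __init__(self, ttl=3600):
        self.ttl, self._d = ttl, {}
    def get(self, claimed_id, now=None):
        exp, disc = self._d.get(claimed_id, (0, None))
        return disc if exp > (time.time() if now is None else now) else None
    def put(self, claimed_id, disc, now=None):
        self._d[claimed_id] = ((time.time() if now is None else now) + self.ttl, disc)

# Constructed sample document (not from a real provider): a signon service
# advertising the Attribute Exchange extension and an OP-local identifier.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
<Service priority="10"><Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/srv/ax/1.0</Type><URI>https://op.example.test/openid/auth</URI>
<LocalID>https://op.example.test/id/alice</LocalID></Service></XRD></xrds:XRDS>"""
```

Swapping the service type for the `server` URI (what an OP identifier such as a provider's front page publishes) makes the function return `identifier_select` for both identifiers, which is why the endpoint alone is not enough to start the protocol.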