Technometria

Home
Why Technometria?
RSS
Atom
Podcast Feed
Add to Google

Recommend This Site

About Phil

Brief Bio
Contact Info
Phil on Twitter
Speaking
InfoWorld
Photo Albums
Video Favorites
CTO Breakfast

Essays

2006
2005
2004
2003
CIO White Papers

Software

Packages

Topic Guides

Understanding RSS
Digital ID Policies
Understanding VoIP
Internet Application Performance
Setting Up a Linux Server
Public Service Tips

Categories

Blog TagCloud

Archives

September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
September 2003
August 2003
July 2003
June 2003
May 2003
April 2003
March 2003
February 2003
January 2003
December 2002
November 2002
October 2002
September 2002
August 2002
July 2002
June 2002
May 2002

Utah Tech Organizations

BYU Unix User's Group
Provo Linux User's Group
Utah Valley Linux User's Group
Ubuntu Utah
Salt Lake LUG
USU Free Software and Linux Club
Greater Utah BSD User Group
Utah PHP Users Group
Utah Python User Group
Utah Ruby Users Group
Ogden Area LUG
Southern Utah Unix Users Group
UtahSAINT

Copyright

Copyright © 2002-2006 PJW LC. Some rights reserved. Technometria is a trademark of PJW LC in the United States and other countries.

« Facebook As Platform | Main | New Features on Utah.gov »

Using XRDS

Back when people were trying to bring OpenID, LID, and i-names together, something called Yadis was born. At the time, it was all pretty abstract to me, but over time I’ve come to understand more of the details. Yadis was a discovery protocol for identifiers that was based on XRDS, or eXtensible Resource DescriptorS.

The basic idea was that when you resolved an identifier, you’d get back an XRDS document that would tell you which authentication service the identifier was associated with. I’ll talk about the details of how this happens in a minute. First, let’s talk about why and what.

One of the things an XRDS document can contain is a pointer to an authentication service. IN fact, that’s the most common usage pattern at present. So, when you enter an i-name or a URL into an application that understands Yadis, it will retrieve the XRDS document, look for an authentication service type and endpoint and then use that authentication service. So, the same URL could be an OpenID or a LID identifier depending on what the XRDS document contains that is at that URL.

Yadis has been folded into OpenID 2.0, so from now on, I’ll not mention Yadis specifically—any OpenID 2.0 relying party or identity provider will understand XRDS.

XRDS documents are just XML. So, they’re mostly human readabe and editable. But, like most complicated XML, you can get confused pretty fast. The XRI resolution specification is the document that describes how XRDS works. An XRDS document is a collection of services. For example, here’s the OpenID service descriptor on my i-name: 

<xrd:Service>

    <xrd:Type xrd:select='true'>
      http://openid.net/signon/1.0
    </xrd:Type>

    <xrd:URI xrd:priority='1' xrd:append='qxri'>
      https://2idi.com/openid/
    </xrd:URI>

    <xrd:URI xrd:priority='2' xrd:append='qxri'>
      http://2idi.com/openid/
    </xrd:URI>

</xrd:Service>

This says that if I enter my i-name (=windley) at a place that understands OpenID 2.0, that I want to use 2idi’s OpenID identity provider as my authentication service. If I changed this XRDS document, I could use MyOpenID.com or any other authentication service transparently to the relying party.

XRDS is more than just a way of pointing to authentication services, however. Andy Dale left a comment about XRDS in response to my post on Sun’s support of OpenID and their linking it to employment. He points out that XRDS could be used, in this case, to point to an attribute exchange service that would have attributes giving employment status or even a more general reputation service. He points out that:

The trick is having OpenID providers expose the XRDS to end users in a way that is useful to them. By that I mean a) They have the ability to ‘change’ their own XRDS. b) Providers support an automatic provisioning protocol so that end users can easily adopt new services without having to craft XML and manually edit their XRDS.

He expanded on his comment in blog post on using XRDS and then expanded on that in a follow up. He points out, that a user had their Flickr feed listed as a http://photo.feed/1.0 type service in their XRDS wouldn’t have to tell applications that need that info anything about it—just entering their identifier would allow another application to find out which service providers that person used.

So, how do you return an XRDS document from an identifier? The simplest way is to sign up for an OpenID or an i-name and let the identity provider do it for you. The problem is that most IdPs don’t currently allow you to change the contents of your XRDS doc easily. 2idi, the i-name broker I use does. So, as long as I’m happy just using my i-name, that works.

If I want to return an XRDS document that I control from a URL I’m using as an identifier, I probably need to serve it up myself. If you’re running your own Web server, that’s not to hard. This write up by Josh Hoyt shows how to configure a URL that returns an XRDS document using Apache and some modules (no code).

The basic idea is that I want a URL, say http://phil.windley.org to return it’s normal content (from index.shtml in my case) for anything that’s not asking for xml+xrds content. That can be accomplished using mod_negotiation to do content negotiation, mod_headers to add the right headers to the response, and mod_rewrite to redirect to the appropriate location (the XRDS doc or the index.shtml document.

This gives you a way of configuring XRDS-style services on whatever URL you want to use as an identifier. You still need to edit the XML by hand, but at least you can.

As an aside, it strikes me that you could use this same trick to put a WADL discovery document for a RESTful API at the API URL and return it when the request specifically set the content type to xml+wadl. A nice way of overloading the URL so that it’s the service endpoint and the discovery endpoint all at the same time. Of course, some are bound to object that this isn’t very RESTful.

So, that’s basically everything I know about XRDS. I plan to XRDS enable on of my identifying URLs and play with it some more. I’ll let you know how the experiment goes.

Posted by windley on May 31, 2007 11:26 AM

See related posts:

 Share this article on Facebook
 Email this article to a friend
  Post this article to del.icio.us
 Format this article for printing
 Get the SNUrlfor this page

6 Comments

Comment from Bryant Cutler at May 31, 2007 1:16 PM

I would just add that in addition to pointing to a service endpoint, URIs can be included that describe the optional features supported by the identity provider (like SimpleRegistration and SimplePermissions) as well as which version of the OpenID protocol the IdP supports.

Comment from josephcp at May 31, 2007 9:39 PM

I think it'd be amazing when people fully take advantage of XRDS and those XRDS services begin interacting with each other. It'd be like "Add/Remove Programs" for the web.

RE: Your recent Flickr idea:
I've got a half-working app of that idea on http://openidr.mekov.com/
(it currently doesn't consume XRDS-Flickr data, but it does consume a contactlist defined in XRDS).

Comment from Michael Yang at May 31, 2007 11:06 PM

josephcp, is your site working properly now? I tried many times and kept getting errors, even I accessed your i-name =jcp

"User =jcp does not have a friends service linked to their identity."

Comment from josephcp at June 1, 2007 12:32 AM

I don't have that account linked to this service (I'm using another identity for testing).

The reason you can't view it is because you're not on my contactlist, and so you won't be able to view my private pictures. If you (or anyone else for that matter) want to, fire me an email http://xri.net/=jcp and then I'll add you to my contacts so you can view my friendsonly flickr pictures (and then try accessing it on another OpenID -- it will not work). Anyone NOT on my contactlist will not be able to access the pictures associated with my identity. It's less a flickr demo than a contacts demo. The idea is that with a single namespace(your uri), you can build associations with other people and that implies that you trust them to have greater access to information. And this access control list should be portable on any website you use, as many sites have social-networking components builtin.

In fact, I haven't even written the part that will consume Pictures XRDS data yet -- it only consumes contactlist data. However, the fundamental idea of XRDS-as-a-service is still there. It will consume your Jyte-contacts as a part of your identity if the service URI is in the XRDS file.

P.S. I guess it was Andy Dale that made that comment about Flickr originally? Apologies, I only quickly scan my RSS items ;-)

Comment from =Andy at June 4, 2007 1:10 PM

Great post Phil. I am still trying to wrangle my own brain into a clear enough understanding of the uses and abuses of XRDS so I can communicate them clearly. I have continued the brain dump on my blog… I think I’m starting to clarify the most important fact… SEPs in XRDS must be considered self asserted claims and must therefore be validated via external mechanisms and not simply trusted.

Comment from Richard Conlan at October 7, 2007 12:42 PM

Sorry if this is silly as I am not to XRDS, but where in your XRDS file does it specify OpenID 2.0? All I see is a 1.0 in there?

Leave a comment

I encourage you to leave a comment below. Your email address will not be displayed on Technometria, but allows me to communicate with you directly. Your email address won't be displayed, but will be used to compute a MicroID for your comment.