So I just started using the PIP service from Verisign to handle my OpenID. It’s a pretty solid OpenID implementation from what I’ve seen and has the added bonus of supporting two-factor authentication via the token seen above.
But I was having a problem with delegation, which is where you can enter your own URL for your identifier (think username) when signing in to an OpenID-enabled site.
I was told to use this:
…but that doesn’t work when signing into certain sites, such as the Identity Gang Wiki. You can sign into it using your full PIP URL, but not using delegation with the code seen above.
So I talked to the nice folks at Verisign and was put in touch with Gary Krall. He was most helpful. We determined that my delegation code wasn’t quite what it needed to be.
He suggested the following, which worked great:
That worked for me and should for you as well, but I got curious and decided to see if I could optimize that at all. As it turns out, the OpenID 2.0 Spec located here allowed me to trim down the required code significantly:
This also works and has the added benefit of the first two lines coming from the official spec. Plus, it’s only three lines total. The third line might still be a bit of an imperfect hack, but I couldn’t get it to work using the official recommendation.
Anyway, that last snippet should get you working with delegation and Verisign PIP with the least amount of the most compliant code possible. That is, at least until I figure out how to do the XRDS bit properly according to the 2.0 spec.
[ Edit: Please note that some sites like LiveJournal still use the 1.0 specification and will fail with the trimmed down version. I re-added the 1.0 bits and the code below is the final version I have running. ]