So I just started using the PIP service from
Verisign
to handle my
OpenID. It’s a pretty solid OpenID implementation from what I’ve seen and has the
added bonus of supporting two-factor authentication via the token seen
above.

But I was having a problem with delegation, which is where you can enter
your own URL for your identifier (think username) when signing in to an
OpenID-enabled site.

I was told to use this:

[html][/html]

…but that doesn’t work when signing into certain sites, such as the Identity
Gang Wiki. You can sign into it using your full PIP URL, but not using
delegation with the code seen above.

So I talked to the nice folks at Verisign and was put in touch with Gary
Krall. He was most helpful. We determined that my delegation code wasn’t
quite what it needed to be.

He suggested the following, which worked great:

[html] [/html]

That worked for me and should for you as well, but I got curious and decided
to see if I could optimize that at all. As it turns out,
the OpenID 2.0 Spec located here
allowed me to trim down the required code significantly:

[html][/html]

This also works and has the added benefit of the first two lines coming from
the official spec. Plus, it’s only three lines total. The third line might still be a bit of
an imperfect hack, but I couldn’t get it to work using the official
recommendation.

Anyway, that last snippet should get you working with delegation and
Verisign PIP with the least amount of the most compliant code possible. That
is, at least until I figure out how to do the XRDS bit properly according to
the 2.0 spec.

[
Edit: Please note that some sites like LiveJournal still use the 1.0
specification and will fail with the trimmed down version. I re-added the
1.0 bits and the code below is the final version I have running.
]

May 23, 2025