Maybe I'm misunderstanding what you're looking at here, but surely
anything that the RP can "see" to determine whether you're on a mobile
device can also be seen by the OP? They're both just websites, after
The scenario is that I have a preferred OP on the PC-class device that
I like because, say, it has a hardware device attached to it for
Now I'd like to log on, with the same identifier, from my iPhone that
does not have the same hardware device attached: I will be redirected
to the OP that then cannot authenticate me.
It would be better to say "I'd like OP1, but only for PCs, and OP2 for
iPhones, ..." all somehow expressed in the XRDS file so the RP could
do the redirect to the right OP based on which device I'm using, all
while using the same identifier.
Of course, an OP that supports all devices and all the right
authentication techniques appropriate for each device would be better.
But that's a hard thing to do given how many possible combinations