[OpenID] Proposal: SMTP service extension for Yadis discovery

Martin Atkins mart at degeneration.co.uk
Thu Feb 15 18:24:09 UTC 2007

Claus Färber wrote:
> Stephen Paul Weber <singpolyma at gmail.com> schrieb/wrote:
>> On 08 Feb 2007 16:38:00 +0100, Claus Färber <claus at faerber.muc.de> wrote:
>>> It does not work as intended. In http://user@example.com/, "user" is
>>> an identity suggested to access http://example.com/. A RP could not
>>> retrieve different information depending on the "user" part wihtout
>>> knowing the password for each user (which it is supposed not to
>>> know).
>> How so?  The user part is transferred in the HTAUTH headers which the
>> script can easily read...
> What's a HTAUTH?
> Seriously, there's no such header. If you mean the Authorization header
> field, this one's only sent when the user (or URL) has provided a
> username _and_ password.

The proposal, or at least the variation on it we discussed a couple 
months back, was that the OpenID specification would say that when given 
a URL in the form http://user@domain.com/ the RP must make a request to 
domain.com with an Authorization header for Basic auth, with the 
credentials set to be base64(user:). The colon at the end is the 
delimiter between the username and an empty password.

However, the spec could also require a different process altogether, 
since standard HTTP auth isn't very useful on an identity URL. To pluck 
an idea out of the air, the spec could require that URLs in the form 
http://user@domain.com/ result in requests to domain.com with an extra 
header field "X-User: user". For extra robustness, the identity URL 
could be required to return "Vary: X-User" in the response to indicate 
that it is indeed processing this header.

More information about the general mailing list