[OpenID] Proposal: SMTP service extension for Yadis discovery
mart at degeneration.co.uk
Thu Feb 15 18:24:09 UTC 2007
Claus Färber wrote:
> Stephen Paul Weber <singpolyma at gmail.com> schrieb/wrote:
>> On 08 Feb 2007 16:38:00 +0100, Claus Färber <claus at faerber.muc.de> wrote:
>>> It does not work as intended. In http://email@example.com/, "user" is
>>> an identity suggested to access http://example.com/. A RP could not
>>> retrieve different information depending on the "user" part without
>>> knowing the password for each user (which it is supposed not to
>> How so? The user part is transferred in the HTAUTH headers which the
>> script can easily read...
> What's a HTAUTH?
> Seriously, there's no such header. If you mean the Authorization header
> field, this one's only sent when the user (or URL) has provided a
> username _and_ password.
The proposal, or at least the variation on it we discussed a couple
months back, was that the OpenID specification would say that when given
a URL in the form http://firstname.lastname@example.org/ the RP must make a request to
domain.com with an Authorization header for Basic auth, with the
credentials set to be base64(user:). The colon at the end is the
delimiter between the username and an empty password.
However, the spec could also require a different process altogether,
since standard HTTP auth isn't very useful on an identity URL. To pluck
an idea out of the air, the spec could require that URLs in the form
http://email@example.com/ result in requests to domain.com with an extra
header field "X-User: user". For extra robustness, the identity URL
could be required to return "Vary: X-User" in the response to indicate
that it is indeed processing this header.
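Added example, not code from the thread or from any OpenID library, showing the two request shapes mart describes (Authorization: Basic base64(user:) and X-User: user), the RP-side Vary: X-User check, and the identity-server side recovering the user hint; the function names and the rejection of ':' in the user part are assumptions of this example.

```python
import base64
from urllib.parse import urlsplit, unquote

# Hypothetical helper names; the thread only specifies the header shapes.
def build_discovery_request(identity_url: str, variant: str = "basic"):
    """Turn http://user@host/ into (fetch_url, headers) for the RP's request.

    variant "basic":  Authorization: Basic base64("user:")  (empty password)
    variant "x-user": X-User: user
    """
    parts = urlsplit(identity_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) identity URLs are supported")
    if parts.username is None or parts.password is not None:
        raise ValueError("identity URL needs a user part and must not carry a password")
    user = unquote(parts.username)
    # A ':' in the user part would smuggle a password into base64(user:),
    # and CR/LF would allow header injection; refuse both (assumed rule).
    if any(c in user for c in ":\r\n"):
        raise ValueError("user part contains ':' or a line break")
    netloc = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    fetch_url = parts._replace(netloc=netloc).geturl()  # userinfo stripped from the URL
    if variant == "basic":
        token = base64.b64encode(f"{user}:".encode("utf-8")).decode("ascii")
        return fetch_url, {"Authorization": f"Basic {token}"}
    if variant == "x-user":
        return fetch_url, {"X-User": user}
    raise ValueError(f"unknown variant {variant!r}")


def user_hint_from_request(headers: dict):
    """Identity-server side: recover the user hint from either header form.

    Returns None when no hint is present or the credential is not the
    empty-password shape. The hint is a lookup key, never proof of identity."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        name, sep, password = decoded.partition(":")
        return name if sep == ":" and password == "" and name else None
    return headers.get("X-User") or None


def honours_x_user(response_headers: dict) -> bool:
    """RP-side check for the robustness rule in the thread: an identity URL
    that processes X-User must answer with Vary: X-User."""
    vary = response_headers.get("Vary", "")
    return "x-user" in {v.strip().lower() for v in vary.split(",")}
```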