[OpenID] Temporarily redirecting one's identity?

Sam Ruby rubys at intertwingly.net
Thu Jan 4 04:46:44 PST 2007


Oh, dear.  I may have found an edge case.  And documented it in a manner 
that others may follow.

The documentation is here: 
http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers

The issue is that when somebody requests http://intertwingly.net/blog/ 
and specifies an Accept: application/xrds+xml header on the request, I 
do a temporary 302 redirect to http://intertwingly.net/public/yadis.xrdf

The question is: when the identity validation is done, what should the 
RP view as my identity?  The original URI (.../blog/) or the "temporary" 
one (.../yadis.xrdf)?

LiveJournal (http://www.livejournal.com/openid/) choses the former. 
JanRain (http://www.openidenabled.com/resources/openid-test/checkup) 
choses the latter.

IMO, independent of whether or not I should be doing the redirect, the 
spec should be clear and one or both of these implementations should be 
changed to conform.

My two cents is that the answer should depend on whether it was a 
permanent redirect (301) or a temporary redirect (302) which was employed.

However, if consensus forms on this mailing list, I'll update my 
tutorial accordingly.

- Sam Ruby


More information about the general mailing list