[OpenID] Temporarily redirecting one's identity?
Sam Ruby
rubys at intertwingly.net
Thu Jan 4 12:46:44 UTC 2007
Oh, dear. I may have found an edge case. And documented it in a manner
that others may follow.
The documentation is here:
http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers
The issue is that when somebody requests http://intertwingly.net/blog/
and specifies an Accept: application/xrds+xml header on the request, I
do a temporary 302 redirect to http://intertwingly.net/public/yadis.xrdf
The question is: when the identity validation is done, what should the
RP view as my identity? The original URI (.../blog/) or the "temporary"
one (.../yadis.xrdf)?
LiveJournal (http://www.livejournal.com/openid/) chooses the former.
JanRain (http://www.openidenabled.com/resources/openid-test/checkup)
chooses the latter.
IMO, independent of whether or not I should be doing the redirect, the
spec should be clear and one or both of these implementations should be
changed to conform.
My two cents is that the answer should depend on whether it was a
permanent redirect (301) or a temporary redirect (302) which was employed.
However, if consensus forms on this mailing list, I'll update my
tutorial accordingly.
- Sam Ruby
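
The ambiguity described in the message above, as an added example that is not part of the original post or of either implementation's code: a relying party records each redirect hop during discovery and then derives the identifier under one of three policies. The policy names, the `example.org` chain and the redirect table are constructed for illustration; `status` is one reading of the 301-versus-302 suggestion (follow permanent redirects, stop at the first temporary one).

```python
from urllib.parse import urljoin

# Constructed stand-in for HTTP responses to a discovery request sent with
# "Accept: application/xrds+xml": url -> (status, Location header or None).
RESPONSES = {
    "http://intertwingly.net/blog/": (302, "http://intertwingly.net/public/yadis.xrdf"),
    "http://intertwingly.net/public/yadis.xrdf": (200, None),
    "http://example.org/old": (301, "/new"),              # constructed chain
    "http://example.org/new": (302, "http://example.org/xrds"),
    "http://example.org/xrds": (200, None),
}
MAX_HOPS = 5  # assumed limit; bounds redirect chains during discovery


def follow(url, responses=RESPONSES):
    """Return the (url, status) hops, ending at the first non-redirect response."""
    hops, seen = [], set()
    while True:
        if url in seen or len(hops) >= MAX_HOPS:
            raise ValueError("redirect loop or too many hops")
        seen.add(url)
        status, location = responses[url]
        hops.append((url, status))
        if status not in (301, 302, 303, 307) or not location:
            return hops
        url = urljoin(url, location)  # Location may be relative


def claimed_identifier(hops, policy):
    """Derive the identifier under 'original', 'final' or 'status' (hypothetical names)."""
    if policy == "original":   # the URI as entered, the first behaviour in the post
        return hops[0][0]
    if policy == "final":      # the URI after all redirects, the second behaviour
        return hops[-1][0]
    if policy == "status":
        # Advance past each leading 301; a temporary redirect ends the walk.
        ident = hops[0][0]
        for (_, status), (next_url, _) in zip(hops, hops[1:]):
            if status != 301:
                break
            ident = next_url
        return ident
    raise ValueError("unknown policy: " + policy)


if __name__ == "__main__":
    hops = follow("http://intertwingly.net/blog/")
    for policy in ("original", "final", "status"):
        print(policy, claimed_identifier(hops, policy))
```

Two relying parties that pick different policies store different identifiers for the same person, which is why the choice has to be fixed by the specification rather than left to each implementation.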