[OpenID] Temporarily redirecting one's identity?

Johnny Bufu johnny at sxip.com
Sun Jan 7 03:10:06 UTC 2007


On 6-Jan-07, at 5:35 AM, Martin Atkins wrote:

> Martin Atkins wrote:
>>
>> I believe that the spec doesn't make any distinction between permanent
>> and temporary redirects: any kind of redirect serves as a
>> "canonicalization step" (so, for example,
>> http://www.livejournal.com/users/frank/ becomes
>> http://frank.livejournal.com/) and so the ultimate destination URL is
>> used as the claimed identifier. (In other words, LiveJournal is "wrong".)
>
> I don't know why I didn't realise this when I was last replying, but the
> reason for the inconsistency between LiveJournal and the JanRain library
> is that LiveJournal's RP is still using the 1.1 protocol without Yadis,
> so it's seeing your <link rel="openid.server" ... /> and thus never
> seeing the redirect to the XRDS document. The JanRain library has been
> updated to prefer Yadis over OpenID's own discovery.
>
> Really there are two sets of rules in play here. OpenID (without Yadis)
> says that the claimed_identity is the result of following all redirects.
> However, when Yadis is in play the discovery part of OpenID is not used
> and the claimed_identity is (presumably) the URL at which Yadis
> discovery succeeded.

The claimed identifier is defined in the same way for both Yadis and  
HTML-Based discovery, i.e. the final URL after following all  
redirects (+ normalization).

> The successful Yadis URL needs to be defined by
> Yadis. However, I can't actually see anywhere in the Yadis spec that
> defines RP behavior when a redirect is received.
>
> So this behavior is (unless I'm missing the key part of the Yadis spec)
> undefined in the Yadis case. It might be a good idea to define this in
> an errata while we still only have a small number of Yadis
> implementations to worry about.

I read the Yadis spec the same way - it doesn't say anything about  
redirects, or that the result of the discovery process includes the  
URL which the XRDS describes. As a "consumer" of the spec, I take it  
that it is left for the protocol / application that uses Yadis to define  
whatever behavior they want -- and OpenID does that currently.

Admittedly, as we implemented Yadis and then OpenID, and recognized  
the need to know the final URL, we put that functionality in the  
Yadis implementation as an extra feature, so that OpenID doesn't have  
to perform a new (set of) HTTP call(s) for the required normalization.

If it is decided that it's best for this to be part of the Yadis  
spec, it will need some careful consideration. As
Sam selectively issues redirects based on the presence of a certain  
header in the request, he effectively points RPs to different URLs  
(which will become later on different claimed identifiers), depending  
on how they formulate the requests.

In such a configuration, one could even argue that the URL can no  
longer serve as an "identifier", since it Locates different Resources  
based on the parameters of the request (which are not part of the URL  
itself).


Johnny
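
The divergence described in this message, as an added example that is not part of the original post: an RP-side check that resolves the claimed identifier (final URL after all redirects plus normalization) once with and once without the Yadis `Accept: application/xrds+xml` header, and reports when the two disagree. The host names, the in-memory `SAMPLE_SITE` table and the function names are constructed for illustration, and the example assumes the "certain header" is that Accept header.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECTS = (301, 302, 303, 307)  # permanent and temporary are treated alike

# Constructed sample data: (url, request_sent_xrds_accept) -> (status, Location).
# Models a site that redirects only requests carrying the Yadis Accept header.
SAMPLE_SITE = {
    ("http://sam.example/", True): (302, "http://delegate.example/sam"),
    ("http://sam.example/", False): (200, None),
    ("http://delegate.example/sam", True): (200, None),
    ("http://delegate.example/sam", False): (200, None),
}


def normalize(url):
    """Minimal normalization: lowercase scheme and host, empty path -> '/', no fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def claimed_identifier(url, accept_xrds, site, max_hops=5):
    """Follow every redirect the site issues for this request style; return the final URL."""
    url = normalize(url)
    seen = set()
    for _ in range(max_hops + 1):
        if url in seen:
            raise ValueError("redirect loop at " + url)
        seen.add(url)
        status, location = site[(url, accept_xrds)]
        if status not in REDIRECTS:
            return url
        url = normalize(urljoin(url, location))
    raise ValueError("too many redirects")


def check_consistency(url, site):
    """Compare the identifier a Yadis-aware RP derives with the one an HTML-only RP derives."""
    yadis = claimed_identifier(url, True, site)
    html = claimed_identifier(url, False, site)
    return {"yadis": yadis, "html": html, "consistent": yadis == html}


if __name__ == "__main__":
    print(check_consistency("HTTP://Sam.Example", SAMPLE_SITE))
```

An RP that sees `consistent` come back false knows the same user-supplied URL would map to two different accounts depending on which discovery path its library takes.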





