[OpenID] OpenID as an attack relay

Simon Willison simon at simonwillison.net
Tue Mar 20 10:52:30 UTC 2007


On 3/20/07, Lukas Rosenstock <lukas.rosenstock at identity20.eu> wrote:
> The example you have given could maybe be prevented by not allowing query
> parameters in an identity URL. Current identities look like
> "username.provider.com" or "provider.com/username", in rare cases
> "provider.com/users/username.htm", it wouldn't hurt to make query
> parameters invalid in an identity URL.

That feels very strange to me. We're moving from "an OpenID is a URL"
to "an OpenID is a URL that must conform to these specific
guidelines".

I agree that OpenIDs that contain query strings are likely to be
rare, but I'm also certain that someone could come up with an
interesting use of OpenID in the future for which query strings were
well suited.
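
The check Lukas proposes, as an added example written for this thread rather than code from either poster: a relying-party-side routine that first normalizes a claimed identifier the way OpenID Authentication 2.0 section 7.2 describes (default scheme, fragment dropped, scheme and host lowercased, default port dropped, empty path made "/") and then reports whether the result carries a query string, so a relying party can apply or skip the restriction as a policy rather than as a change to what an OpenID is. The sample identifiers are constructed and use reserved .example hosts.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed samples: the three identifier shapes named in the thread,
# plus one with a query string (the case the proposed rule would reject).
SAMPLE_IDENTIFIERS = [
    "username.provider.example",
    "provider.example/username",
    "https://Provider.example:443/users/username.htm#profile",
    "provider.example/openid?user=alice&return_to=http://rp.example/",
]

DEFAULT_PORTS = {"http": 80, "https": 443}
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def normalize_identifier(raw: str) -> str:
    """Normalization steps of OpenID Authentication 2.0 section 7.2."""
    candidate = raw.strip()
    if not SCHEME_RE.match(candidate):
        candidate = "http://" + candidate          # no scheme: assume http
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port                              # None when absent
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    path = parts.path or "/"
    # Query is kept; the fragment is dropped, as the spec requires.
    return urlunsplit((scheme, host, path, parts.query, ""))


def has_query(identifier: str) -> bool:
    return urlsplit(identifier).query != ""


def check_identifier(raw: str, allow_query: bool = True) -> tuple[str, bool]:
    """Return (normalized identifier, accepted under the relying party's policy)."""
    normalized = normalize_identifier(raw)
    accepted = allow_query or not has_query(normalized)
    return normalized, accepted


def run_samples(allow_query: bool) -> list[tuple[str, bool]]:
    """Apply the policy to every constructed sample."""
    return [check_identifier(raw, allow_query) for raw in SAMPLE_IDENTIFIERS]


if __name__ == "__main__":
    for normalized, ok in run_samples(allow_query=False):
        print(f"{'accept' if ok else 'reject'}  {normalized}")
```

With allow_query=False only the last sample is rejected; with the default allow_query=True all four pass, which is the position Simon argues for.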
