[OpenID] URL normalization issues

Josh Hoyt josh at janrain.com
Fri Mar 23 19:07:45 UTC 2007


On 3/23/07, John Panzer <jpanzer at aol.net> wrote:
> Given two hCards,
>
> <a class="url fn uid" href="http://example.com/foo">Foo Bar</a>
> <a class="url fn uid" href="http://example.com/foo/">F. Bar</a>
>
> should I consider these two identities equivalent, or not?[1]  Or is
> there a way to resolve them by asking the servers (not doing an auth
> check, just a canonicalization check of some kind)?

I can't speak for hcard, but the OpenID specs do not *necessarily*
consider these equal. The normalization process for OpenID is
intertwined with discovery: The final, normalized URL is the URL that
results from following redirects when fetching the
textually-normalized URL that the user entered. This allows the owner
of the URL to perform arbitrary transformations on the URL. To really
test equivalence of two OpenID URL identifiers, it's necessary to
perform discovery on them to find out if they redirect to the same
target location.

For example, if discovery on http://example.com/josh produces:

 GET /josh HTTP/1.1
 Host: example.com
 ...

 HTTP/1.1 302 Found
 Location: http://example.com/josh/
 ...

 ---

 GET /josh/ HTTP/1.1
 Host: example.com

 HTTP/1.1 200 OK
 ...

then http://j3h.example.com/ is the normalized OpenID identifier for
that transaction.

It's a little tricky to say that those URLs are equivalent, since the
URL that resulted in the redirect should not ever be used as an OpenID
identifier, but at an intuitive level, that makes the meaning of those
two URLs as an identifier the same.

I hope that clarifies things.

Josh
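
An added example, not part of the original message and not taken from any OpenID library: a relying-party check that compares two identifiers the way the reply describes, by textually normalizing each one and then following redirects to the URL that finally answers. The function names, the redirect cap, the exact textual rules (default scheme, lowercasing, default-port and fragment removal) and the `SAMPLE` response table are assumptions made for illustration; the table stands in for the network so the code runs offline.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

MAX_REDIRECTS = 5  # assumed cap; stops redirect loops during discovery

def textual_normalize(user_input):
    """Textual step only: default scheme, lowercase scheme and host,
    drop default port and fragment, empty path becomes '/'."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    scheme = p.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("not an HTTP(S) identifier: %r" % user_input)
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}[scheme]
    netloc = host if p.port in (None, default) else "%s:%d" % (host, p.port)
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))

def discover(user_input, fetch):
    """Follow redirects from the textually-normalized URL; the URL that
    finally answers 200 is the normalized identifier."""
    url = textual_normalize(user_input)
    for _ in range(MAX_REDIRECTS + 1):
        status, location = fetch(url)
        if status == 200:
            return url
        if status in (301, 302, 303, 307) and location:
            url = textual_normalize(urljoin(url, location))
            continue
        raise ValueError("discovery failed at %s (HTTP %d)" % (url, status))
    raise ValueError("too many redirects")

def same_identifier(a, b, fetch):
    """Two inputs name the same identity only if discovery ends at one URL."""
    return discover(a, fetch) == discover(b, fetch)

# Constructed responses standing in for real servers.
SAMPLE = {
    "http://example.com/josh": (302, "http://example.com/josh/"),
    "http://example.com/josh/": (200, None),
    "http://example.com/foo": (200, None),
    "http://example.com/foo/": (200, None),
    "http://example.com/loop": (302, "/loop"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, None))
```

With this table, `/josh` and `/josh/` resolve to one identifier because the server redirects one to the other, while `/foo` and `/foo/` stay distinct because each answers 200 on its own.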


