[OpenID] URL normalization issues

Josh Hoyt josh at janrain.com
Fri Mar 23 20:26:24 UTC 2007


On 3/23/07, Martin Atkins <mart at degeneration.co.uk> wrote:
> Josh Hoyt wrote:
> >
> > I have yet to come up with a solution to this particular problem that
> > I consider satisfactory.
>
> Surely you can only use one of them? I already have a few dozen OpenID
> identifiers, but I don't find myself accidentally entering in the wrong one.
>
> While I agree it's easy for a user to accidentally leave out a trailing
> slash, it's much less likely that they'll accidentally type /xrds on the
> end of the URL.

I'm not really worried about users entering the wrong identifier. It
just seems really ugly that in order to use XRDS discovery, you end up
creating two valid OpenID identifiers. A robot that searched for
OpenID URLs is one example of something that would be polluted by
these duplicates.

It's the fact that code can't tell whether the XRDS URL is *intended
to* be an identifier that bugs me.

> > Yuck. I just tried it on Jyte, LiveJournal, and ClaimID, and they all
> > do different things with the /xrds version, so it'd be *really* nice
> > if we could come up with at least a decent way of avoiding this
> > problem.
>
> Note that LiveJournal doesn't support XRDS discovery because it's still
> a pure 1.1 implementation.

Understood, but that doesn't make the inconsistency any less gross.
Also, I think it's odd that LJ serves XRDS files, but doesn't process
them when signing in.

Josh



More information about the general mailing list