[OpenID] URL normalization issues

Johnny Bufu johnny at sxip.com
Fri Mar 23 21:05:34 UTC 2007


On 23-Mar-07, at 12:53 PM, Josh Hoyt wrote:

> Regarding OpenID provider best practices, I agree wholeheartedly. Any
> URL that responds with a valid OpenID discovery response *is* an
> identifier, so responding to more than one URL that way effectively
> creates more identifiers. Providers (and users hosting their own
> identifiers) should be careful to respond with 200 OK and OpenID
> discovery information only to those URLs that are intended to be
> identifiers.

So an OP should look into what URLs their webserver software treats
as equivalent (but are not equivalent according to RFC3986) and
either disable that behavior, or redirect all of them to the one that
is advertised as being *the* identity URL. In practical terms, this
would amount to a few rewrites/redirects such that:

http://example.com/some/user
http://example.com/some/user/
http://example.com///some/user
http://example.com/some////user/
... (other common examples, anyone?) ...

all redirect to, say:
http://example.com/some/user/


> One of the problems with XRDS discovery (formerly known as Yadis) is
> that it makes it difficult to avoid serving more than one URL that can
> be used as an identifier: the XRDS file's URI is *also* a valid
> identifier. You can observe this problem if you have a MyOpenID.com
> account by trying to sign in somewhere that supports XRDS discovery
> (i.e. not LiveJournal) with <http://youraccount.myopenid.com/xrds>.
>
> I have yet to come up with a solution to this particular problem that
> I consider satisfactory.

The only ways I can think of for solving this would be to:
- include the ClaimedID in the XRDS document, or
- modify Yadis to REQUIRE the RPs to always send the Accept request-header
for XRDS when fetching the X-XRDS-Location URL.

But neither of them are easy fixes...


Johnny
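The two server-side behaviours discussed in this thread, as an added example that is not code from the original message or from any OpenID implementation: a canonicalization step that collapses the equivalent URL spellings listed above into the one advertised identifier and decides whether to serve, redirect or refuse, plus the Accept-header gate from the second proposed XRDS fix. The identifier set, the function names and the decision tuples are constructed for this illustration; the only normalization rules applied are the ones the message names (trailing slash, repeated slashes) together with the RFC 3986 scheme/host case and default-port rules.

```python
"""Serve OpenID discovery information from exactly one URL per identifier.

Hypothetical OP-side helpers (not from the original thread):
  route(url)            -> ("serve" | "redirect" | "not_found", canonical_url)
  xrds_allowed(accept)  -> True only if the RP asked for XRDS explicitly
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed list of identifiers this example OP advertises.  The
# canonical spelling is the one with a single trailing slash.
ADVERTISED = {"http://example.com/some/user/"}

XRDS_MEDIA_TYPE = "application/xrds+xml"
_MULTI_SLASH = re.compile(r"/{2,}")


def canonicalize(url: str) -> str:
    """Return the one spelling an identifier URL is allowed to have.

    Applies RFC 3986 case/port normalization and then the two
    web-server equivalences the thread lists: repeated slashes are
    collapsed and a trailing slash is enforced.  Query and fragment
    are discarded because an identifier URL carries neither.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # urlsplit already lowercases it
    default_port = {"http": 80, "https": 443}.get(scheme)
    port = parts.port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = _MULTI_SLASH.sub("/", parts.path or "/")
    if not path.endswith("/"):
        path += "/"
    return urlunsplit((scheme, netloc, path, "", ""))


def route(url: str):
    """Decide how the web server should answer a request for `url`.

    Only the exact canonical spelling of an advertised identifier gets
    200 OK with discovery information; every equivalent spelling is
    redirected to it, so the OP never accidentally mints extra
    identifiers.  Anything else gets no discovery response at all.
    """
    canonical = canonicalize(url)
    if canonical not in ADVERTISED:
        return ("not_found", canonical)
    if url == canonical:
        return ("serve", canonical)
    return ("redirect", canonical)       # 301 to the advertised URL


def xrds_allowed(accept_header: str) -> bool:
    """Gate for the X-XRDS-Location URL (second fix proposed above).

    The XRDS document is only returned when the fetcher explicitly
    accepts application/xrds+xml; a plain browser-style GET of that
    URL therefore does not look like a valid identifier.
    """
    offered = [m.split(";", 1)[0].strip().lower()
               for m in accept_header.split(",")]
    return XRDS_MEDIA_TYPE in offered


if __name__ == "__main__":
    for u in ("http://example.com/some/user",
              "http://example.com/some/user/",
              "http://example.com///some/user",
              "http://example.com/some////user/",
              "http://EXAMPLE.com:80/some/user/",
              "http://example.com/other/user/"):
        print(u, "->", route(u))
    print("xrds ok:", xrds_allowed("application/xrds+xml, text/html;q=0.5"))
    print("xrds ok:", xrds_allowed("text/html,*/*;q=0.8"))
```

The check in `route` compares the raw request URL with its canonical form character for character, so a spelling that differs only in host case or an explicit `:80` is redirected too, not just the slash variants listed in the message; `xrds_allowed` deliberately ignores `*/*`, since a wildcard is exactly what a browser or a naive fetcher sends.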



