[OpenID] Wildcard realms and return URL verification discovery conflict

Deron Meranda deron.meranda at gmail.com
Wed Apr 8 17:00:29 UTC 2009


On Wed, Apr 8, 2009 at 2:02 AM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> But now consider Yahoo!, which performs the optional Return URL
>> Verification step.  Per section 9.2.1 of the OpenID 2.0 spec, it will then
>> attempt to perform discovery (for my RP's XRDS document) starting at
>> https://www.example.org/
>
> I have noticed this behavior, too (in a major OP other than Yahoo).
>
> +1 to designing a solution for this into the spec.

Just to be clear; Yahoo is following the spec correctly here.

The problem, as I see it, is that the spec requires an assumption
be made: that in discovery a wildcard maps to a specific hostname:

   *.example.com -> www.example.com

Now this may be reasonable (most web browsers also codify this
type of assumptive mapping too); but it is still nonetheless an
a sometimes-unsatisfactory assumption that there exists a host
named "www" and that it is authorized and capable of
representing OpenID claims for the entire domain wrt XRDS discovery.

Perhaps a more technically consistent approach would be to first
try to use the DNS system, as intended, such as looking up
an SRV or TXT record before falling back to trying "www".

   http://en.wikipedia.org/wiki/SRV_record

Of course it may be argued that users have even less control
over DNS records than they do the HTTP headers of the main
page on their "www" server.  But nonetheless, that's supposed to
be one of the jobs of DNS: to designate endpoints for services
that are representative of an entire domain.
-- 
Deron Meranda
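The realm matching and wildcard-to-"www" mapping discussed in this thread, as an added example that is not part of the original post or of any OpenID library. It implements the OpenID 2.0 section 9.2 rules an OP applies when checking a return_to URL against a realm, derives the discovery URL the spec prescribes (replace "*." with "www."), and then shows the poster's DNS-first idea as a hypothetical variant: the resolver callback, the record name `_openid._tcp.<domain>` and the lookup table are all assumptions constructed for this example, not anything the spec or a registry defines.

```python
from typing import Callable, Optional
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(u) -> Optional[int]:
    """Port to compare: explicit port, else the scheme default."""
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def return_to_matches_realm(realm: str, return_to: str) -> bool:
    """OpenID 2.0 section 9.2: does return_to fall inside the realm?

    Scheme and port must be identical, the path must be equal to or under
    the realm path, and the host must equal the realm host or, for a
    "*." realm, end in the part after the wildcard.
    """
    r, t = urlparse(realm), urlparse(return_to)
    if r.fragment:                      # realms must not carry a fragment
        return False
    if r.scheme != t.scheme or _effective_port(r) != _effective_port(t):
        return False
    rhost, thost = (r.hostname or "").lower(), (t.hostname or "").lower()
    if rhost.startswith("*."):
        base = rhost[2:]
        # Accept the bare domain as well as any subdomain; the suffix check
        # uses a leading dot so "example.org.evil.net" is NOT a match.
        if not (thost == base or thost.endswith("." + base)):
            return False
    elif rhost != thost:
        return False
    rpath, tpath = r.path or "/", t.path or "/"
    if rpath.endswith("/"):
        return tpath.startswith(rpath)
    # "/app" covers "/app" and "/app/..." but not "/app2".
    return tpath == rpath or tpath.startswith(rpath + "/")


def discovery_url_for_realm(realm: str) -> str:
    """Spec behaviour for Return URL Verification (section 9.2.1):
    the OP performs discovery on the realm, with "*." replaced by "www."."""
    r = urlparse(realm)
    host = r.hostname or ""
    if host.startswith("*."):
        host = "www." + host[2:]
    netloc = host if r.port is None else f"{host}:{r.port}"
    return r._replace(netloc=netloc).geturl()


# Hypothetical resolver signature: record name -> target host, or None.
SrvResolver = Callable[[str], Optional[str]]


def discovery_url_dns_first(realm: str, resolve_srv: SrvResolver) -> str:
    """The poster's proposal as a hypothetical variant: consult DNS for a host
    designated to speak for the whole domain, and only fall back to "www."
    when no such record exists. The record name is an assumption."""
    r = urlparse(realm)
    host = r.hostname or ""
    if not host.startswith("*."):
        return discovery_url_for_realm(realm)
    target = resolve_srv("_openid._tcp." + host[2:])   # assumed name, not registered
    if not target:
        return discovery_url_for_realm(realm)
    netloc = target if r.port is None else f"{target}:{r.port}"
    return r._replace(netloc=netloc).geturl()


# Constructed lookup table standing in for a real DNS answer.
CONSTRUCTED_SRV = {"_openid._tcp.example.org": "id.example.org"}


def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_SRV.get(name)


if __name__ == "__main__":
    realm = "https://*.example.org/"
    for rt in ("https://login.example.org/openid/return",
               "https://example.org.evil.net/return",
               "http://www.example.org/"):
        print(rt, "->", return_to_matches_realm(realm, rt))
    print("spec discovery URL:", discovery_url_for_realm(realm))
    print("DNS-first (constructed):", discovery_url_dns_first(realm, constructed_resolver))
    print("DNS-first, no record:", discovery_url_dns_first("https://*.example.net/", constructed_resolver))
```

The matching function is what an OP already has to run before Return URL Verification; the DNS-first function only changes where discovery starts, so an OP adopting the proposal would still fetch and validate the XRDS it finds there exactly as today.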


