[OpenID] Wildcard realms and return URL verification discovery conflict

Deron Meranda deron.meranda at gmail.com
Thu Apr 9 08:23:19 UTC 2009


On Wed, Apr 8, 2009 at 7:53 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> The problem, as I see it, is that the spec requires an assumption
>> be made: that in discovery a wildcard maps to a specific hostname:
>
> Hmm . . . the behavior I have seen is not that *.domain.com is assumed to be
> 'www', but that 'domain.com' is assumed to be 'www.domain.com' (this caused
> me to reprise my no-www compliance level). In practice, I think there will
> be little difference between the two ('domain.com' can probably be assumed
> to be identical to 'www.domain.com').

I'm not sure I follow you.  The www substitution is mandated by the spec.
From the OpenID 2.0 Spec, Section 9.2.1:

   "A realm may contain a wildcard, and so may not be a valid URL. In
    that case, perform discovery on the URL obtained by substituting
    "www" for the wildcard in the realm. "

But if there is no wildcard, then the realm will be a valid URL, and that
URL is used for discovery purposes.  There is nothing that says
that a party performing discovery should add a "www" to that URL,
and in fact doing so would be incorrect.   So the realm
"http://domain.com/" should definitely NOT be interpreted as being
identical to "http://www.domain.com/".

However, on the other hand, the wildcarded "http://*.domain.com/"
realm MUST be interpreted as being "http://www.domain.com/".

So are you seeing something different?


My concern is that I think section 9.2.1 of the spec may be too
simplistic.  It makes an assumption that a "www" host will
exist and that it will be authoritative for the entire domain.

Not to mention there may be an https versus http disconnect.
-- 
Deron Meranda
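
The substitution rule quoted from Section 9.2.1 above, as an added Python example (not part of the original message and not taken from any OpenID library). The function names and the sample realms and return URLs are constructed for illustration; it covers only how the discovery URL is derived from the realm, not discovery itself.

```python
from urllib.parse import urlsplit, urlunsplit

WILDCARD = "*."  # wildcard prefix as it appears in the realm "http://*.domain.com/"


def discovery_url(realm: str) -> str:
    """URL on which discovery is performed for a realm.

    Wildcard realm: substitute "www" for the wildcard (rule quoted above).
    Non-wildcard realm: the realm is already a valid URL and is used as-is;
    no "www" is added.
    """
    parts = urlsplit(realm)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("realm must be an http(s) URL pattern: %r" % realm)
    netloc = parts.netloc
    if netloc.startswith(WILDCARD):
        netloc = "www." + netloc[len(WILDCARD):]
    if "*" in netloc:
        # Only a leading "*." is handled here; anything else is rejected.
        raise ValueError("unsupported wildcard position: %r" % realm)
    # The scheme is carried over unchanged, so an https realm is
    # discovered over https and an http realm over http.
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def relies_on_www_host(realm: str, return_to: str) -> bool:
    """True when discovery for the realm contacts a different host than the
    one named in return_to, i.e. verification depends on the "www" host
    speaking for that other host."""
    discovered = urlsplit(discovery_url(realm)).hostname
    return discovered != urlsplit(return_to).hostname


if __name__ == "__main__":
    # Constructed sample inputs: (realm, return_to)
    samples = [
        ("http://*.domain.com/", "http://shop.domain.com/openid/return"),
        ("http://domain.com/", "http://domain.com/openid/return"),
        ("https://*.domain.com/app", "https://www.domain.com/app/return"),
    ]
    for realm, return_to in samples:
        print(realm, "->", discovery_url(realm),
              "| relies on www host:", relies_on_www_host(realm, return_to))
```
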


