[OpenID] Wildcard realms and return URL verification discovery conflict
deron.meranda at gmail.com
Thu Apr 9 08:23:19 UTC 2009
On Wed, Apr 8, 2009 at 7:53 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> The problem, as I see it, is that the spec requires an assumption
>> be made: that in discovery a wildcard maps to a specific hostname:
> Hmm . . . the behavior I have seen is not that *.domain.com is assumed to be
> 'www', but that 'domain.com' is assumed to be 'www.domain.com' (this caused
> me to reprise my no-www compliance level). In practice, I think there will
> be little difference between the two ('domain.com' can probably be assumed
> to be identical to 'www.domain.com').
I'm not sure I follow you. The www substitution is mandated by the spec.
From the OpenID 2.0 Spec, Section 9.2.1:
"A realm may contain a wildcard, and so may not be a valid URL. In
that case, perform discovery on the URL obtained by substituting
"www" for the wildcard in the realm."
But if there is no wildcard, then the realm will be a valid URL, and that
URL is used for discovery purposes. There is nothing that says
that a party performing discovery should add a "www" to that URL,
and in fact doing so would be incorrect. So the realm
"http://domain.com/" should definitely NOT be interpreted as being
identical to "http://www.domain.com/".
However, on the other hand, the wildcarded "http://*.domain.com/"
realm MUST be interpreted as being "http://www.domain.com/".
So are you seeing something different?
My concern is that I think section 9.2.1 of the spec may be too
simplistic. It makes an assumption that a "www" host will
exist and that it will be authoritative for the entire domain.
Not to mention there may be an https versus http disconnect.
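
Added example, not part of the original message and not taken from any OpenID library: the Section 9.2.1 substitution quoted above, written out in Python, with a check for the case where a return URL under a wildcard realm sits on a different host than the one discovery is sent to. The function names and the sample hosts are assumptions made for illustration; the restriction of the wildcard to a leading "*." in the authority follows the realm definition in Section 9.2 of the spec.

```python
from urllib.parse import urlsplit, urlunsplit

WILDCARD = "*."  # per the spec's realm definition: only at the start of the authority


def discovery_url_for_realm(realm: str) -> str:
    """Return the URL on which discovery is performed for a realm (hypothetical helper)."""
    parts = urlsplit(realm)
    if parts.scheme not in ("http", "https"):
        raise ValueError("realm must be an http or https URL pattern")
    if parts.fragment:
        raise ValueError("realm must not contain a fragment")
    if "*" not in realm:
        # No wildcard: the realm is already a valid URL and is used unchanged.
        # Nothing is prepended, so http://domain.com/ stays http://domain.com/.
        return realm
    if realm.count("*") != 1 or not parts.netloc.startswith(WILDCARD):
        raise ValueError("wildcard is only allowed as a leading '*.' in the host")
    # Wildcard: substitute "www" for it; scheme, port and path carry over as-is,
    # so an http realm is discovered over http and an https realm over https.
    host = "www." + parts.netloc[len(WILDCARD):]
    return urlunsplit(parts._replace(netloc=host))


def discovery_host_differs(realm: str, return_to: str) -> bool:
    """True when discovery is sent to a host other than the return_to host."""
    discovery_host = urlsplit(discovery_url_for_realm(realm)).hostname
    return discovery_host != urlsplit(return_to).hostname


if __name__ == "__main__":
    # Constructed sample realms and return URLs.
    for realm, return_to in [
        ("http://*.domain.com/", "http://login.domain.com/return"),
        ("http://*.domain.com/", "http://www.domain.com/return"),
        ("http://domain.com/", "http://domain.com/return"),
    ]:
        print(realm, "->", discovery_url_for_realm(realm),
              "| differs from return_to host:",
              discovery_host_differs(realm, return_to))
```

The first sample pair is the situation the message is concerned about: the return URL is on login.domain.com, but discovery is performed against www.domain.com.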