[OpenID] Wildcard realms and return URL verification discovery conflict

Deron Meranda deron.meranda at gmail.com
Thu Apr 9 08:23:19 UTC 2009

On Wed, Apr 8, 2009 at 7:53 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> The problem, as I see it, is that the spec requires an assumption
>> be made: that in discovery a wildcard maps to a specific hostname:
> Hmm . . . the behavior I have seen is not that *.domain.com is assumed to be
> 'www', but that 'domain.com' is assumed to be 'www.domain.com' (this caused
> me to reprise my no-www compliance level). In practice, I think there will
> be little difference between the two ('domain.com' can probably be assumed
> to be identical to 'www.domain.com').

I'm not sure I follow you.  The www substitution is mandated by the spec.
From the OpenID 2.0 Spec, Section 9.2.1:

   "A realm may contain a wildcard, and so may not be a valid URL. In
    that case, perform discovery on the URL obtained by substituting
    "www" for the wildcard in the realm. "

But if there is no wildcard, then the realm will be a valid URL, and that
URL is used for discovery purposes.  There is nothing that says
that a party performing discovery should add a "www" to that URL,
and in fact doing so would be incorrect.  So the realm
"http://domain.com/" should definitely NOT be interpreted as being
identical to "http://www.domain.com/".

However, on the other hand, the wildcarded "http://*.domain.com/"
realm MUST be interpreted as being "http://www.domain.com/".

So are you seeing something different?

My concern is that I think section 9.2.1 of the spec may be too
simplistic.  It makes an assumption that a "www" host will
exist and that it will be authoritative for the entire domain.

Not to mention there may be an https versus http disconnect.

Deron Meranda
