[Openid-specs-ab] SWD and redirection

George Fletcher gffletch at aol.com
Mon Feb 6 18:25:34 UTC 2012


I just found out that our XRD/Webfinger support in production is broken. 
This boils down to deployment issues for me since the owner of the 
aol.com domain is the portal team, not the identity team. As more and 
more specs are putting files in /.well-known I'm looking for solutions 
that are less brittle than what I have right now. With that context, is 
it acceptable to deploy a static file to 
https://aol.com/.well-known/simple-web-discovery that returns...

       "location": "https://api.screenname.aol.com/swd_server",
       "expires": 1300752001

That static file would ignore the query parameters though they will be 
logged. Note that if the SWD request is for an @aim.com domain the JSON 
response will be the same.

    GET /.well-known/simple-web-discovery
        ?principal=mailto:joe at aim.com
        &service=urn:example.org:service:calendar HTTP/1.1
    Host: aim.com

    HTTP/1.1 200 OK
    Content-Type: application/json

       "location": "https://api.screenname.aol.com/swd_server",
       "expires": 1300752001

I'm assuming there are no trust chain issues if the redirect location 
does NOT match the root domain of the original request.

Finally, the expiration field is going to cause me problems. I really 
would like the file to be static, but the client to requery every n 
hours/days/weeks. This could be done using HTTP expiration semantics. 
However, I don't have a deployment solution that allows me to update the 
file on a fixed interval. I'll keep exploring options to make it more 
dynamic, but the dynamic flow I have right now has been broken twice by 
config upgrades.
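
Added example, not part of the original message or of the SWD draft: one way a client could handle the redirect response discussed above, refusing non-https targets, flagging the host change, and falling back to HTTP max-age when the static file's "expires" is already in the past. The function name, the enclosing JSON braces, the one-week ceiling and the freshness policy are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlencode, urlsplit

MAX_REQUERY_SECONDS = 7 * 24 * 3600  # assumed client ceiling, not from the post


def plan_swd_redirect(request_host, principal, service, body, headers, now):
    """Decide where to re-send an SWD query and when to re-query the origin.

    `headers` is a dict with canonical header names; `now` is Unix time.
    """
    doc = json.loads(body)
    location = doc.get("location")
    if not isinstance(location, str):
        raise ValueError("response has no redirect location")
    target = urlsplit(location)
    # The redirect is only as trustworthy as the channel it arrived on and
    # the channel it points to, so refuse anything that is not https.
    if target.scheme != "https" or not target.hostname:
        raise ValueError("redirect location must be an absolute https URL")

    # The static file ignored the query, so the client repeats it at the target.
    query = urlencode({"principal": principal, "service": service})
    next_url = location + ("&" if target.query else "?") + query

    # Freshness: take the earliest of the client ceiling, a still-future JSON
    # "expires", and HTTP max-age. A stale "expires" baked into a static file
    # is ignored instead of forcing a re-query on every lookup.
    deadlines = [now + MAX_REQUERY_SECONDS]
    expires = doc.get("expires")
    if isinstance(expires, int) and expires > now:
        deadlines.append(expires)
    max_age = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
    if max_age:
        deadlines.append(now + int(max_age.group(1)))

    return {
        "next_url": next_url,
        # Flag host changes (aim.com -> api.screenname.aol.com) for logging.
        "cross_host": target.hostname.lower() != request_host.lower(),
        "requery_at": min(deadlines),
    }


# Constructed sample mirroring the exchange in the post.
SAMPLE_BODY = '{"location": "https://api.screenname.aol.com/swd_server", "expires": 1300752001}'
SAMPLE_NOW = 1328552734  # constructed clock value, later than "expires"
```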
