URL redirection truncation problems

Breno de Medeiros breno at google.com
Tue Dec 7 00:59:50 UTC 2010


On Mon, Dec 6, 2010 at 16:41, Manuel Lemos <mlemos at acm.org> wrote:
> Hello,
>
> I have developed my implementation of OpenID (consumer and provider). In
> general works well and it has been used in sites that authenticate
> hundreds of thousands of users.
>
> The problem is that once in a while I get warnings from my system regarding
> missing required attributes or invalid signatures.
>
> Looking closer at the problem I realized that in some cases the OpenID
> provider redirects the users back to the consumer sites but the user
> browsers are truncating URLs apparently at 400 characters.

This could happen on some mobile devices.

There are, AFAIK, only a few approaches to address this problem.

- Choose to not support such user agents.

- Providers might add detection for the problematic user-agents and
change their handling to use a POST redirect. But keep in mind that
this fix still is short of ideal:
-- Sometimes these devices also do not support JavaScript, in which case
POST redirects require an additional confirmation dialog.
-- POST redirects from https to http result in scary warning dialogs in
some browsers. Avoiding this warning requires providers to invent some
proprietary redirect with short URLs from the https location to an
http location and start the POST operation from the http location. A
better solution would be for RPs to implement SSL return_to URLs, but
this has not been often done.

- OpenID might define an 'artifact'-type workflow, as for instance,
the one proposed by the Artifact Binding WG, and shorten URLs of both
requests and responses to below 400 characters.

>
> Anybody experienced this problem?
>
> Admittedly I may have missed something in the spec documents, but is there
> anything in the specs that provides a solution to avoid redirecting browsers
> to such long URLs?
>
> --
>
> Regards,
> Manuel Lemos
>
> JS Classes - Free ready to use OOP components written in JavaScript
> http://www.jsclasses.org/
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>



-- 
--Breno
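The second option above (detect the problematic user agent and switch the positive assertion from a GET redirect to a POST form), together with the RP-side check that distinguishes a truncated response from a genuinely bad signature, as an added example. This is not code from the thread or from either poster's implementation; the field names follow OpenID 2.0, but the user-agent table, the 400-character limit and the sample assertion are constructed for illustration.

```python
"""
Added example (not from the original thread): an OpenID 2.0 provider that
falls back from a GET redirect to a self-submitting POST form when the
assertion URL would exceed the length a user agent is known to truncate,
plus the RP-side check that tells a truncated response apart from a bad
signature. The user-agent table, the limit and the sample are constructed.
"""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed table: user-agent substrings known to truncate URLs, and at what
# length. A real provider would fill this from observed breakage.
TRUNCATING_USER_AGENTS = {"ConstructedMobileBrowser/1.0": 400}

# Fields OpenID 2.0 requires in every positive assertion (id_res).
REQUIRED_ID_RES = ("ns", "mode", "op_endpoint", "return_to",
                   "response_nonce", "assoc_handle", "signed", "sig")

# Constructed sample positive assertion. Real ones are at least this long:
# association handles, nonces and signatures are opaque strings.
SAMPLE_ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.com/server",
    "openid.claimed_id": "https://op.example.com/id/alice",
    "openid.identity": "https://op.example.com/id/alice",
    "openid.return_to": "https://rp.example.net/openid/return?session=abc123",
    "openid.response_nonce": "2010-12-07T00:59:50ZUNIQUE",
    "openid.assoc_handle": "{HMAC-SHA256}{4cfd9a2e}{XyZ123==}",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle",
    "openid.sig": "Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9v",
}


def url_limit_for(user_agent):
    """URL length limit for a known-truncating user agent, else None."""
    for marker, limit in TRUNCATING_USER_AGENTS.items():
        if marker in user_agent:
            return limit
    return None


def build_get_redirect(return_to, fields):
    """Indirect response via GET: the assertion fields are appended to
    return_to while any query string it already carries is preserved."""
    parts = urlsplit(return_to)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(fields.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def build_post_form(return_to, fields):
    """HTML page that POSTs the same fields to return_to. It auto-submits
    where JavaScript runs; without it the user gets the extra 'Continue'
    step the thread mentions. Parameters already in return_to stay in the
    action URL's query string, so the RP must merge query and body."""
    inputs = "\n".join(
        '  <input type="hidden" name="%s" value="%s">'
        % (html.escape(k), html.escape(v)) for k, v in fields.items())
    return ('<html><body onload="document.forms[0].submit()">\n'
            '<form method="post" action="%s">\n%s\n'
            '  <noscript><input type="submit" value="Continue"></noscript>\n'
            '</form></body></html>\n' % (html.escape(return_to), inputs))


def choose_response(fields, user_agent):
    """Provider side: ("redirect", url) unless the UA is known to truncate
    and the URL exceeds its limit, in which case ("form", html)."""
    return_to = fields["openid.return_to"]
    url = build_get_redirect(return_to, fields)
    limit = url_limit_for(user_agent)
    if limit is None or len(url) <= limit:
        return ("redirect", url)
    return ("form", build_post_form(return_to, fields))


def simulate_truncation(url, limit):
    """What the RP receives after a browser cuts the URL at `limit` chars."""
    query = urlsplit(url[:limit]).query
    return dict(parse_qsl(query, keep_blank_values=True))


def missing_assertion_fields(received):
    """RP side: required fields, plus everything openid.signed claims to
    cover, that never arrived. A non-empty list points at truncation and
    should be logged as such rather than as a signature failure."""
    names = list(REQUIRED_ID_RES)
    names += [n for n in received.get("openid.signed", "").split(",") if n]
    return [n for n in names if "openid." + n not in received]


if __name__ == "__main__":
    kind, body = choose_response(SAMPLE_ASSERTION, "ConstructedMobileBrowser/1.0")
    print(kind)
    full_url = build_get_redirect(SAMPLE_ASSERTION["openid.return_to"], SAMPLE_ASSERTION)
    print(len(full_url), missing_assertion_fields(simulate_truncation(full_url, 400)))
```

The length check is deliberately applied to the complete URL the provider is about to emit, not to the return_to alone, since the signature and association handle at the tail are exactly what a 400-character cut removes.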

