[OpenID] Announce: OpenID Authentication Draft 12 (finally)

Peter Williams pwilliams at rapattoni.com
Tue Aug 28 02:05:47 UTC 2007


Draft 12 - to be finalized post-hoc - says [Section 7.2] :-

"The end user's input MUST be normalized into an Identifier, as follows:


If the URL contains a fragment part, it MUST be stripped off. See
Section 11.5.2 (HTTP and HTTPS URL Identifiers) for more information. 

URL Identifiers MUST then be further normalized by both following
redirects when retrieving their content and finally applying the rules
in Section 6 of [RFC3986] " 




Ok. This is what I took away from a simple reading...for use in coding
duties:-

A. fragment identifiers on user input are to be removed. Do not remove
the separator.
B. 3986 shall normalize a terminating # as present
C. Discovery may involve handling 302 or other responses with location
headers possibly bearing fragment identifiers; handle fragment
identifiers on location headers according to HTTP1.1 
D. An HTML-delegated or XRDS-delegated URI may include fragment
identifiers and they shall not be removed, on this "final URI"


11.2 mentions that RP-Discovery on the final URI is mandatory, and a
consumer's test for assertion validity requires the act of performing
discovery. It also states that "If the Claimed Identifier in the
assertion is a URL and contains a fragment, the fragment part MUST NOT
be used for the purposes of verifying the discovered information." 

From what I read between the lines, the redirects and delegation rules
may ultimately result in a positively asserted Claimed identity that has
fragment identifiers. 

I'm totally unclear which variety of all these URI rewrites the consumer
website UI is supposed to show the user, when showing a landing page
post-login. Presumably, it's the positively asserted, as discovered,
Claimed Identity URI (with any fragments).
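
The normalization quoted above from Section 7.2 and the fragment rule quoted from 11.2, as an added Python example that is not part of the original post or of the draft. It assumes an absolute http or https URL as input, drops the "#" delimiter together with the fragment, and does not follow redirects since it runs offline; the function names are hypothetical.

```python
import re
import string
from urllib.parse import urlsplit, urlunsplit

UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
DEFAULT_PORT = {"http": 80, "https": 443}

def _pct_normalize(text):
    # RFC 3986 6.2.2.1 and 6.2.2.2: uppercase hex digits, decode unreserved octets only.
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, text)

def _remove_dot_segments(path):
    # RFC 3986 6.2.2.3 for an absolute path: resolve "." and ".." segments.
    segments, out = path.split("/")[1:], []
    for seg in segments:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segments[-1] in (".", ".."):
        out.append("")  # keep the trailing slash, e.g. /a/b/.. -> /a/
    return "/" + "/".join(out)

def normalize_identifier(user_input):
    # Assumption: input already carries an http/https scheme; redirects are not followed.
    parts = urlsplit(user_input.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT or not parts.hostname:
        raise ValueError("expected an absolute http or https URL")
    host = parts.hostname  # urlsplit returns the host lowercased
    if ":" in host:
        host = "[" + host + "]"  # restore brackets around an IPv6 literal
    netloc = host if parts.port in (None, DEFAULT_PORT[scheme]) else f"{host}:{parts.port}"
    if "@" in parts.netloc:
        netloc = parts.netloc.rsplit("@", 1)[0] + "@" + netloc
    path = _remove_dot_segments(_pct_normalize(parts.path or "/"))
    # The fragment is discarded here (assumption: the "#" delimiter goes with it).
    return urlunsplit((scheme, netloc, path, _pct_normalize(parts.query), ""))

def matches_discovered(claimed, discovered):
    # 11.2 as quoted: the fragment part is not used when verifying discovered information.
    return normalize_identifier(claimed) == normalize_identifier(discovered)

if __name__ == "__main__":
    print(normalize_identifier("HTTP://Example.COM:80/%7Ealice/./b/../#me"))  # constructed input
```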