[OpenID] Announce: OpenID Authentication Draft 12 (finally)

Johnny Bufu johnny at sxip.com
Tue Aug 28 22:11:33 UTC 2007


On 27-Aug-07, at 7:05 PM, Peter Williams wrote:

> Draft 12 - to be finalized post-hoc - says [Section 7.2] :-
>
> "If the URL contains a fragment part, it MUST be stripped off. See
> Section 11.5.2 (HTTP and HTTPS URL Identifiers) for more information."

> Ok. This is what I took away from a simple reading...for use in coding
> duties:-
>
> A. fragment identifiers on user input are to be removed. Do not remove
> the separator.

Good thing we didn't call it final just yet. In my mind the separator  
was part of the fragment, but re-reading the URI RFC it clearly is  
not and you are right.

Thanks for spotting this one!

> 11.2 mentions that RP-Discovery on the final URI is mandatory, and a
> consumer's test for assertion validity requires the act of performing
> discovery. It also states that "If the Claimed Identifier in the
> assertion is a URL and contains a fragment, the fragment part MUST NOT
> be used for the purposes of verifying the discovered information."
>
> From what I read between the lines, the redirects and delegation rules
> may ultimately result in a positively asserted Claimed identity that has
> fragment identifiers.
>
> I'm totally unclear which variety of all these URI rewrites the consumer
> website UI is supposed to show the user, when showing a landing page
> post-login. Presumably, it's the positively asserted, as discovered,
> Claimed Identity URI (with any fragments).

Yes, the claimed_id in a positive assertion can have a fragment.

As with a number of things, it is then up to the RPs what they use  
for display - whether it's the full claimed identifier (in my view  
this would defeat part of the identifier recycling solution), the  
fragment-less identifier, or some other local user / nick name. This  
is the recommendation we're making in the section "11.5 Identifying  
the end user":

"The Claimed Identifier MAY be used as a user-visible Identifier.  
When displaying URL Identifiers, the fragment MAY be omitted."


Johnny
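
The assertion-side handling discussed in this message, as an added example that is not part of the original post or of any OpenID library: the fragment of `claimed_id` is left out of discovery and of the comparison with discovered information, and is omitted from the displayed identifier. The `discover()` stand-in, the `DISCOVERED` and `ACCOUNTS` tables and all URLs are constructed, and keying local accounts by the full `claimed_id` (fragment included) is an assumption of this example.

```python
from urllib.parse import urldefrag

# Constructed discovery results, keyed by the URL actually fetched.
# A real RP would perform discovery here instead.
DISCOVERED = {
    "https://example.com/alice": {
        "claimed_id": "https://example.com/alice",
        "op_endpoint": "https://op.example.com/auth",
    },
}

# Constructed local accounts, keyed by the full claimed_id (fragment kept).
ACCOUNTS = {"https://example.com/alice#gen1": "alice-2005"}


def discover(url):
    """Hypothetical stand-in for discovery on a fragment-less URL."""
    return DISCOVERED.get(url)


def verify_assertion(claimed_id, op_endpoint):
    """Check the assertion against discovered information.

    The fragment of claimed_id takes no part in discovery or comparison.
    """
    url, _fragment = urldefrag(claimed_id)
    info = discover(url)
    if info is None:
        return False
    return info["claimed_id"] == url and info["op_endpoint"] == op_endpoint


def display_identifier(claimed_id):
    """Form shown to the user: the fragment is omitted."""
    return urldefrag(claimed_id).url


def login(claimed_id, op_endpoint):
    """Return (account, display_name), or None if verification fails.

    account is None for a verified identifier with no local account yet.
    """
    if not verify_assertion(claimed_id, op_endpoint):
        return None
    return ACCOUNTS.get(claimed_id), display_identifier(claimed_id)
```

Two assertions that differ only in the fragment both verify and display the same URL, but only the one whose full `claimed_id` matches a stored key reaches the existing account.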



