[OpenID] Announce: OpenID Authentication Draft 12 (finally)
Johnny Bufu
johnny at sxip.com
Tue Aug 28 22:11:33 UTC 2007
On 27-Aug-07, at 7:05 PM, Peter Williams wrote:
> Draft 12 - to be finalized post-hoc - says [Section 7.2] :-
>
> "If the URL contains a fragment part, it MUST be stripped off. See
> Section 11.5.2 (HTTP and HTTPS URL Identifiers) for more information."
> Ok. This is what I took away from a simple reading...for use in coding
> duties:-
>
> A. fragment identifiers on user input are to be removed. Do not remove
> the separator.

Good thing we didn't call it final just yet. In my mind the separator
was part of the fragment, but re-reading the URI RFC it clearly is
not and you are right.

Thanks for spotting this one!

> 11.2 mentions that RP-Discovery on the final URI is mandatory, and a
> consumer's test for assertion validity requires the act of performing
> discovery. It also states that "If the Claimed Identifier in the
> assertion is a URL and contains a fragment, the fragment part MUST NOT
> be used for the purposes of verifying the discovered information."
>
> From what I read between the lines, the redirects and delegation rules
> may ultimately result in a positively asserted Claimed identity that has
> fragment identifiers.
>
> I'm totally unclear which variety of all these URI rewrites the consumer
> website UI is supposed to show the user, when showing a landing page
> post-login. Presumably, it's the positively asserted, as discovered,
> Claimed Identity URI (with any fragments).

Yes, the claimed_id in a positive assertion can have a fragment.

As with a number of things, it is then up to the RPs what they use
for display - whether it's the full claimed identifier (in my view
this would defeat part of the identifier recycling solution), the
fragment-less identifier, or some other local user / nick name. This
is the recommendation we're making in the section "11.5 Identifying
the end user":

"The Claimed Identifier MAY be used as a user-visible Identifier.
When displaying URL Identifiers, the fragment MAY be omitted."

Johnny
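
An added example, not part of the original message or of any OpenID library: a Python sketch of how a relying party could apply the fragment rules discussed in this thread, stripping the fragment from user input (Section 7.2), ignoring it when checking discovered information (Section 11.2), and omitting it for display (Section 11.5). The function names, the `keep_delimiter` switch, the example.com identifiers and the choice to key local accounts on the full claimed_id (so a recycled URL with a new fragment is a different user) are assumptions of this example.

```python
def strip_fragment(url, keep_delimiter=False):
    """Remove the fragment part of a URL.

    keep_delimiter=True leaves the '#' separator in place, which is the
    literal reading of Draft 12 discussed in the thread (assumption: most
    callers want the separator gone as well, hence the default).
    """
    # In a URI the fragment starts at the first '#'.
    base, sep, _fragment = url.partition("#")
    return base + sep if keep_delimiter else base


def login(claimed_id, discovered_id, accounts):
    """Process a positive assertion at a hypothetical relying party.

    claimed_id    -- openid.claimed_id from the assertion (may carry a fragment)
    discovered_id -- claimed identifier obtained by the RP's own discovery
    accounts      -- dict acting as the RP's local account store
    """
    # Section 11.2: the fragment MUST NOT be used when verifying
    # the discovered information.
    if strip_fragment(claimed_id) != strip_fragment(discovered_id):
        raise ValueError("claimed_id does not match discovered information")

    # Assumption: the account key is the full claimed_id, fragment included,
    # so a new owner of a recycled URL does not inherit the old account.
    # Section 11.5: the fragment MAY be omitted for display.
    return accounts.setdefault(
        claimed_id, {"display": strip_fragment(claimed_id), "key": claimed_id}
    )


if __name__ == "__main__":
    # Constructed sample identifiers: the same URL asserted with two
    # different fragments, as after identifier recycling.
    store = {}
    discovered = "https://example.com/alice"
    old = login("https://example.com/alice#2007a", discovered, store)
    new = login("https://example.com/alice#2009b", discovered, store)
    print(old["display"], new["display"], len(store))
```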