[OpenID] Temporarily redirecting one's identity?

Recordon, David drecordon at verisign.com
Thu Jan 4 15:10:23 UTC 2007

Hey Sam,
I'm surprised the LJ implementation chooses the former since even the
1.1 spec in Brad's original form (http://openid.net/specs/specs-1.1.bml)
> Note that the user can leave off "http://" and the trailing
> "/". A consumer must canonicalize the URL, following redirects
> and noting the final URL. The final, canonicalized URL is the
> user's identity URL.

The 2.0 spec then says:
> URL identifiers MUST then be further normalized by both
> following redirects when retrieving their content and
> finally applying the rules in Section 6 of [RFC3986]
> (Berners-Lee, T., "Uniform Resource Identifiers (URI):
> Generic Syntax," .) to the final destination URL. This
> final URL MUST be noted by the Relying Party as the
> Claimed Identifier and be used during future requests.


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Sam Ruby
Sent: Thursday, January 04, 2007 4:47 AM
To: general at openid.net
Subject: [OpenID] Temporarily redirecting one's identity?

Oh, dear.  I may have found an edge case.  And documented it in a manner
that others may follow.

The documentation is here: 

The issue is that when somebody requests http://intertwingly.net/blog/
and specifies an Accept: application/xrds+xml header on the request, I
do a temporary 302 redirect to http://intertwingly.net/public/yadis.xrdf

The question is: when the identity validation is done, what should the
RP view as my identity?  The original URI (.../blog/) or the "temporary"

one (.../yadis.xrdf)?

LiveJournal (http://www.livejournal.com/openid/) choses the former. 
JanRain (http://www.openidenabled.com/resources/openid-test/checkup)
choses the latter.

IMO, independent of whether or not I should be doing the redirect, the
spec should be clear and one or both of these implementations should be
changed to conform.

My two cents is that the answer should depend on whether it was a
permanent redirect (301) or a temporary redirect (302) which was

However, if consensus forms on this mailing list, I'll update my
tutorial accordingly.

- Sam Ruby
general mailing list
general at openid.net

More information about the general mailing list