[OpenID] Temporarily redirecting one's identity?

Sam Ruby rubys at intertwingly.net
Sat Jan 6 16:04:03 UTC 2007 

Martin Atkins wrote:
> Martin Atkins wrote:
>> I believe that the spec doesn't make any distinction between permanent 
>> and temporary redirects: any kind of redirect serves as a 
>> "canonicalization step" (so, for example, 
>> http://www.livejournal.com/users/frank/ becomes 
>> http://frank.livejournal.com/) and so the ultimate destination URL is 
>> used as the claimed identifier. (In other words, LiveJournal is "wrong".)
> 
> I don't know why I didn't realise this when I was last replying, but the 
> reason for the inconsistency between LiveJournal and the JanRain library 
> is that LiveJournal's RP is still using the 1.1 protocol without Yadis, 
> so it's seeing your <link rel="openid.server" ... /> and thus never 
> seeing the redirect to the XRDS document. The JanRain library has been 
> updated to prefer Yadis over OpenID's own discovery.

I just checked my logs, and that is consistent with what I am seeing.

> == Permanent Redirects ==
> 
> When a 301 Moved Permanently response is recieved, the Yadis user-agent 
> MUST re-attempt the request at the new URI identified in the Location 
> response-header, and MUST use the new URI as the Yadis URL for the 
> remainder of the request.
> 
> Relying parties MAY, if it is practical and desirable, migrate any 
> existing data relating to the original URI to instead be related to the 
> new URI. A dependent service MAY, at its option, require such behavior 
> for RPs making use of that service.

Be aware that "permanent" redirects aren't always trustworthy.  Example:

http://www.nevon.net/nevon/2005/04/rss_feed_hijack.html

> == Temporary Redirects ==
> 
> When a 302 Found, 303 See Other or 307 Temporary Redirect response is 
> recieved, the Yadis user-agent MUST re-attempt the request (with the 
> behavior defined in the HTTP specification for each respective response 
> code), but MUST NOT use the new URI as the Yadis URL. That is, the Yadis 
> user-agent MUST request the new resource but act as if the result had 
> been retrieved from the original URI.
> 
> Relying parties MUST NOT migrate any records or data relating to the 
> original URI to the new URI.

Very nice.

- Sam Ruby

More information about the general mailing list