[OpenID] Temporarily redirecting one's identity?
johnny at sxip.com
Sun Jan 7 03:10:06 UTC 2007
On 6-Jan-07, at 5:35 AM, Martin Atkins wrote:
> Martin Atkins wrote:
>> I believe that the spec doesn't make any distinction between
>> and temporary redirects: any kind of redirect serves as a
>> "canonicalization step" (so, for example,
>> http://www.livejournal.com/users/frank/ becomes
>> http://frank.livejournal.com/) and so the ultimate destination URL is
>> used as the claimed identifier. (In other words, LiveJournal is
> I don't know why I didn't realise this when I was last replying,
> but the
> reason for the inconsistency between LiveJournal and the JanRain
> is that LiveJournal's RP is still using the 1.1 protocol without
> so it's seeing your <link rel="openid.server" ... /> and thus never
> seeing the redirect to the XRDS document. The JanRain library has been
> updated to prefer Yadis over OpenID's own discovery.
> Really there are two sets of rules in play here. OpenID (without
> says that the claimed_identity is the result of following all
> However, when Yadis is in play the discovery part of OpenID is not
> and the claimed_identity is (presumably) the URL at which Yadis
> discovery succeeded.
The claimed identifier is defined in the same way for both Yadis and
HTML-Based discovery, i.e. the final URL after following all
redirects (+ normalization).
> The successful Yadis URL needs to be defined by
> Yadis. However, I can't actually see anywhere in the Yadis spec that
> defines RP behavior when a redirect is received.
> So this behavior is (unless I'm missing the key part of the Yadis
> undefined in the Yadis case. It might be a good idea to define this in
> an errata while we still only have a small number of Yadis
> implementations to worry about.
I read the Yadis spec the same way - it doesn't say anything about
redirects, or that the result of the discovery process includes the
URL which the XRDS describes. As a "consumer" of the spec, I take it
is left for the protocol / application that uses Yadis to define
whatever behavior they want -- and OpenID does that currently.
Admittedly, as we implemented Yadis and then OpenID, and recognized
the need to know the final URL, we put that functionality in the
Yadis implementation as an extra feature, so that OpenID doesn't have
to perform a new (set of) HTTP call(s) for the required normalization.
If it is decided that it's best for this to be part of the Yadis
spec, it will need some careful consideration. As
Sam selectively issues redirects based on the presence of a certain
header in the request, he effectively points RPs to different URLs
(which will become later on different claimed identifiers), depending
on how they formulate the requests.
In such a configuration, one could even argue that the URL can no
longer serve as an "identifier", since it Locates different Resources
based on the parameters of the request (which are not part of the URL
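
The divergence discussed in this message, as an added example that is not part of the original post or of any OpenID library: a Yadis-first RP and an HTML-discovery-only RP follow the same "final URL after redirects + normalization" rule yet arrive at different claimed identifiers when the server redirects selectively. The host names, the routing function and the use of an Accept: application/xrds+xml header as the redirect trigger are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

XRDS = "application/xrds+xml"  # assumed trigger header value for the selective redirect
REDIRECTS = (301, 302, 303, 307)

def constructed_server(url, accept):
    """Constructed stand-in for an identity host; returns (status, location).
    It redirects only when the request advertises XRDS support."""
    if url == "http://example.org/sam" and XRDS in accept:
        return 302, "http://idp.example.net/sam/"
    return 200, None

def normalize(url):
    """Minimal normalization: lowercase scheme and host, drop fragment, empty path -> '/'."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def claimed_identifier(user_input, accept, fetch=constructed_server, max_hops=5):
    """Follow all redirects, normalizing each hop; the final URL is the claimed identifier."""
    url = normalize(user_input)
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            raise ValueError("redirect loop at " + url)
        seen.add(url)
        status, location = fetch(url, accept)
        if status not in REDIRECTS or not location:
            return url
        url = normalize(location)
    raise ValueError("too many redirects")

def discovery_views(user_input):
    """Claimed identifier as derived by each style of RP for the same user input."""
    return {
        "yadis": claimed_identifier(user_input, accept=XRDS),
        "html": claimed_identifier(user_input, accept="text/html"),
    }

def is_stable(user_input):
    """Operator-side check: True when both discovery styles agree on one identifier."""
    return len(set(discovery_views(user_input).values())) == 1

if __name__ == "__main__":
    print(discovery_views("HTTP://Example.org/sam"), is_stable("HTTP://Example.org/sam"))
```

Running is_stable against one's own identity URL before publishing a conditional redirect shows whether different RPs would end up binding accounts to different identifiers.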