[OpenID] User and password instead of OpenID URL?
Martin Atkins
mart at degeneration.co.uk
Sun Nov 4 14:42:12 UTC 2007
Christopher St John wrote:
> On 10/31/07, Martin Atkins <mart at degeneration.co.uk> wrote:
>> thomas Armstrong wrote:
>> That is, if the user enters the username "fred" you could transform it
>> into http://fred.example.com/ before doing the OpenID request, thus
>> avoiding the need to enter a URL.
>>
>
> Section 7.2 "Normalization", rule (3) says that you have to prefix un-
> schemed identifiers with "http://" and use them like that. It's clear
> that http://fred is never going to resolve to anything sensible, but
> would it still be breaking the rules to transform it to
> http://fred.example.com?
>
I would consider this to be a UI decision, and thus out of the scope of
the spec. It's true that some rules are given for turning "what the user
entered" into a URL, but how you determine "what the user entered" is up
to you.
Some RPs like to present a drop-down list for users to pick a predefined
provider, like this:

 __________________    ________________________________
| AOL            |V|  | MyScreenName                   |
""""""""""""""""""""   """"""""""""""""""""""""""""""""
| AOL              |
| LiveJournal      |
| Vox              |
| TypeKey          |
| OpenID           |
 ------------------

My suggestion is really just a special case of this with some "do what I
mean" magic.
Obviously if your system allows usernames containing dots then you have
some ambiguity and this approach probably wouldn't work out for you.[1]
-----------
[1] You could perhaps argue that an entirely numeric username is
ambiguous because IP addresses can technically be written out as an
unsigned 32-bit integer rather than dotted-quad notation, but in
practice I don't think anyone really depends on being able to do this,
and most sites wouldn't know what to do with it anyway because they
depend on the Host: header being set to some domain name.
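
The username shortcut described in this message, combined with the rule (3) fallback from the quoted question, as an added example that is not part of the original post. `resolve_login_input`, `PROVIDER_DOMAIN` and the `numeric_is_username` switch are hypothetical names, and the XRI checks follow rules (1) and (2) of the same normalization section, which the thread does not discuss.

```python
import re

# Assumption: usernames map to subdomains of this provider domain.
PROVIDER_DOMAIN = "example.com"

# One DNS label: letters, digits, inner hyphens, 1-63 chars, no dots.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
_HTTP = re.compile(r"https?://", re.IGNORECASE)
_XRI_START = ("=", "@", "+", "$", "!", "(")


def resolve_login_input(entered, numeric_is_username=True):
    """Return (kind, identifier) for the text typed into the login box."""
    text = entered.strip()
    # Normalization rules 1 and 2: XRIs are not URLs; pass them through.
    if text.lower().startswith("xri://"):
        text = text[6:]
    if not text:
        raise ValueError("empty identifier")
    if text.startswith(_XRI_START):
        return ("xri", text)

    # "Do what I mean": a single dot-free label is taken as a username.
    # Anything with a dot, slash, colon or space never reaches this
    # branch, so the expansion cannot be steered to another host.
    label = text.lower()
    if _LABEL.fullmatch(label):
        if numeric_is_username or not label.isdigit():
            return ("username", f"http://{label}.{PROVIDER_DOMAIN}/")

    # Normalization rule 3: anything else is a URL; add http:// if the
    # user typed no http/https scheme, and drop any fragment.
    if not _HTTP.match(text):
        text = "http://" + text
    return ("url", text.split("#", 1)[0])
```

Setting `numeric_is_username=False` sends all-digit input down the plain rule (3) path instead, which is the conservative reading of the footnote.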