[OpenID] Scheme in OP-Local ID

Jack jack at jackpot.uk.net
Thu Sep 6 18:51:51 UTC 2007 

As so often happens, I have replied to the poster rather than the list. 
Poo. Let's try again:

Martin Atkins wrote:
> Jack wrote:
>> Hi,
>> 
>> Are the following two OP-Local identifiers the same identifier?
>> 
>> 1)   http://user.example.com/ 2)   https://user.example.com/
>> 
>> What about this one? 3)   http://USER.EXAMPLE.COM/
>> 
>> I can't see anything in the spec that says that an OP-Local
>> identifier can have more than one string representation. I also
>> can't see anything that says it can't; but if it can, then I would
>> have expected to find some prose explaining what restrictions
>> should be enforced.
>> 
>> I would suppose that 1) and 2) are different identifiers, and that
>> 3) is the same as 1).
>> 
>> 
> 
> The clue is in the name! :)
> 
> An OP-local identifier can be interpreted in any way the OP likes.
> 
> LiveJournal, for example, just uses a regex to extract the username 
> portion of the URL, so your OP-local identifier is fine as long as it
>  matches LJ's regex.

OK, so I'm suffering from terminological confusion.

* The claimed_id is the id the user enters into the openid login box,
   and may be displayed as the "you are logged in as..." value by the RP.

* The OP-local is a string that means something to the OP, and is cited
   in the users's 2.0 <link rel=""> tag (for HTTP discovery), and in
   their XRDS document. It is the same as the "delegate" from 1.0 and
   1.1. I thought this was the "canonical" userid, i.e. the one
   recognised by the OP.

As far as I can see, there is no other identifier (unless we start
tangling with XRI). But in OpenID, the user's identifier is supposedly a
URL. If the OP-local is ANY STRING, then the URL referred to must be the
claimed_id. But the claimed_id is subject to normalisation, and need not
be a valid URL _as entered_ (and as displayed by the RP).

So the URL we were referring to is only of interest as the outcome of
normalisation? That normalised URL is only used for Yadis/HTML
resolution, which in turn gives rise to a OP-local (or delegate, as the
case may be).

So (supposing your claimed_id is a URL, whether trimmed or complete),
that MIGHT be case-insensitive with respect to the hostname, depending
on how the RP works; and it MIGHT redirect http to https (if that's what
the RP wants to do). Is that right?

If that is right, then the "URL" isn't a URL - because hostnames in URLs
are case-insensitive.


Thanks for explaining,
-- 
Jack.

More information about the general mailing list