[OpenID] Selectively Redirecting OpenID Traffic To HTTPS

Johnny Bufu johnny at sxip.com
Fri Jan 11 18:38:25 UTC 2008


On 11-Jan-08, at 6:18 AM, Trevor Johns wrote:
> The user-agent isn't a reliable mechanism to use for this, and the
> location being requested certainly isn't unique to OpenID clients,
> which really only leaves the accept header. However, according to the
> Yadis spec this isn't strictly required to be present.

Another possibility is to have the OP perform the "redirect" (without  
any HTTP redirects configured for your webpage / identifier URL).

This is how it works:
- RP performs discovery on the HTTP identifier
- OP receives request with the claimed_id = HTTP identifier
- OP sends back assertion with the claimed_id = HTTPS identifier


Johnny
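
The flow above seen from the RP's side, as an added example that is not part of the original post: under OpenID Authentication 2.0 (section 11.2), when the asserted claimed_id differs from the identifier the RP discovered on, the RP must run discovery on the asserted identifier and confirm it delegates to the asserting OP. The URLs and the in-memory discovery table are constructed, and signature verification is assumed to happen elsewhere.

```python
# Added illustration, not code from the post. All identifiers are constructed.
# Stand-in for Yadis/HTML discovery: identifier -> (OP endpoint, OP-local id).
DISCOVERY = {
    "http://alice.example/": ("https://op.example/server", "https://op.example/alice"),
    "https://alice.example/": ("https://op.example/server", "https://op.example/alice"),
    "https://bob.example/": ("https://other-op.example/server", "https://other-op.example/bob"),
}


class AssertionRejected(Exception):
    """The positive assertion must not be used to log the user in."""


def discover(identifier):
    try:
        return DISCOVERY[identifier]
    except KeyError:
        raise AssertionRejected(f"discovery failed for {identifier}")


def accept_assertion(requested_id, assertion):
    """Return (claimed_id to key the account on, whether the OP changed it)."""
    if assertion.get("openid.mode") != "id_res":
        raise AssertionRejected("not a positive assertion")
    # The fragment is not part of the URL used for discovery.
    asserted_id = assertion["openid.claimed_id"].split("#", 1)[0]
    # Discovery done on requested_id says nothing about asserted_id, so the
    # asserted identifier is discovered in its own right before it is trusted.
    endpoint, local_id = discover(asserted_id)
    if assertion["openid.op_endpoint"] != endpoint:
        raise AssertionRejected(f"{asserted_id} does not delegate to this OP")
    if assertion["openid.identity"] != local_id:
        raise AssertionRejected("OP-local identifier mismatch")
    return asserted_id, asserted_id != requested_id


# Constructed assertions. The RP started both flows with http://alice.example/.
UPGRADE = {  # OP answers with the HTTPS form of the same identifier
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://op.example/alice",
}
FOREIGN = dict(UPGRADE, **{"openid.claimed_id": "https://bob.example/"})

if __name__ == "__main__":
    print(accept_assertion("http://alice.example/", UPGRADE))
```

The RP ends up keying the account on the HTTPS identifier, while an assertion for an identifier whose own discovery points at a different OP is refused.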



