[OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Kevin Turner
kevin at janrain.com
Sat Jan 12 02:21:29 UTC 2008
On Fri, 2008-01-11 at 03:57 -0800, Trevor Johns wrote:
> Is there any way to selectively redirect OpenID traffic to HTTPS without
> affecting normal traffic?
I've had a few variations on this question come up recently. e.g.
wanting to somehow customize the identifier page for OpenID clients, or
for usage statistics. Unfortunately, I came to the same conclusion that
you have, which is that there is no reliable way to do this.
For your case, Johnny's answer is a reasonable one (send back the HTTPS
version of the identifier in the claimed_id response field), but only
version 2 RPs will understand that claimed_id; trying to send back a
different identifier to OpenID version 1 RPs may or may not work.
The other thing you should be aware of is that I still run in to RPs
from time to time that cannot fetch HTTPS documents. They probably
ought to be treated as broken and uncooperative, but that may factor in
to your decision.
More information about the general
mailing list