[OpenID] Problems with OpenID and TAG httpRange-14
Peter Williams
pwilliams at rapattoni.com
Tue Mar 4 18:49:41 UTC 2008
"URL Identifiers MUST then be further normalized by both following redirects when retrieving their content and finally applying the rules in Section 6 of [RFC3986] (Berners-Lee, T., "Uniform Resource Identifiers (URI): Generic Syntax," .) to the final destination URL. This final URL MUST be noted by the Relying Party as the Claimed Identifier and be used when requesting authentication (Requesting Authentication). "
Hmm. I tend to agree with you: its that term "final destination URL".
I think a "final URL" is a "final destination URL" that has been normalized using 3986. The final URL is of course a function of the URL Identifier, and gets cast as a Claimed Identifier.
From: Noah Slater
Sent: Tue 3/4/2008 10:30 AM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] Problems with OpenID and TAG httpRange-14
On Tue, Mar 04, 2008 at 10:25:15AM -0800, Peter Williams wrote:
> I only normalized the user input.
The OpenID spec says:
Consumers MUST canonicalize the Identifier URL, following redirects, and note
the final URL. The final, canonicalized URL is the End User's Identifier.
I think this clearly indicates that the URI must be canonicalised to "/about/".
> My SP openid engine does not know how many redirects (if any) are followed when
> locating the HTML page.
No, but according to the spec you must replace the initial URI with the final one.
As I pointed out, though I'm not sure the references got through the HTTP RFC
and the TAG httpRange-14 findings clearly show that is is incorrect behaviour.
--
Noah Slater <http://bytesexual.org/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080304/2e7012dc/attachment-0002.htm>
More information about the general
mailing list