[OpenID] Problems with OpenID and TAG httpRange-14
John Kemp
john at jkemp.net
Tue Mar 4 21:04:15 UTC 2008
Noah Slater wrote:
>> It's considered (by OpenID) a canonical identifier for the user (which
>> has nothing in particular to do with it being a URL)
>
> Well, considering that OpenID relies on being able to dereference URIs via HTTP
> I would argue that the respective URI and HTTP RFCs are particularly important
> when deciding upon the appropriate canonicalisation behaviour of OpenID agents.
I definitely agree with you, but I will point out that forming a
canonical identifier for OpenID is important for that protocol too. But
for the detailed why, you may want one of the spec. authors to comment.
>
>> HTTP is a protocol for dereferencing URLs. Not a protocol for using them
>> as identifiers for users.
>
> No, but considering that OpenID is relying on the mechanics of HTTP it only
> makes sense to properly abide by the semantics explicitly provided by the RFC.
Again agreed.
>
> More explicitly, when HTTP says that 303 redirects should not be considered
> replacement resources it is important for the OpenID specification to make
> specific allowances for this when instructing agents how to canonicalise an
> identity that is based upon the HTTP mechanics of dereference.
>
>> It gets messy when they are combined, I agree, but I'm still not clear on
>> exactly what your issue is.
>
> My issue is that I cannot use any URI that 303 redirects to another resource as
> an OpenID identity because the specification (by oversight) ignores an important
> aspect of HTTP redirection mechanics in its identity canonicalisation process.
OK.
>
>> Can you explain specifically what you mean by "incorrectly canonicalize
>> and publish" in this case? What URI do you *want* to use as your OpenID?
>> What is your OpenID provider/RP doing that illustrates this issue?
>
> I want to use <http://bytesexual.org/> as my OpenID identity.
>
> When I use this identity with various OpenID enabled websites they follow the
> OpenID specification and canonicalise this to <http://bytesexual.org/about/>.
OK, so in OpenID terms that means (if I've got this right) that the RP
says to the OP that your claimed identifier is
<http://bytesexual.org/about/>.
To get there, the RP would have followed a redirect that you or your OP
set up from <http://bytesexual.org/> to <http://bytesexual.org/about/>.
The RP requested whatever was at <http://bytesexual.org/> which turned
out to be an HTTP 303, perhaps with some non-cacheable representation,
but perhaps with nothing else. The RP gets back a response containing a
link to <http://bytesexual.org/about/>, at which location is your XRDS
file.
>
> When the website in question publishes this OpenID (perhaps making a reference
> to me, for example blog comments) the URI used is the latter and not the former.
I believe the OP has both the option to itself choose some other
identifier than the claimed identifier to return to the RP, and also the
option to allow you the user to choose. So I would think it is possible
with the current spec for your identity provider to tell the blog where
you are making comments that it should use
<http://bytesexual.org/about/> to identify you.
I would guess that these things are dependent on the OP implementation
though?
Someone more knowledgeable than me about these kinds of details would
have to comment on what happens in practice...
>
>>> I see problems when OpenID does not allow me to assert a URI as my identity.
>> How does OpenID do that?
>
> I go to Example Blog and see an interesting article, I comment on it using my
> <http://bytesexual.org/> OpenID and the blog software canonicalises and displays
> my OpenID as <http://bytesexual.org/about/>.
>
> I have been prevented from using a specific URI in this instance because the
> OpenID specification ignores the semantics of the HTTP 303 redirection.
>
> Thanks,
Thanks for explaining your issue so well - I'm sorry if I seem dense,
but I'm just trying to understand the practical effect of this on the
OpenID protocol...
- johnk
>
> --
> Noah Slater <http://bytesexual.org/>
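To make the discovery step John describes concrete, here is an added simulation (not code from either poster or from any OpenID library) of an RP following redirects from a user-supplied identifier: the URL reached after the redirect chain becomes the Claimed Identifier, and a 303 is treated no differently from a 301 or 302, which is exactly why <http://bytesexual.org/> ends up as <http://bytesexual.org/about/>. The response table is constructed for the example, and the loop.example URLs are hypothetical.

```python
"""Simulated OpenID 2.0 URL discovery over a constructed response table.

No network traffic: CONSTRUCTED_RESPONSES stands in for what an RP would
receive. The final URL after redirects becomes the Claimed Identifier, so a
303 from http://bytesexual.org/ makes http://bytesexual.org/about/ the
identifier the RP canonicalises to and later publishes.
"""
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for HTTP responses: URL -> (status, Location, body)
CONSTRUCTED_RESPONSES = {
    "http://bytesexual.org/": (303, "/about/", ""),
    "http://bytesexual.org/about/": (200, None, "<xrds:XRDS>...</xrds:XRDS>"),
    "http://loop.example/a": (302, "/b", ""),   # hypothetical redirect loop
    "http://loop.example/b": (302, "/a", ""),
}

MAX_HOPS = 5  # RP-side limit so a redirect loop cannot stall discovery


class DiscoveryError(Exception):
    pass


def normalize(user_supplied: str) -> str:
    """Minimal OpenID-style normalisation: add a scheme, ensure a path."""
    if "://" not in user_supplied:
        user_supplied = "http://" + user_supplied
    parts = urlsplit(user_supplied)
    if parts.scheme not in ("http", "https"):
        raise DiscoveryError("only http/https identifiers are supported")
    return f"{parts.scheme}://{parts.netloc}{parts.path or '/'}"


def discover(user_supplied: str, fetch=CONSTRUCTED_RESPONSES.get):
    """Follow redirects as an RP would; return (claimed_identifier, hops).

    301, 302 and 303 are all followed the same way, which is the behaviour
    Noah objects to: the 303 target replaces the URL he supplied.
    """
    url = normalize(user_supplied)
    hops = []
    for _ in range(MAX_HOPS):
        resp = fetch(url)
        if resp is None:
            raise DiscoveryError(f"no response for {url}")
        status, location, body = resp
        if status in (301, 302, 303, 307) and location:
            hops.append((url, status))
            url = urljoin(url, location)  # resolve relative Location headers
            continue
        if status == 200 and "XRDS" in body:
            return url, hops
        raise DiscoveryError(f"discovery failed at {url} with status {status}")
    raise DiscoveryError("too many redirects")
```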