[OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)

John Kemp john at jkemp.net
Thu Mar 6 18:30:11 UTC 2008


Manger, James H wrote:
> Earlier emails on this topic:
> 1. [Jan 2007] Temporarily redirecting one's identity?
>    http://openid.net/pipermail/general/2007-January/000946.html
> 2. [Nov 2007] "303 See Other" should not change Claimed ID
>    http://openid.net/pipermail/general/2007-November/003681.html
> 
> The 2nd of these emails makes exactly the same argument as Noah,
> with a few other wrinkles. It was ignored :-(
> 
> The 1st, by Sam Ruby, provides a use-case for using redirects
> but not changing the claimed id.

Regarding Sam's issue, it seems the spec. fix was to follow redirects in 
all cases, and for the claimed_id to be the URI obtained by following 
redirects.

The question is whether Sam wanted his claimed_id to be the original 
one, or the one obtained by following redirects. And by setting up a 301 
it's probably reasonable to say "yes" - one identifier is now equivalent 
to the other, as decided by some combination of the OP and user.

The problem is really with the 302/307, and 303 redirects, where it is 
probably NOT appropriate to consider the two URIs equivalent (as you 
mention in your linked email above, and which relates closely to Noah's 
concern).

> I would still like to see a fix.

Sure, but what is the process for getting there?

> I suspect very few existing OpenIDs use
> 303, and those that explicitly chose it are likely to want its specific
> HTTP semantics.

The problem shows up in the user interface, as Noah pointed out. What 
should an RP or OP claim/display as the user's OpenID?

It would be nice if they could consider the claimed_id as the user's 
OpenID.

But given that the claimed_id now will be the result of following 
redirects, it would be my assertion that if the claimed_id has been 
obtained by following 302/303/307 redirects that it is quite possibly 
not actually the user's intended OpenID.

- johnk

> 
> James Manger
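
The distinction drawn in the message above, as an added example that is not part of the original email or of any OpenID library: it compares the claimed identifier obtained by following every redirect with a hypothetical "permanent only" rule under which only a 301 moves the identifier. The function name, the policy names and the URLs are constructed for illustration, and the redirect chain is passed in as data so nothing is fetched.

```python
from urllib.parse import urljoin

PERMANENT = {301}            # "one identifier is now equivalent to the other"
TEMPORARY = {302, 303, 307}  # equivalence is probably not intended

def resolve_claimed_id(user_input, hops):
    """Compare two ways of deriving a claimed_id from a redirect chain.

    hops is a list of (status, Location header) pairs observed while
    fetching user_input. 'permanent_only' is a hypothetical policy used
    here for illustration, not a rule taken from the specification.
    """
    current = claimed = user_input
    temporary_seen = False
    for status, location in hops:
        if status not in PERMANENT | TEMPORARY:
            raise ValueError(f"not a redirect status handled here: {status}")
        # Location may be relative; resolve it against the URL just fetched.
        current = urljoin(current, location)
        if status in TEMPORARY:
            temporary_seen = True
        # Once a temporary hop has been crossed, later hops (even 301s)
        # say where the document lives now, not what the identifier is.
        if not temporary_seen:
            claimed = current
    return {
        "follow_all": current,          # URI reached after every redirect
        "permanent_only": claimed,      # URI reached via 301s only
        "diverges": current != claimed, # worth flagging before display
    }

if __name__ == "__main__":
    # Constructed chain: a 301, then a 302 to another host, then a 301 there.
    chain = [
        (301, "https://example.com/alice"),
        (302, "https://op.example.org/u/alice"),
        (301, "/users/alice"),
    ]
    print(resolve_claimed_id("http://example.com/alice", chain))
```

A relying party could use the `diverges` flag to decide which identifier to show the user, which is the user-interface question raised in the message.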