[OpenID] Calling OpenID 2.0 editors (was RE:Problems withOpenID and TAG httpRange-14)

John Kemp john at jkemp.net
Thu Mar 6 19:55:56 UTC 2008


Eddy Nigg (StartCom Ltd.) wrote:
> John Kemp:
>>
>> But given that the claimed_id now will be the result of following 
>> redirects, it would be my assertion that if the claimed_id has been 
>> obtained by following 302/303/307 redirects that it is quite possibly 
>> not actually the user's intended OpenID.
>>   
> Why this assumption?

There can't be an assumption - that's my point.

> You could for example submit example.com as your 
> ID, which would be naturalized to http://example.com/ which in turn 
> would be redirected to https://example.com which would return the 
> claimed ID https://john.example.com/

If that is a *temporary* redirect (302/307), how can the RP say that 
<https://john.example.com/> is my "claimed" identifier with any real 
assurance? How long should the RP think of that as my identifier if they 
got it via a 302/307?

And what if I use 303, and want to use <http://example.com> as my OpenID 
indicator of the "natural person" me, rather than the XRDS document 
which is at <https://example.com/john/ops.xrds> and is not actually me, 
but simply the OpenID document representation that tells the protocol 
where to find my OP?

> 
> There could be additional steps in this scenario, all be redirects and 
> relocations, however whatever is returned to the RP at the end of the 
> process as the claimed_id is...well, the claimed ID....

In the case of a 301, I think that's reasonable, but I don't think that 
an RP should be (for example) publishing the claimed ID that results 
from following the results of a 302/307 or 303 redirect.

I agree that there's no issue per se for the OpenID protocol itself 
(which cares only that there /is/ a claimed ID), but I do think there is 
an issue in user understanding of what their OpenID actually is, in the 
cases where the user wishes to indicate certain things by using HTTP 
semantics correctly.

At the very least, if we do want to have redirects followed in every 
case, it should be explained that a user/OP may want to avoid utilizing 
certain features of HTTP (such as 302/307 and 303 redirects) in setting 
up his OpenID/XRDS file.

I do think it would be a shame if OpenID, with the notion of HTTP URIs 
deeply embedded, were to not make best use of HTTP semantics.

- johnk


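As an added illustration (not part of this thread or of any OpenID library), the redirect policy argued above expressed in code: an RP follows the discovery chain, and only a chain made entirely of 301s justifies storing or publishing the final URL as the claimed identifier; a 302/307 hop yields a non-durable result and a 303 hop keeps the user's own URL as the identifier. The response table and the helper names are constructed for the example.com scenario quoted in the message.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed responses for the scenario in the thread: (status, Location).
# A 200 ends the chain; bodies are omitted since only the hops matter here.
RESPONSES = {
    "http://example.com/": (302, "https://example.com/"),
    "https://example.com/": (302, "https://john.example.com/"),
    "https://john.example.com/": (200, None),
}

def normalize(identifier):
    """Rough OpenID-style normalisation: default scheme, default path."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    p = urlsplit(identifier)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))

def follow_redirects(url, responses, limit=10):
    """Walk the chain; return the final URL and the status code of every hop."""
    hops = []
    for _ in range(limit):
        status, location = responses.get(url, (404, None))
        if status in (301, 302, 303, 307) and location:
            hops.append(status)
            url = location
        else:
            return url, hops
    raise RuntimeError("too many redirects")

def classify_claimed_id(user_input, responses):
    """Decide what an RP may treat as the durable claimed identifier.

    Policy (the argument made in this message, not OpenID 2.0 spec text):
    only an all-301 chain justifies persisting the final URL; any 302/307
    or 303 hop means the final URL is not the user's intended identifier.
    """
    start = normalize(user_input)
    final, hops = follow_redirects(start, responses)
    if not hops:
        return {"claimed_id": start, "durable": True, "reason": "no redirects"}
    if all(h == 301 for h in hops):
        return {"claimed_id": final, "durable": True, "reason": "permanent chain"}
    if 303 in hops:
        # 303 says the target *describes* the resource; keep the user's URL.
        return {"claimed_id": start, "durable": False,
                "reason": "303: final URL describes the identifier, is not it"}
    return {"claimed_id": final, "durable": False,
            "reason": "temporary redirect (302/307) in chain; do not persist"}

if __name__ == "__main__":
    print(classify_claimed_id("example.com", RESPONSES))
```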