URL redirection truncation problems

Manuel Lemos mlemos at acm.org
Tue Dec 7 10:08:03 UTC 2010


Hello,

on 12/06/2010 10:59 PM Breno de Medeiros said the following:
>> I have developed my implementation of OpenID (consumer and provider). In
>> general it works well and it has been used in sites that authenticate
>> hundreds of thousands of users.
>>
>> The problem is that once in a while I get warnings from my system regarding
>> missing required attributes or invalid signatures.
>>
>> Looking closer at the problem I realized that in some cases the OpenID
>> provider redirects the users back to the consumer sites but the user
>> browsers are truncating URLs apparently at 400 characters.
>
> This could happen in some mobile devices.
>
> There are, AFAIK, only a few approaches to address this problem.
>
> - Choose to not support such user agents.
>
> - Providers might add detection for the problematic user-agents and
> change their handling to use a POST redirect. But keep in mind that
> this fix still is short of ideal:
> -- Sometimes these devices also do not support JavaScript, in which case
> POST redirects require an additional confirmation dialog.
> -- POST redirects from https to http result in scary warning dialogs in
> some browsers. Avoiding this warning requires providers to invent some
> proprietary redirect with short URLs from the https location to an
> http location and start the POST operation from the http location. A
> better solution would be for RPs to implement SSL return_to URLs, but
> this has not been often done.

Better not. I am already having a hard time because I tried to make the
OpenID URL open inside an iframe to make it look integrated with the 
consumer site. What happens is that some browsers refuse to accept 
cookies because consumer and provider domains are not the same.

So I would rather avoid hacks that do not work in all browsers and give 
me a lot of work trying to support browsers with unexpected behavior.


> - OpenID might define an 'artifact'-type workflow, as for instance,
> the one proposed by the Artifact Binding WG, and shorten URLs of both
> requests and responses to below 400 characters.

I am not sure what this means. Does it mean that there is already
something able to make redirect URLs shorter, or is it maybe something that
future specs may support?


-- 

Regards,
Manuel Lemos

JS Classes - Free ready to use OOP components written in JavaScript
http://www.jsclasses.org/

