Redirect on YADIS ID de-reference?

Michael Graves groupmg at
Thu Nov 24 08:39:01 PST 2005

Martin Atkins <mart <at>> writes:

> While this is not directly relevant, OpenID specifies that the
> "Permanent Redirect" response code act as a kind of canonicalizer for
> the identity URL. If the user enters and
> gets back a redirect to an OpenID consumer must
> behave as if the user had originally entered,
> including the display of the user's identity.

OK, I missed that. Thanks for the heads up. I will look for the HTTP 301
(Permanent Redirect) in my code and remap the URI, if it's different from that

> A temporary redirect is a more difficult matter, since the server is
> saying "I'm temporarily putting this over there, but its real location
> is still here". I don't think OpenID was clear about what happens in
> this case.
> Other than these special cases, OpenID essentially leaves this all up to
> consumer local policy. There are some suggestions in the spec, but no
> concrete rules. If we think that YADIS needs to be a bit more specific,
> it's not hard to just pluck a good magic number out of the air and say
> that is the most that consumers are required to support.
> However, it's probably more useful to constrain time rather than number
> of redirects. A maximum total request time deals not only with redirect
> loops but also "tarpitting", where the remote server intentionally
> drip-feeds the consumer junk data in small chunks forever, consuming
> consumer resources for a request that will never end. The
> LWPx::ParanoidAgent CPAN module implements this and other paranoia
> necessary for a consumer fetching data from untrusted sources.

You're probably right about the time limit. When cycling through 302 redirects,
it's just easier to count the iterations and limit it that way. The time limit's
just a little more work for my lazy fingers...

I've used Paranoid agent, and miss it, working as I am in Ruby. I have a side
project in the list to get that thing ported over to Ruby.
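
The limits discussed in this thread (301 as canonicalizer, a cap on redirect hops, and a total time budget against tarpitting) combined in one Ruby routine, as an added example that is not code from either poster or from LWPx::ParanoidAgent. The names `resolve_identity`, `RedirectLimitError` and the `fetch` callable are hypothetical, and the handling of temporary redirects is an assumed local policy, since the thread notes OpenID was not clear on that case.

```ruby
require 'uri'

class RedirectLimitError < StandardError; end

# fetch: hypothetical callable (url, seconds_left) -> [status, location_or_nil].
# A real one would wrap Net::HTTP with open/read timeouts <= seconds_left.
def resolve_identity(url, fetch, max_hops: 5, budget: 10.0,
                     clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
  deadline = clock.call + budget   # one budget for the whole chain, not per hop
  canonical = current = url        # canonical = identity the consumer displays
  only_301_so_far = true
  seen = {}
  (max_hops + 1).times do
    left = deadline - clock.call
    raise RedirectLimitError, 'time budget exhausted' if left <= 0
    raise RedirectLimitError, "redirect loop at #{current}" if seen[current]
    seen[current] = true
    status, location = fetch.call(current, left)
    # Catches a tarpitting server that kept the request open past the budget.
    raise RedirectLimitError, 'time budget exhausted' if clock.call > deadline
    unless [301, 302, 303, 307].include?(status)
      return { canonical: canonical, fetched_from: current, status: status }
    end
    raise RedirectLimitError, 'redirect without Location' if location.nil?
    target = URI.join(current, location)
    raise RedirectLimitError, 'non-HTTP redirect target' unless target.is_a?(URI::HTTP)
    current = target.to_s
    # Assumed policy: only an unbroken run of 301s remaps the identity;
    # a temporary redirect changes where we fetch, not who the user is.
    only_301_so_far &&= (status == 301)
    canonical = current if only_301_so_far
  end
  raise RedirectLimitError, "more than #{max_hops} redirects"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed responses standing in for the network.
  routes = { 'http://id.example/' => [301, 'http://id.example/user/'],
             'http://id.example/user/' => [302, '/mirror/user'],
             'http://id.example/mirror/user' => [200, nil] }
  p resolve_identity('http://id.example/', ->(u, _left) { routes.fetch(u) })
end
```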

