URL canonicalization

Brad Fitzpatrick brad at danga.com
Wed Sep 14 14:58:08 PDT 2005


URL canonicalization isn't an OpenID-specific issue.

But as a rule:

-- protocol matters.
-- case of domain doesn't
-- you can remove :80 for http or :443 for https
-- add a slash if none exists
-- follow redirects until you reach a dead-end.

But any other difference you must treat as a new identity.


On Wed, 14 Sep 2005, Dan Libby wrote:

> Hi, in my database, I need to uniquely keep track of visitors that are
> logging in via remote OpenID servers.  The best key available is their
> identity url.  But that leaves me with a question about how exactly to
> canonicalize it, that the spec does not clearly address.
>
> The spec says:
>
> "Note that the user can leave off "http://" and the trailing "/". A
> consumer must canonicalize the URL, following redirects and noting the
> final URL. The final, canonicalized URL is the user's identity URL."
>
> Okay, so case-insensitivity is fairly obvious. I'm already lower-casing
> everything.  But what about http vs https?  For example, should
> "https://sally.people.com/" be treated as a separate identity from
> "http://sally.people.com/"?  Or should the protocol be ignored?
>
> I suppose the issue can be broadened to: the spec is a bit vague about
> canonicalization of identity URLs.  Can we get clarification?
>
> thanks,
>
> Dan Libby
>
>
>
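
The rules in the reply above, sketched as an added example (not code from the original thread or from any OpenID library). The function names, the `resolve` callback standing in for the HTTP fetch, the hop limit, the rejection of userinfo, and the `example.com` redirect table are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(url):
    """Apply only the syntactic rules; no network access."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url              # spec: user may leave off "http://"
    parts = urlsplit(url)
    scheme = parts.scheme                  # urlsplit lower-cases the scheme
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an http(s) identity URL: %r" % url)
    if parts.username or parts.password:   # assumption: refuse userinfo outright
        raise ValueError("userinfo not allowed in identity URL")
    host = parts.hostname.lower()          # case of domain doesn't matter
    if ":" in host:
        host = "[%s]" % host               # restore IPv6 literal brackets
    port = parts.port
    if port not in (None, DEFAULT_PORTS[scheme]):
        host = "%s:%d" % (host, port)      # only :80/http and :443/https drop
    path = parts.path or "/"               # add a slash if none exists
    # Scheme, path case, query and fragment are kept as given:
    # any other difference is a new identity.
    return urlunsplit((scheme, host, path, parts.query, parts.fragment))

def canonicalize(url, resolve, max_hops=10):
    """Follow redirects to a dead end. resolve(url) returns the redirect
    target (absolute or relative) or None; it is a hypothetical stand-in
    for the consumer's HTTP client."""
    current = normalize(url)
    seen = {current}
    for _ in range(max_hops):
        target = resolve(current)
        if target is None:
            return current                 # dead end: this is the identity URL
        # normalize() rejects non-http(s) targets on every hop
        current = normalize(urljoin(current, target))
        if current in seen:
            raise ValueError("redirect loop at %s" % current)
        seen.add(current)
    raise ValueError("too many redirects")

# Constructed redirect table, not real servers.
REDIRECTS = {
    "http://sally.example.com/": "http://id.example.com/sally",
    "http://id.example.com/sally": "/users/sally",
}
```

Store the value returned by `canonicalize` as the database key; comparing raw user input instead would let `Sally.Example.COM:80` and `sally.example.com/` create two accounts for one identity.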

