Redirect on YADIS ID de-reference?
Michael Graves
groupmg at gmail.com
Thu Nov 24 08:39:01 PST 2005
Martin Atkins <mart <at> degeneration.co.uk> writes:
>
> While this is not directly relevant, OpenID specifies that the
> "Permanent Redirect" response code act as a kind of canonicalizer for
> the identity URL. If the user enters http://frank.livejournal.com/ and
> gets back a redirect to http://www.franknet.com/ an OpenID consumer must
> behave as if the user had originally entered http://www.franknet.com/,
> including the display of the user's identity.

OK, I missed that. Thanks for the heads up. I will look for the HTTP 301
(Permanent Redirect) in my code and remap the URI, if it's different from that
submitted.

> A temporary redirect is a more difficult matter, since the server is
> saying "I'm temporarily putting this over there, but its real location
> is still here". I don't think OpenID was clear about what happens in
> this case.
>
> Other than these special cases, OpenID essentially leaves this all up to
> consumer local policy. There are some suggestions in the spec, but no
> concrete rules. If we think that YADIS needs to be a bit more specific,
> it's not hard to just pluck a good magic number out of the air and say
> that is the most that consumers are required to support.
>
> However, it's probably more useful to constrain time rather than number
> of redirects. A maximum total request time deals not only with redirect
> loops but also "tarpitting", where the remote server intentionally
> drip-feeds the consumer junk data in small chunks forever, consuming
> consumer resources for a request that will never end. The
> LWPx::ParanoidAgent CPAN module implements this and other paranoia
> necessary for a consumer fetching data from untrusted sources.
>
>
You're probably right about the time limit. When cycling through 302 redirects,
it's just easier to count the iterations and limit it that way. The time limit's
just a little more work for my lazy fingers...

I've used ParanoidAgent, and miss it, working as I am in Ruby. I have a side
project in the list to get that thing ported over to Ruby.
-Mike
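
The two limits discussed in this thread (a redirect count and a total time budget) combined with the 301 remapping rule, as an added Ruby example that is not code from either poster or from LWPx::ParanoidAgent. The names `resolve_identity`, `NET_HOP` and `FetchRefused`, the numeric limits, the scheme check, and the choice to fetch across temporary redirects without renaming the identity are assumptions standing in for consumer local policy.

```ruby
require 'net/http'
require 'uri'
require 'timeout'

# Added example; these limits and names are assumed local policy.
MAX_REDIRECTS = 5
TOTAL_SECONDS = 10
MAX_BODY      = 64 * 1024
REDIRECTS     = [301, 302, 303, 307].freeze
MONOTONIC     = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) }
class FetchRefused < StandardError; end

# One GET with no automatic redirect handling. The whole hop is bounded by the
# time left in the budget (drip-fed responses), and the body is capped.
NET_HOP = lambda do |uri, remaining|
  Timeout.timeout(remaining, FetchRefused) do
    Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      body = +''
      res = http.request_get(uri.request_uri) do |r|
        r.read_body do |chunk|
          body << chunk
          raise FetchRefused, 'body too large' if body.bytesize > MAX_BODY
        end
      end
      [res.code.to_i, res['location'], body]
    end
  end
end

# Follow redirects hop by hop. Only an unbroken run of 301s from the entered
# URL remaps the identity; temporary hops are fetched but do not rename it.
def resolve_identity(entered, hop: NET_HOP, clock: MONOTONIC,
                     max_redirects: MAX_REDIRECTS, budget: TOTAL_SECONDS)
  deadline = clock.call + budget
  url = identity = URI(entered)
  permanent_run = true
  (max_redirects + 1).times do
    remaining = deadline - clock.call
    raise FetchRefused, 'time budget exhausted' unless remaining.positive?
    raise FetchRefused, 'scheme not allowed' unless %w[http https].include?(url.scheme)
    status, location, body = hop.call(url, remaining)
    return { identity: identity.to_s, fetched: url.to_s, body: body } unless REDIRECTS.include?(status)
    raise FetchRefused, 'redirect without Location' if location.nil?
    url = URI.join(url.to_s, location)
    permanent_run &&= status == 301
    identity = url if permanent_run
  end
  raise FetchRefused, 'too many redirects'
end
```

The `hop:` and `clock:` parameters exist so the policy can be exercised against a constructed redirect table and a fake clock without touching the network.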