Trailing Slash?

Anas M. Nebuchadnezzar XXXVII Duck at kronkltd.net
Mon Oct 17 14:36:07 PDT 2005


Zefiro wrote:
> Hi, Chris
>
>   
>>   NOTE: The consumer SHOULD append a trailing slash if appropriate, and
>>   if the login fails without the slash appended. Note also that a server
>>   SHOULD NOT recognize two identity URLs that differ only by a trailing
>>   slash.
>>     
> please note that IRIs with and without trailing slash (with non-empty paths) are indeed different. Most servers are configured
> to accept requests with a missing trailing slash and silently 301 REDIRECT you to the correct IRI.
>
> I am a bit lost concerning empty path arguments. If I try to
>   
>> telnet proxy.example.com 3128
>> HEAD HTTP/1.1
>> host: www.livejournal.com
>>     
> I get an error. I wouldn't know how to even ask for an empty path if I were a user agent. But I assume I'd also get a 301 REDIRECT.
>
> So if you want to change something then add to the spec that the delegate URI (is OpenID IRI-capable?) will not be processed by
> the consumer, but 301 REDIRECTs will be followed. Which I think would be sensible to do IF it were a thing for the consumer to
> do.
>
> But as I understand it, it is not. Instead, the delegate URI is taken as-is and the OpenID-server is asked whether the user in
> question owns this URI. I'm not sure if it should be up to the client, to the server or to none of them to check for redirects
> on the delegate URI. To my understanding of the current specs the delegate URI does not even have to exist or belong to the user
> or anyone at all. All that's required is that the claimed identity uses this as a token to give to the OpenID-server, which then
> does whatever he wants with it (usually checking if he can confirm a relationship between the user and the URI).
>
> *purrrr*
>   

The only problem with this is, the consumer has no need to pull up that 
delegate url. The consumer just sends the value 
of openid.delegate to the location specified in openid.server. Correct 
me if I'm wrong, but I believe that the url specified in openid.delegate 
need not necessarily resolve to a valid page so long as the server is 
capable of asserting an identity for that URI. If it was made so that 
consumers had to follow 301 REDIRECTs, then you would be forcing the 
consumer to make a second request for no reason other than to see if the 
server responds with a redirect.

Now, if it was made that openid.server is optional if an openid.delegate 
is present, (the consumer would use the openid.server specified at the 
delegated url) then something like this would be a little more feasible. 
As it stands right now, just make sure you have the full canonical url 
in your openid.delegate (you only have to set it once, anyway) or hope 
that eventually Livejournal will start asserting urls in the form of 
http://www.livejournal.com/users/username in addition to the trailing 
slash version. (not likely)

Daniel E. Renfer (http://kronkltd.net/)
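
The flow discussed in this thread, as an added example that is not part of the original message or of any OpenID library: a consumer reads openid.server and openid.delegate from the claimed page and passes the delegate to the server verbatim, so the slash and no-slash forms reach the server as two different identity strings. The host names, helper names and sample pages are constructed; the openid.mode, openid.identity and openid.return_to parameters are assumed from OpenID 1.x.

```python
# Added illustration; not code from the OpenID spec or any library.
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, parse_qs

class OpenIDLinkParser(HTMLParser):
    """Collect <link rel="openid.server"> and <link rel="openid.delegate"> hrefs."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            if rel in ("openid.server", "openid.delegate") and a.get("href"):
                self.links.setdefault(rel, a["href"])  # first occurrence wins

def build_checkid_url(claimed_url, page_html, return_to):
    """Build the checkid_setup redirect from the claimed page's link tags.
    The delegate is never fetched or normalized; it is passed through as-is."""
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link on claimed page")
    identity = parser.links.get("openid.delegate", claimed_url)
    params = {"openid.mode": "checkid_setup",
              "openid.identity": identity,
              "openid.return_to": return_to}
    sep = "&" if urlsplit(server).query else "?"
    return server + sep + urlencode(params)

def sent_identity(url):
    """Recover the identity string the server would receive."""
    return parse_qs(urlsplit(url).query)["openid.identity"][0]

# Constructed sample pages: same server, delegate with and without the slash.
PAGE = ('<html><head><link rel="openid.server" '
        'href="https://openid.example.org/server">'
        '<link rel="openid.delegate" href="{d}"></head></html>')
WITH_SLASH = PAGE.format(d="http://www.example.org/users/alice/")
WITHOUT_SLASH = PAGE.format(d="http://www.example.org/users/alice")

if __name__ == "__main__":
    for page in (WITH_SLASH, WITHOUT_SLASH):
        print(build_checkid_url("http://alice.example.net/", page,
                                "http://consumer.example.com/return"))
```
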

