Anas M. Nebuchadnezzar XXXVII
Duck at kronkltd.net
Mon Oct 17 14:36:07 PDT 2005
> Hi, Chris
>> NOTE: The consumer SHOULD append a trailing slash if appropriate, and
>> if the login fails without the slash appended. Note also that a server
>> SHOULD NOT recognize two identity URLs that differ only by a trailing
> please note that IRIs with and without trailing slash (with non-empty paths) are indeed different. Most servers are configured
> to accept requests with a missing trailing slash and silently 301 REDIRECT you to the correct IRI.
> I am a bit lost concerning empty path arguments. If I try to
>> telnet proxy.example.com 3128
>> HEAD HTTP/1.1
>> host: www.livejournal.com
> I get an error. I wouldn't know how to even ask for an empty path if I were a user agent. But I assume I'd also get a 301 REDIRECT.
> So if you want to change something then add to the spec that the delegate URI (is OpenID IRI-capable?) will not be processed by
> the consumer, but 301 REDIRECTs will be followed. Which I think would be sensible to do IF it were a thing for the consumer to
> But as I understand it, it is not. Instead, the delegate URI is taken as-is and the OpenID-server is asked whether the user in
> question owns this URI. I'm not sure if it should be up to the client, to the server or to none of them to check for redirects
> on the delegate URI. To my understanding of the current specs the delegate URI does not even have to exist or belong to the user
> or anyone at all. All that's required is that the claimed identity uses this as a token to give to the OpenID-server, which then
> does whatever he wants with it (usually checking if he can confirm a relationship between the user and the URI).
The only problem with this is, the consumer has no need to pull up
that delegate url. The consumer just sends the value
of openid.delegate to the location specified in openid.server. Correct
me if I'm wrong, but I believe that the url specified in openid.delegate
need not necessarily resolve to a valid page so long as the server is
capable of asserting an identity for that URI. If it was made so that
consumers had to follow 301 REDIRECTs, then you would be forcing the
consumer to make a second request for no reason other than to see if the
server responds with a redirect.
Now, if it was made that openid.server is optional if an openid.delegate
is present, (the consumer would use the openid.server specified at the
delegated url) then something like this would be a little more feasible.
As it stands right now, just make sure you have the full canonical url
in your openid.delegate (you only have to set it once, anyway) or hope
that eventually Livejournal will start asserting urls in the form of
http://www.livejournal.com/users/username in addition to the trailing
slash version. (not likely)
Daniel E. Renfer (http://kronkltd.net/)
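
The behaviour discussed in this message, as an added example that is not part of the original post: a consumer reads the `openid.server` and `openid.delegate` links from the claimed identity page and passes the delegate value to the server unchanged, so the two trailing-slash variants are distinct identities. It assumes OpenID 1.x link discovery and `checkid_setup` parameters; the hosts `server.example`, `consumer.example` and `example.org` and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample of the page served at the claimed identity URL.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="http://server.example/openid">
<link rel="openid.delegate" href="http://www.livejournal.com/users/username/">
</head><body>home page</body></html>"""


class LinkParser(HTMLParser):
    """Collect the first openid.server / openid.delegate <link> hrefs."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate"):
                    self.links.setdefault(rel, a["href"])


def discover(html):
    """Return (server, delegate-or-None) from the identity page markup."""
    parser = LinkParser()
    parser.feed(html)
    if "openid.server" not in parser.links:
        raise ValueError("no openid.server link: not an OpenID identity page")
    return parser.links["openid.server"], parser.links.get("openid.delegate")


def checkid_url(claimed, html, return_to):
    """Build the checkid_setup redirect URL.

    The delegate is used byte-for-byte: it is never fetched, so no 301 is
    followed, and no trailing slash is added or removed.
    """
    server, delegate = discover(html)
    params = {"openid.mode": "checkid_setup",
              "openid.identity": delegate or claimed,
              "openid.return_to": return_to}
    sep = "&" if urlsplit(server).query else "?"
    return server + sep + urlencode(params)


def asserted_identity(url):
    """Extract the identity the server will be asked to assert."""
    return parse_qs(urlsplit(url).query)["openid.identity"][0]
```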