brad at danga.com
Wed Sep 14 14:58:08 PDT 2005
URL canonicalization isn't an OpenID-specific issue.
But as a rule:
-- protocol matters.
-- case of domain doesn't.
-- you can remove :80 for http or :443 for https
-- add a slash if none exists
-- follow redirects until you reach a dead-end.
But any other difference you must treat as a new identity.
On Wed, 14 Sep 2005, Dan Libby wrote:
> Hi, in my database, I need to uniquely keep track of visitors that are
> logging in via remote OpenID servers. The best key available is their
> identity url. But that leaves me with a question about how exactly to
> canonicalize it, that the spec does not clearly address.
> The spec says:
> "Note that the user can leave off "http://" and the trailing "/". A
> consumer must canonicalize the URL, following redirects and noting the
> final URL. The final, canonicalized URL is the user's identity URL."
> Okay, so case-insensitivity is fairly obvious. I'm already lower-casing
> everything. But what about http vs https? For example, should
> "https://sally.people.com/" be treated as a separate identity from
> "http://sally.people.com/"? Or should the protocol be ignored?
> I suppose the issue can be broadened to: the spec is a bit vague about
> canonicalization of identity URLs. Can we get clarification?
> Dan Libby
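
Added example, not part of either message and not code from the OpenID project: the rules listed in the reply, written as Python. The `resolve_redirect` callback and the `REDIRECTS` map are hypothetical stand-ins for an HTTP client with automatic redirects disabled, and the hostnames are constructed; leaving userinfo, query and fragment untouched is an assumption that follows from treating any other difference as a new identity.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize(url):
    """Apply the syntactic rules only; no network access."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url              # spec: the user can leave off "http://"
    parts = urlsplit(url)
    scheme = parts.scheme                  # urlsplit already lower-cases the scheme
    if scheme not in DEFAULT_PORTS:
        raise ValueError("identity URL must be http or https")
    host = parts.hostname                  # lower-cased by urlsplit: domain case doesn't matter
    if not host:
        raise ValueError("identity URL has no host")
    if ":" in host:                        # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    port = parts.port                      # drop :80 for http and :443 for https only
    hostport = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    userinfo = parts.netloc.rpartition("@")[0]
    netloc = f"{userinfo}@{hostport}" if userinfo else hostport
    path = parts.path or "/"               # add a slash if none exists; path case is kept
    return urlunsplit((scheme, netloc, path, parts.query, parts.fragment))

def canonicalize(url, resolve_redirect, max_hops=10):
    """Follow redirects to a dead-end. resolve_redirect(url) returns the
    redirect target for url, or None when url does not redirect."""
    current = normalize(url)
    seen = {current}
    for _ in range(max_hops):
        target = resolve_redirect(current)
        if target is None:
            return current                 # dead-end: this is the identity key
        current = normalize(urljoin(current, target))
        if current in seen:
            raise ValueError("redirect loop")
        seen.add(current)
    raise ValueError("too many redirects")

# Constructed redirect table standing in for live HTTP responses.
REDIRECTS = {"http://sally.example.com/": "http://people.example.com/sally/"}

if __name__ == "__main__":
    for raw in ("Sally.Example.COM", "https://sally.example.com:443",
                "http://example.com/Sally", "http://example.com/sally"):
        print(raw, "->", canonicalize(raw, REDIRECTS.get))
```

Lower-casing the entire URL, rather than only the scheme and host, would merge `http://example.com/Sally` and `http://example.com/sally` into one database key even though the rules above make them separate identities.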