URL canonicalization

Zefiro work at zefiro.de
Wed Sep 14 17:20:28 PDT 2005


Hi, List

> It is NOT clear whether the claimed identity, the canonical identity URL,
> or the delegate identity URL should be considered by consumers to be the
> unique individual.  I'd argue for claimed identity, but others may
> disagree.
I second this. Claimed identity is what the user uses for login, and can choose to use, and probably has chosen on purpose.

We discussed already how the logged in users should be displayed, and apart from possible self-choosable additional username
and avatar, the OpenID-Identity-URL must be shown. There also I'd like to see the claimed identity, just the way I entered it in
the login field. (when a link is used for the identity, the href may or should point to the canonical URL - at least the
protocol is necessary)

Since this is an issue many projects will face, I'd recommend adding it to the spec:
a) to display the OpenID identity exactly as typed in by the user (perhaps even including given case of domain names)
b) to use exactly this as identification ('primary key') in the database
c) to allow consumers to handle cases where a canonicalisation of a known identity and the claimed identity would be equal, but
the noncanonical version isn't, to propose the user the known version as suggestion
d) to encourage consumers who use the OpenID identity for their own profile management (e.g. the first login automatically
creates a local user, for local settings etc) to support changing or adding multiple identities to the same profile. (of course
only if the users can provide a successful claim for both identities)


I think it's more worthy to allow users to have different identities with slight variations of their URL and to avoid the hassle
when the consumer's concept of what two URLs are identical is not shared by the server who these identities point to, than to
handle cases of users not able to type in their identity the same every time by mistake or lack of concentration.


PS: it could be sensible to put a warning sign for consumers in the spec that the OpenID identity is user-entered data and may
contain escape codes (SQL/HTML injection) and should be treated with some care. This should be repeated in the documentation of
OpenID-libraries, since it affects the whole client code.

*purrrrrr*
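
Added example, not part of the original message or of any OpenID library: a consumer-side sketch of points a) to d) and the PS, storing the claimed identity verbatim as the key through bound SQL parameters, suggesting a known identity when only the canonical forms match, and HTML-escaping on display. The `canonical()` rules, the table layout, and all function names are assumptions made for illustration.

```python
import html
import sqlite3
from urllib.parse import urlsplit

def canonical(url):
    # Assumed canonical form (not taken from the spec): default scheme http,
    # lowercase host, empty path becomes "/". Anything else raises ValueError.
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("identity must be an http(s) URL")
    host = f"[{p.hostname}]" if ":" in p.hostname else p.hostname
    host += f":{p.port}" if p.port else ""
    query = "?" + p.query if p.query else ""
    return f"{p.scheme}://{host}{p.path or '/'}{query}"

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE identity (claimed TEXT PRIMARY KEY,"
               " canon TEXT NOT NULL, profile_id INTEGER NOT NULL)")
    return db

def register(db, claimed, profile_id):
    # (b) the key is the identity exactly as typed, case included.
    # (d) several identities may point at the same profile_id.
    # PS: values are bound as parameters, never spliced into the SQL text.
    db.execute("INSERT INTO identity VALUES (?, ?, ?)",
               (claimed, canonical(claimed), profile_id))

def lookup(db, claimed):
    """Return (profile_id, suggestion); only an exact match logs in."""
    row = db.execute("SELECT profile_id FROM identity WHERE claimed = ?",
                     (claimed,)).fetchone()
    if row:
        return row[0], None
    # (c) same canonical form as a known identity: suggest it, do not merge.
    row = db.execute("SELECT claimed FROM identity WHERE canon = ?"
                     " ORDER BY claimed LIMIT 1",
                     (canonical(claimed),)).fetchone()
    return None, (row[0] if row else None)

def render(claimed):
    # (a) show the identity as typed; the href carries the canonical URL
    # with its protocol. Both are escaped because both are user input.
    return '<a href="{}">{}</a>'.format(
        html.escape(canonical(claimed), quote=True), html.escape(claimed))
```

The scheme check in `canonical()` also keeps non-HTTP schemes such as `javascript:` out of the generated `href`.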


