URL canonicalization

Dan Libby danda at videntity.org
Wed Sep 14 19:04:30 PDT 2005


Hi Zefiro.

Zefiro wrote:

>Hi, List
>
>>It is NOT clear whether the claimed identity, the canonical identity URL,
>>or the delegate identity URL should be considered by consumers to be the
>>unique individual.  I'd argue for claimed identity, but others may
>>disagree.
>
>I second this. Claimed identity is what the user uses for login, and can choose to use, and probably has chosen on purpose.
>
I'm not so sure.  See below.

>We discussed already how the logged in users should be displayed, and apart from possible self-choosable additional username
>and avatar, the OpenID-Identity-URL must be shown. There also I'd like to see the claimed identity, just the way I entered it in
>the login field. (when a link is used for the identity, the href may or should point to the canonical URL - at least the
>protocol is necessary)
>
>Since this is an issue many projects will face, I'd recommend adding it to the spec:
>a) to display the OpenID identity exactly as typed in by the user (perhaps even including given case of domain names)
>b) to use exactly this as identification ('primary key') in the database
>
It seems cleaner to me to use the canonical identity as primary key.
That way, you allow the user to enter eg:
"http://sally.people.com/" the first time and then just
"sally.people.com" the second time, and they both point to the same record.

You could still display ( or even store ) whatever the user entered as a
"pretty" identifier.

>c) to allow consumers to handle cases where a canonicalisation of a known identity and the claimed identity would be equal, but
>the noncanonical version isn't, to propose the user the known version as suggestion
>
Seems like a redundant step ( from the user's viewpoint ).

>d) to encourage consumers who use the OpenID identity for their own profile management (e.g. the first login automatically
>creates a local user, for local settings etc) to support changing or adding multiple identities to the same profile. (of course
>only if the users can provide a successful claim for both identities)
>
While nice, this seems optional, and outside the scope of the spec.

>PS: it could be sensible to put a warning sign for consumers in the spec that the OpenID identity is user-entered data and may
>contain escape codes (sql/html injection) and should be treated with some care. This should be repeated in the documentation of
>OpenID-libraries, since it affects the whole client code.
>
I second that.

>*purrrrrr*



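The two points above that carry a concrete technique are Dan's proposal to key accounts on the canonical identity while keeping the typed form only for display, and Zefiro's PS that the identity is user-entered data and must be handled as such. The following is an added example written for this archive page, not code from either poster or from any OpenID library. Its canonicalization rules (default to `http://`, lowercase scheme and host, drop a default port, turn an empty path into `/`, discard the fragment) are this example's own assumptions, not a quotation of the spec; the table layout and the `AccountStore` name are likewise made up here.

```python
"""Canonical-key account store for user-typed OpenID identities (added example).

Assumed canonicalization rules (not taken from the spec or the thread):
  * no scheme           -> prefix "http://"
  * scheme and host     -> lowercase
  * default port        -> dropped (80 for http, 443 for https)
  * empty path          -> "/"
  * fragment            -> dropped (never reaches the server)
"""
from __future__ import annotations

import html
import sqlite3
from urllib.parse import urlsplit, urlunsplit


def canonicalize_identity(raw: str) -> str:
    """Return the canonical identity URL for a user-typed identifier."""
    s = raw.strip()
    if not s:
        raise ValueError("empty identity")
    # Users commonly omit the scheme ("sally.people.com"); assume http://.
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)  # urlsplit lowercases the scheme and .hostname
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    # .hostname already excludes userinfo and port; .port raises on junk.
    port = parts.port
    default_port = 80 if parts.scheme == "http" else 443
    netloc = parts.hostname if port in (None, default_port) \
        else f"{parts.hostname}:{port}"
    path = parts.path or "/"
    return urlunsplit((parts.scheme, netloc, path, parts.query, ""))


class AccountStore:
    """Accounts keyed on the canonical identity; the typed form is display-only."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")  # constructed sample database
        self.db.execute(
            "CREATE TABLE accounts (canonical TEXT PRIMARY KEY, display TEXT NOT NULL)"
        )

    def login(self, typed: str) -> tuple[str, bool]:
        """Find or create the account for a typed identity; return (canonical, created)."""
        canonical = canonicalize_identity(typed)
        # The identity is user-entered data: bind it as a parameter, never
        # concatenate it into the SQL text.
        row = self.db.execute(
            "SELECT display FROM accounts WHERE canonical = ?", (canonical,)
        ).fetchone()
        if row is not None:
            return canonical, False
        self.db.execute(
            "INSERT INTO accounts (canonical, display) VALUES (?, ?)",
            (canonical, typed.strip()),
        )
        self.db.commit()
        return canonical, True

    def display_html(self, canonical: str) -> str:
        """Render the 'pretty' typed form as a link, escaped for HTML context."""
        (display,) = self.db.execute(
            "SELECT display FROM accounts WHERE canonical = ?", (canonical,)
        ).fetchone()
        href = html.escape(canonical, quote=True)
        return f'<a href="{href}">{html.escape(display)}</a>'


def demo() -> list[tuple[str, bool]]:
    """Log in four spellings of the same identity; only the first creates a row."""
    store = AccountStore()
    typed_forms = [  # constructed sample input
        "http://sally.people.com/",
        "sally.people.com",
        "HTTP://Sally.People.COM:80",
        "sally.people.com/#top",
    ]
    return [store.login(t) for t in typed_forms]


if __name__ == "__main__":
    for canonical, created in demo():
        print(canonical, "created" if created else "existing")
```

The first spelling creates the row and the other three resolve to it, which is the behaviour Dan describes; what the user typed is kept only in the `display` column and is escaped on output, and every query binds the identity as a parameter, which is the care Zefiro's PS asks for.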