When are and aren't two URLs the same? (ports)

Martin Atkins mart at degeneration.co.uk
Wed Apr 19 18:06:44 UTC 2006


Thomas Broyer wrote:
>  - an Identity Provider must always return/show/tell the same identity
> URI. I.e. in an OpenID context, there should always be an
> openid.delegate, even if it's "a priori" equivalent to the document
> URI.

Including openid.delegate doesn't really change much as far as URL
normalization goes. A conforming relying party must use the entered URL,
not the delegate URL, as the user's "primary key".

This is by design. Otherwise when I log in as
http://mart.degeneration.co.uk/ I'd end up being shown as my TypeKey
identity, thus defeating entirely the purpose of delegation.

The next logical thing is to specify a second "canonical URL" somewhere,
but then we just move this URL identity problem elsewhere. If the user
enters frank.livejournal.com and the returned document says the
canonical URL is http://exampleusername.livejournal.com/ the relying
party must detect this, which involves yet another game of "what are two
URLs the same?"

OpenID's mechanism for non-trivial URL normalization is redirection. If
the user enters whatever.com/user and the server responds with a
redirect to http://whatever.com/user/ then it is this URL that the
server must use, assuming that OpenID auth for the new URL succeeds.

> Now, how about IRIs?
> Is http://www.atemschutzunfälle.de/ equivalent to
> http://www.xn--atemschutzunflle-7nb.de/ ?
> 

The former must be transformed into the latter in order to request it
anyway, so I think it's safe to say that this case comes into the same
category as the adding of http:// to the start.



More information about the yadis mailing list