OpenID and changing URLs
mart at degeneration.co.uk
Tue Feb 7 19:44:05 UTC 2006

An issue came up on LiveJournal recently due to the mass-changing of
everyone's URLs to a short form. It's become clear that OpenID's
behavior in this condition is sub-optimal.

I'm not sure at this point whether what we have here is a spec
deficiency or just poor implementations, but either way here's what I
believe to be something resembling "ideal" behavior:

* When a user logs in with a URL that returns a temporary redirect,
  follow the redirect but then authenticate the user as the entered URL.
  The user should be able to continue to log in with the old URL while
  retaining the same on-site identity, but entering the new URL directly
  will create a new identity.

Now, what about the permanent redirect case? The wanted result is that
somehow the user should be able to indicate to consuming sites that his
identity URL has changed but he is still the same person.

Is it safe/reasonable to specify that a permanent redirect can be used
for this purpose? That is, require consumer sites to update their
records to allow the new URL to operate in place of the old one somehow.
Also, does this "somehow" involve aliasing so that both continue to work
or simply renaming so that the old URL no longer works?

What happens in the case where two distinct identities "merge" with a

This issue also applies to YADIS when used for authentication, I think.
Not sure what the ramifications are for YADIS used for other purposes,
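
The temporary-redirect rule proposed in the message above, as an added sketch that is not part of the original post or of any OpenID library: the account key stays the entered URL while the document is fetched from wherever the redirects lead. The `responses` table is constructed sample data standing in for HTTP, and reporting a `moved_to` candidate only for a leading run of permanent redirects is an assumption, since the post leaves the permanent case open.

```python
from dataclasses import dataclass
from typing import Optional

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}

# Constructed sample data: URL -> (status, Location header or None).
SAMPLE = {
    "http://old.example/users/alice/": (302, "http://alice.example/"),
    "http://alice.example/": (200, None),
    "http://old.example/users/bob/": (301, "http://bob.example/"),
    "http://bob.example/": (200, None),
    "http://old.example/users/carol/": (302, "http://tmp.example/carol"),
    "http://tmp.example/carol": (301, "http://carol.example/"),
    "http://carol.example/": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}

@dataclass
class Resolution:
    identity: str            # account key on the consumer: always the entered URL
    fetch_url: str           # where the identity document was finally served
    moved_to: Optional[str]  # candidate new URL (assumed policy), else None

class RedirectError(Exception):
    """Raised when the chain cannot be followed safely."""

def resolve(entered, responses=SAMPLE, max_hops=5):
    """Follow redirects from `entered` without changing the identity key."""
    url, seen = entered, {entered}
    moved_to, leading_permanent = None, True
    for _ in range(max_hops):
        status, location = responses.get(url, (404, None))
        if status == 200:
            return Resolution(entered, url, moved_to)
        if status not in PERMANENT | TEMPORARY or not location:
            raise RedirectError(f"cannot resolve {url}: HTTP {status}")
        if location in seen:
            raise RedirectError(f"redirect loop at {location}")
        # Assumption: a permanent hop counts as a "moved" signal only while
        # every earlier hop was permanent too; a temporary hop ends that.
        if status in PERMANENT and leading_permanent:
            moved_to = location
        else:
            leading_permanent = False
        seen.add(location)
        url = location
    raise RedirectError("too many redirects")
```

Whether a consumer aliases or renames the account when `moved_to` is set is the question the message leaves open; the sketch only surfaces the signal and never rewrites `identity`.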