OpenID and changing URLs

Kevin Turner kevin at janrain.com
Wed Feb 8 01:58:05 UTC 2006


On Tue, 2006-02-07 at 19:44 +0000, Martin Atkins wrote:
> An issue came up on LiveJournal recently due to the mass-changing of
> everyone's URLs to a short form. It's become clear that OpenID's
> behavior in this condition is sub-optimal.

Perhaps this is the reason that using redirects to obtain a "normalized"
form of the user's ID has felt kinda funny to me.

> Is it safe/reasonable to specify that a permanent redirect can be used
> for this purpose? That is, require consumer sites to update their
> records to allow the new URL to operate in place of the old one somehow.

Implicitly changing authentication identifiers in your application
database based on what type of redirect code a web server decides to use
some day sounds like a bad idea to me.  It increases the demands on the
application, and anything that results in changes in the consumer's auth
database has the potential to open up new ways to attack the system that
I haven't thought through yet.


So, I still have to give some thought to your alternatives, but the
answer I feel best about so far is "don't do that."  If you are an
OpenID service provider, do not introduce changes to your service that
create an incompatible experience for your users.  I don't think that's
at all an unrealistic thing to ask of your service provider.

I know LiveJournal was under a great deal of pressure to make some
changes in a very short timeframe and they did it for the good of all
mankind, but really, sucks to break stuff.  Is there any way we can
patch it?  i.e. can the old URLs still return OpenID pages?  Maybe, with
some sort of JavaScript hack to redirect clients that aren't OpenID
consumers to the new user page, but that definitely has trade-offs of its
own.  (i.e. it's probably slower for the users, you just broke all the
spiders, etc.)

This brings us back to the issue that came up with Jens's question a few
weeks back.  Separation of concerns is good systems practice; maybe it
is better not to have your identity information at the same URL as your
blog portal with its dynamically generated hyperspace-aggregated
interactively-themed content.  That way you can fix your blog without
breaking all your authentication schemes.

> The wanted result is that somehow the user should be able to indicate
> to consuming sites that his identity URL has changed but he is still
> the same person.

This is an issue that I hope all designers of consumer applications
think about: Your users may want to change their OpenID without changing
their account.  OpenID does provide a handy layer of indirection with
"openid.delegate" (and YADIS lets you define fallback servers, which is
even better) but there are still cases they don't cover.  We can put
more magic meaning in redirect codes to handle this case, but there are
others.  And I think it is going to come down to the application to
handle that.

Cheers,

 - Kevin
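
Added example, not part of the original message: one way a consumer application can keep the identity URL separate from the account, so that a permanent redirect is only recorded as a hint and a URL change happens through an explicit, authenticated re-link. The class, its method names and the example.com URLs are hypothetical, and OpenID verification of each URL is assumed to have succeeded before these methods are called.

```python
class ConsumerAccounts:
    """Consumer-side store: identity URLs map to a stable account id (hypothetical design)."""

    def __init__(self):
        self._by_identifier = {}   # verified identity URL -> account id
        self._next_id = 1
        self.redirect_hints = []   # (old_url, new_url) pairs seen as HTTP 301

    def register(self, verified_url):
        """Create an account for an identity URL that just passed verification."""
        if verified_url in self._by_identifier:
            raise ValueError("identifier already linked")
        account_id = self._next_id
        self._next_id += 1
        self._by_identifier[verified_url] = account_id
        return account_id

    def login(self, verified_url):
        """Return the account for a verified identity URL, or None if unknown."""
        return self._by_identifier.get(verified_url)

    def note_permanent_redirect(self, old_url, new_url):
        """Record a 301 as a hint for the UI; the auth mapping is not touched."""
        self.redirect_hints.append((old_url, new_url))

    def link_identifier(self, session_account_id, new_verified_url):
        """Attach another identity URL to the account of the current session.

        The caller passes the account id from the authenticated session and a
        URL that passed a fresh verification in that same session."""
        if session_account_id not in self._by_identifier.values():
            raise KeyError("no such account")
        owner = self._by_identifier.get(new_verified_url)
        if owner is not None and owner != session_account_id:
            raise PermissionError("identifier belongs to another account")
        self._by_identifier[new_verified_url] = session_account_id

    def unlink_identifier(self, session_account_id, url):
        """Remove an identity URL, refusing to drop the account's last one."""
        if self._by_identifier.get(url) != session_account_id:
            raise PermissionError("identifier not linked to this account")
        linked = [u for u, a in self._by_identifier.items()
                  if a == session_account_id]
        if len(linked) == 1:
            raise ValueError("cannot remove the only identifier")
        del self._by_identifier[url]
```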




More information about the yadis mailing list