Draft-029
From Yadis
Motivation
If a Relying Party receives a URL1 character string as a claimed identity, but the verified identity is URL2, under which circumstances should the Relying Party accept URL2 as equivalent to URL1?
Examples:
- Do http://example.com/joe and http://example.com/joe/ refer to the same identity?
- Do http://example.com/joe and http://example.com:80/joe refer to the same identity?
- Do http://example.com/joe and https://example.com/joe refer to the same identity?
Different Yadis / OpenID / LID implementations have made different assumptions about some of these cases, which has already caused some interoperability problems (informally resolved since). The objective of this proposal is to clarify the rules.
This is not a change proposal for the Yadis 1.0 specification. Instead, we should consider it a separate proposal that may or may not be incorporated into a Yadis 1.1 spec in the future, if there will be such a thing.
I also realize that some provisions in this proposal may be controversial. If so, the Discussion page is your friend ;-)
Algorithm
To determine whether or not URL1 and URL2 refer to the same identity, URL1 and URL2 are run through the following canonicalization algorithm. If and only if canon(URL1) and canon(URL2) are identical character strings, a relying party is allowed to consider them the same identity.
This algorithm only covers URLs with fully-qualified domain names in the host component; identity URLs whose host components are not fully-qualified are generally discouraged, and out of scope for this algorithm. Also, identity URLs with more than one query parameter (e.g. http://example.com/foo?a=b&c=d) are strongly discouraged and out of scope for this algorithm.
- if the URL is internationalized (i.e. an IRI), replace it with its URI form. E.g. http://www.atemschutzunfälle.de/ becomes http://www.xn--atemschutzunflle-7nb.de/
- if the protocol is https, replace the protocol with http.
- a URL that specifies port 80 or 443 (e.g. http://example.com:80/joe) will be converted to a URL that does not specify a port (e.g. http://example.com/joe).
- all characters in the host component are converted to lower case.
- all components of the path must be unescaped to the maximum extent possible, provided that no substring is unescaped more than once. For example, if a URL contained %41 as a character, this character needs to be replaced by its unescaped version A. However, if a URL contained %2541, it needs to be replaced by %41, NOT by A. Similarly, if a URL contained %20, for the purposes of comparison this character needs to be replaced by a space. If the URL's query component contains a +, it needs to be replaced by a space.
- any trailing slash is discarded. For example, the URL http://example.com/joe/ would be replaced by http://example.com/joe. This conversion is performed even for URLs that refer to the top resource on a host (e.g. http://example.com). Note that this is only for comparison purposes.
If at the end of this algorithm, the resulting character strings are identical, the two URLs are identical for Yadis purposes.
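The steps above as a runnable sketch (an added example, not part of the Yadis draft or any Yadis library). The name `canon` comes from the text; `same_identity`, the rejection of userinfo and fragments, removing exactly one trailing slash, and leaving percent-escapes in the query untouched are assumptions made where the draft is silent.

```python
from urllib.parse import urlsplit, unquote


def canon(url: str) -> str:
    """Return the comparison string for an identity URL, following the steps above."""
    parts = urlsplit(url.strip())
    host = parts.hostname  # urlsplit lower-cases the host (lower-case step)
    if parts.scheme.lower() not in ("http", "https") or not host or "." not in host:
        # "." in host is a rough stand-in for "fully-qualified" (assumption)
        raise ValueError("out of scope: need http(s) and a fully-qualified host")
    if "&" in parts.query:
        raise ValueError("out of scope: more than one query parameter")
    # Assumption: the draft does not mention userinfo or fragments, so fail closed.
    if parts.username is not None or parts.fragment:
        raise ValueError("userinfo and fragments are not covered by the algorithm")

    # IRI -> URI: internationalized host labels become their xn-- form.
    host = host.encode("idna").decode("ascii")
    # https is folded to http, and ports 80 and 443 are dropped.
    netloc = host if parts.port in (None, 80, 443) else f"{host}:{parts.port}"
    # Unescape the path exactly once: %2541 -> %41, never A.
    # errors="strict" rejects invalid UTF-8 instead of mapping it to U+FFFD,
    # which would make distinct URLs compare equal.
    path = unquote(parts.path, errors="strict")
    # Query: only "+" -> space is specified; escapes are left as they are.
    query = parts.query.replace("+", " ")
    # Discard one trailing slash, including the root "/" (comparison only).
    if path.endswith("/"):
        path = path[:-1]
    return f"http://{netloc}{path}" + (f"?{query}" if query else "")


def same_identity(url1: str, url2: str) -> bool:
    """True only if both URLs canonicalize to the identical string."""
    return canon(url1) == canon(url2)


if __name__ == "__main__":
    # Constructed sample pairs, taken from the questions in the Motivation section.
    for a, b in [
        ("http://example.com/joe", "http://example.com/joe/"),
        ("http://example.com/joe", "http://example.com:80/joe"),
        ("http://example.com/joe", "https://example.com/joe"),
        ("http://example.com/joe", "http://example.com:8080/joe"),
    ]:
        print(a, b, same_identity(a, b))
```

The returned string is a comparison key only and should not be dereferenced or shown to users in place of the original URL.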
Protocols that use the Yadis framework may assume additional equality rules. For example, a protocol may consider http://xri.net/=Example to be equivalent to http://xri.example.net/=Example for its own purposes, even if Yadis considers these two URLs to be different.