Hello everybody. I just noticed that stackoverflow had problems with my OpenID delegate and I noticed that this was caused by my website not using a <html> and <head> section.

Now even though this is valid HTML the question is if it's valid for OpenID delegate lookups. The official stuff I was able to find on the website just talks about “the head section” of the HTML document, which however by HTML4/5 standards is implicit.

I'm now interested if the bug is in the way I declared the delegate or the stackoverflow OpenID implementation.

The not working version:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<title>Index &raquo; Armin Ronacher</title>
<link rel="openid.server" href="http://www.myopenid.com/server">
<link rel="openid.delegate" href="http://mitsuhiko.myopenid.com/">
<meta content="Zine" name="generator">
<!-- more link/meta stuff here -->

<!-- page contents here -->
<div class="header">

The working version:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<title>Index &raquo; Armin Ronacher</title>
<link rel="openid.server" href="http://www.myopenid.com/server">
<link rel="openid.delegate" href="http://mitsuhiko.myopenid.com/">
<meta content="Zine" name="generator">
<!-- more link/meta stuff here -->
</head>

<!-- page contents here -->
<div class="header">

<!-- at the very end of the page -->
</html>

A: 

I was able to find on the website just talks about “the head section” of the HTML document, which however by HTML4/5 standards is implicit.

Where did you find this? I searched through the standards and didn't find any mention of the "head section" (it talks about the "head element"); the closest I came on a broader search was that most implementations are lax in requiring an explicit <html> and <head>, but this was presented more as a case of magnanimously accepting non-compliant documents than as a part of the standard.

MarkusQ
The reference I found: http://openid.net/specs/openid-authentication-1_1.html#anchor4
Armin Ronacher
+1  A: 

I think it is assumed that an HTML page should have a HEAD tag. Most do, even if it's not strictly required by some standards.

However, the OpenID standard seems to require its tags to be placed in the HEAD tag. Do other sites detect your OpenID when it's not in HEAD?

Greg
+1  A: 

The bug is in your HTML page that declares the delegate. The HTML and HEAD tags are required to be around the delegate tag for a very good security reason. If this were not required, then many web pages like wikis and blog pages could be hijacked for their identity merely by leaving a comment that included a specially crafted tag.

The "head section" referred to by OpenID is indeed the HEAD tag in an HTML page. Although I haven't read the entire beefy thing, I'd be drop-dead surprised if the HTML spec itself didn't mandate a surrounding HTML tag, and that all META tags must be within a HEAD tag. In my opinion, the OpenID spec doesn't go into detail about all the HTML requirements because it's a spec about OpenID and not HTML, but "head section" is a reference to the HTML spec, just as it references many other specs.

In conclusion, I believe StackOverflow.com is doing the right thing.

Andrew Arnott
As I said. The HTML spec does not require it. You can check it yourself with a validator. The head section is implicit. It basically means that a <link> / <meta> tag can only appear inside <head> and thus it's considered part of a <head> tag even if not mentioned.
Armin Ronacher
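
An added example (not from any poster in this thread, and not Stack Overflow's or any OpenID library's code): a relying-party-side discovery sketch in Python that accepts `openid.server` / `openid.delegate` links only from the head section, under either the explicit-`<head>` policy or the implicit-head reading debated above. `HeadLinkParser`, `discover`, the `HEAD_TAGS` list and `attacker.example` are assumptions of this example; text nodes are ignored, which simplifies the real HTML parsing rules.

```python
from html.parser import HTMLParser

# Tags that can occur before the head section ends (simplified, assumed list).
HEAD_TAGS = {"html", "head", "title", "link", "meta", "base", "style", "script"}
OPENID_RELS = {"openid.server", "openid.delegate"}

class HeadLinkParser(HTMLParser):
    """Collect OpenID <link> tags from the head section only."""
    def __init__(self, explicit_head):
        super().__init__()
        self.in_head = not explicit_head  # implicit policy: head open from the start
        self.closed = False               # once the head has ended it never reopens
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if self.closed:
            return
        if tag == "head":
            self.in_head = True
        elif tag not in HEAD_TAGS:        # first body-level tag ends the head
            self.in_head, self.closed = False, True
        elif tag == "link" and self.in_head:
            attrs = dict(attrs)
            for rel in (attrs.get("rel") or "").lower().split():
                if rel in OPENID_RELS and attrs.get("href"):
                    self.found.setdefault(rel, attrs["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head, self.closed = False, True

def discover(html, explicit_head=True):
    """Return {rel: href} for OpenID links the chosen policy accepts."""
    parser = HeadLinkParser(explicit_head)
    parser.feed(html)
    parser.close()
    return parser.found

# The question's two pages, shortened, plus a constructed page whose body
# carries a visitor comment containing a delegate tag (attacker.example is made up).
LINKS = ('<link rel="openid.server" href="http://www.myopenid.com/server">'
         '<link rel="openid.delegate" href="http://mitsuhiko.myopenid.com/">')
NO_HEAD = "<title>Index</title>" + LINKS + '<div class="header">'
WITH_HEAD = "<html><head><title>Index</title>" + LINKS + "</head><div></div></html>"
COMMENTED = ('<title>Blog</title><div class="comment">'
             '<link rel="openid.delegate" href="http://attacker.example/"></div>')

if __name__ == "__main__":
    for name, page in [("no head", NO_HEAD), ("head", WITH_HEAD), ("comment", COMMENTED)]:
        print(name, discover(page, True), discover(page, False))
```

Under both policies the delegate tag inside the comment `<div>` is rejected, because the head ends at the first body-level tag; only the question's head-less page is treated differently by the two policies.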
A: 

I found this solution on getopenid.com:

"If you have a blog or homepage you'd like to use as your OpenID, you don't have to set up a server! Just copy the following into the head part of your HTML or XHTML, and use that URL.

<link rel="openid.server" href="http://getopenid.com/action/authenticate/">
<link rel="openid.delegate" href="http://getopenid.com/YOURIDENTITY/">

Note that you cannot use secure signons with this URL unless you have your own SSL server. Sites will also see you as a different person than when you directly use your identity from GetOpenID.com."

I think you have to replace getopenid.com with your OpenID provider and YOURIDENTITY with your OpenID identity.

Irina C
While there's technically nothing wrong in what you say, you fail to realize that www.myopenid.com/server is his OpenID provider and mitsuhiko.myopenid.com is his OpenID identity. That is because MyOpenID uses a YOURIDENTITY.myopenid.com format for the OpenID identities.
DJ Pirtu