Should I store the connection scheme, http or https, for an OpenID when someone logs in to my web site? Or just what comes afterward: http://pupeno.com or pupeno.com?

+4  A: 

In OpenID, the person logging in is claiming a URI. As such, you should store the entire claimed URI, scheme and all.

(https://joeuser.example.com/ might be an entirely different page from http://joeuser.example.com/, for example.)

Edit: per question in comments: how to handle partial URLs:

For partial URLs, like example.com instead of http://example.com, there is an OpenID standard URI normalisation which must be performed on (all) user input before authentication.

This is based on Section 6 of RFC 3986 for commonality with other systems.

Some examples are in Appendix A1 of the OpenID 2.0 spec.

Stobor
In addition, you must consider the entire URI (except for the scheme and host name) as case *sensitive*. For example http://a.com/b must be considered totally different from http://a.com/B. Since scheme and host name are case INsensitive, I recommend you just ToLower those parts before storing or comparing OpenIDs so you can be case-sensitive across the whole string.
Andrew Arnott
What do I do with users who, like me, only type "pupeno.com"? Do I just add http:// in front of it?
J. Pablo Fernández
A: 

You should note that XRIs which start with an = or @ symbol are valid OpenID identifiers (they can also be embedded within a proxy server, i.e. http://xri.net/=example). In that case you should store the i-number or canonical URI.
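
The normalisation discussed in this thread, as an added Python example (not code from any of the posters or from an OpenID library): it prefixes `http://` when the scheme is missing, lowercases only the scheme and host, keeps the path case-sensitive, and sets XRIs aside for separate resolution. The names `normalize_identifier`, `XRI_GLOBAL_CONTEXT` and `DEFAULT_PORTS` are hypothetical, and the input is assumed to contain no dot-segments, userinfo or percent-encoded characters needing further RFC 3986 normalisation.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols from OpenID 2.0 section 7.2
XRI_GLOBAL_CONTEXT = ("=", "@", "+", "$", "!")
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input):
    """Return (kind, identifier); kind is "xri" or "url".

    The "url" result is the string to run discovery on and, after
    authentication, to compare against the stored claimed identifier.
    """
    ident = user_input.strip()
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident.startswith(XRI_GLOBAL_CONTEXT) or ident.startswith("("):
        # XRIs are resolved separately; store the i-number / canonical
        # identifier that resolution returns, not this raw input.
        return "xri", ident

    # Partial input such as "pupeno.com" is treated as an http URL.
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident

    parts = urlsplit(ident)
    scheme = parts.scheme.lower()        # scheme is case-insensitive
    host = parts.hostname                # urlsplit lowercases the host
    if not host:
        raise ValueError("identifier has no host: %r" % user_input)
    if ":" in host:                      # IPv6 literal: restore brackets
        host = "[%s]" % host
    port = parts.port
    if port is not None and port != DEFAULT_PORTS[scheme]:
        host = "%s:%d" % (host, port)    # keep only non-default ports
    path = parts.path or "/"             # empty path becomes "/"

    # Path and query stay byte-for-byte (case-sensitive); fragment dropped.
    return "url", urlunsplit((scheme, host, path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs
    for raw in ("pupeno.com", "https://pupeno.com", "HTTP://A.com/B",
                "http://a.com/b", "xri://=example"):
        print(raw, "->", normalize_identifier(raw))
```

The http and https results for the same host differ, so they are stored and matched as two distinct identities.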
