Should I distinguish OpenIDs based on protocol pre

2020-07-17 04:53发布

I have implemented a straightforward OpenID support for my ASP.NET app with DotNetOpenAuth. Yet I recently realized that the implementation was treating http://johndoe.example.com/ as a distinct user compared to https://johndoe.example.com.

This lead to quite a few confused users. I am unsure what to do at this point. Is this a bug or a feature?

Indeed, I can consider this behavior as a feature: if the user specifies the HTTPS, the user might not want the system to accept HTTP auth in the first place.

On the other hand: if the user specifies HTTPS out of sheer cluelessness (the casual web visitor is clueless concerning the purpose of the "S" part), then rejecting it's authentication attempt is confusing.

What is considered as the best practice?

2条回答
兄弟一词,经得起流年.
2楼-- · 2020-07-17 05:32

Theoretically http and https identities could be different. Practically (as implemented by the providers in the real world) they shouldn't be.

StackOverflow does not differentiate between http://abdullin.myopenid.com and https://abdullin.myopenid.com, so the solution should probably work for the 99% scenarios.

查看更多
我想做一个坏孩纸
3楼-- · 2020-07-17 05:33

Yes - they are completely different and should be treated as so.

The recommendations to OP's is to always use https but that isn't always the case (just now).

查看更多
登录 后发表回答