{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 傲 的问题《Should I distinguish OpenIDs based on protocol pre》','https://www.manongdao.com/q-1361685.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have implemented a straightforward OpenID support for my ASP.NET app with DotNetOpenAuth. Yet I recently realized that the implementation was treating http://johndoe.example.com/ as a distinct user compared to https://johndoe.example.com.
This lead to quite a few confused users. I am unsure what to do at this point. Is this a bug or a feature?
Indeed, I can consider this behavior as a feature: if the user specifies the HTTPS, the user might not want the system to accept HTTP auth in the first place.
On the other hand: if the user specifies HTTPS out of sheer cluelessness (the casual web visitor is clueless concerning the purpose of the "S" part), then rejecting it's authentication attempt is confusing.
What is considered as the best practice?
Theoretically http and https identities could be different. Practically (as implemented by the providers in the real world) they shouldn't be.
StackOverflow does not differentiate between http://abdullin.myopenid.com and https://abdullin.myopenid.com, so the solution should probably work for the 99% scenarios.
Yes - they are completely different and should be treated as so.
The recommendations to OP's is to always use https but that isn't always the case (just now).