Should OpenID be distinguished based on a protocol prefix or not? http vs https

I implemented direct OpenID support for my ASP.NET application with DotNetOpenAuth. However, I recently realized that the implementation treated http://johndoe.example.com/ as a separate user compared to https://johndoe.example.com.

This leads to a considerable number of confused users. I'm not sure what to do at this point. Is this a bug or a feature?

In fact, I could consider this behavior a feature: if the user specifies HTTPS, the user may not want the system to accept HTTP authentication in the first place.

On the other hand: if the user specifies HTTPS due to pure immateriality (the casual web visitor does not know about the "S" part), then rejecting the authentication attempt is confusing.

What is considered best practice?

+4

2 answers

Theoretically, the identifiers http and https can be different. In practice (as implemented by providers in the real world), they should not be.

StackOverflow does not distinguish between http://abdullin.myopenid.com and https://abdullin.myopenid.com, so that solution should probably work for 99% of scenarios.

-1

Yes - they are completely different and should be considered as such.

The recommendation for the OP is to always use https, but this is not always the case (for now).

+4
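As an added illustration of the two positions above (not code from the question, either answer, or DotNetOpenAuth), here is how a relying party might normalize URL identifiers the way OpenID 2.0 section 7.2 describes and then decide whether the scheme is part of the identity. Function names are my own; the redirect-following and percent-encoding normalization the spec also requires are omitted.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: hypothetical helper names; constructed identifiers used in the checks below.

def normalize_openid_identifier(user_input: str) -> str:
    """Syntax-only normalization of a user-supplied identifier (OpenID 2.0 section 7.2):
    strip an xri:// prefix, pass XRIs through, default the scheme to http, drop the
    fragment, lowercase scheme/host, drop the default port, and make an empty path "/".
    Redirect-following and percent-encoding normalization are not done here."""
    ident = user_input.strip()
    if not ident:
        raise ValueError("empty identifier")
    if ident.startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident[0] in "=@+$!(":
        return ident  # XRI: returned unchanged
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lowercased; None if no host was given
    if scheme not in ("http", "https") or not host:
        raise ValueError("not an http(s) URL identifier: %r" % user_input)
    port = parts.port  # raises ValueError on a malformed port
    default_port = {"http": 80, "https": 443}[scheme]
    netloc = host if port in (None, default_port) else "%s:%d" % (host, port)
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identity(stored: str, asserted: str, scheme_sensitive: bool = True) -> bool:
    """Compare the claimed identifier stored for an account with the one an OP just asserted.
    With scheme_sensitive=True (the spec's view) http://x/ and https://x/ are distinct users.
    With scheme_sensitive=False both map to one account; this is convenient for users but
    means an http identifier, whose discovery ran in cleartext, can log into an account
    that was created under https, so the https user's choice of scheme buys nothing."""
    s = urlsplit(normalize_openid_identifier(stored))
    a = urlsplit(normalize_openid_identifier(asserted))
    if scheme_sensitive:
        return s == a
    return s._replace(scheme="") == a._replace(scheme="")


if __name__ == "__main__":
    # The exact pair from the question: distinct by the spec, merged if scheme is ignored.
    print(same_identity("http://johndoe.example.com/", "https://johndoe.example.com"))
    print(same_identity("http://johndoe.example.com/", "https://johndoe.example.com", False))
```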

Source: https://habr.com/ru/post/1306102/