
I have previously used OpenID 2.0 identities and delegation [1] in the context of indieweb use-cases, where there is an assumption that each user controls a domain. So an identity would look like https://example.com

Can an OpenID 2.0 identity take the form of a URL, rather than just a domain? For example, would https://example.com/alice and https://example.com/bob both:

  1. be valid, independent identities
  2. be able to delegate to separate identity providers

[1] Not OpenID Connect, which does not support delegation

lofidevops

1 Answer


User-supplied identifiers must be normalized. If the input gets treated as an HTTP(S) URL:

  1. Use http if no scheme is specified
  2. Strip off the fragment (including the #)
  3. Follow redirects
  4. Normalize the destination URL according to RFC 3986

Appendix A.1 gives some normalization examples: the inputs example.com and http://example.com would both become http://example.com/.

So an identifier can’t be just a domain; it has to be a URL. And there is no relevant difference between the URLs https://example.com/ and https://example.com/foo. This means it’s perfectly fine to provide multiple identities under the same host/domain.

unor
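The four normalization steps in the answer, carried through in code. This is an added example, not code from the question or the answer: it implements OpenID 2.0 section 7.2 (default scheme, fragment stripping, the XRI prefix check) and RFC 3986 section 6 (case, default port, percent-encoding and dot-segment normalization), and stands in for the redirect-following step with a constructed {url: location} table so it runs offline. The hostnames, paths and redirect table are invented sample data; a real relying party would follow real HTTP 3xx responses at that point.

```python
"""OpenID 2.0 user-supplied identifier normalization (spec sections 7.2/7.3,
RFC 3986 section 6), showing that path-based identifiers on one host stay
distinct.  Added example; not code from the question or the answer."""
import re
from urllib.parse import urlsplit, urlunsplit

XRI_GCS = "=@+$!("            # XRI global context symbols (OpenID 2.0, 7.2)
DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def normalize_pct(s):
    """RFC 3986 6.2.2: decode escapes of unreserved chars, uppercase the rest."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)


def remove_dot_segments(path):
    """RFC 3986 5.2.4 for an absolute path (the root segment is never popped)."""
    segs = path.split("/")
    out = []
    for seg in segs:
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:
                out.pop()
            continue
        out.append(seg)
    if segs[-1] in (".", ".."):   # a trailing dot segment leaves a trailing "/"
        out.append("")
    return "/".join(out)


def normalize_url(url):
    """RFC 3986 section 6 syntax-based normalization; drops any fragment."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if ":" in host:                       # IPv6 literal: urlsplit strips brackets
        host = "[" + host + "]"
    userinfo = p.netloc.rsplit("@", 1)[0] + "@" if "@" in p.netloc else ""
    port = "" if p.port in (None, DEFAULT_PORTS.get(scheme)) else f":{p.port}"
    path = remove_dot_segments(normalize_pct(p.path)) or "/"
    return urlunsplit((scheme, userinfo + host + port, path,
                       normalize_pct(p.query), ""))


def make_resolver(redirect_table, max_hops=10):
    """Offline stand-in for the HTTP client that follows 3xx redirects.
    redirect_table is a constructed {url: location} mapping; a real RP would
    issue GET requests and read Location headers, with the same hop cap."""
    def resolve(url):
        hops = 0
        while url in redirect_table:
            hops += 1
            if hops > max_hops:
                raise ValueError("too many redirects from " + url)
            url = normalize_url(redirect_table[url])
        return url
    return resolve


def normalize_identifier(user_input, resolve=lambda url: url):
    """OpenID 2.0 section 7.2: returns ('xri', value) or ('url', claimed_url)."""
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GCS:
        return "xri", s                    # XRIs are resolved by a different path
    if not HAS_SCHEME.match(s):
        s = "http://" + s                  # step 1: default scheme
    s = s.split("#", 1)[0]                 # step 2: strip fragment and '#'
    s = normalize_url(s)                   # idempotent; makes the lookup below exact
    final = resolve(s)                     # step 3: follow redirects
    return "url", normalize_url(final)     # step 4: RFC 3986 on the destination


# Constructed sample: both users' http URLs redirect to https on the same path.
REDIRECTS = {
    "http://example.com/alice": "https://example.com/alice",
    "http://example.com/bob": "https://example.com/bob",
}


def claimed_identifiers(inputs, redirects=REDIRECTS):
    """Normalize each user-supplied identifier against the redirect table."""
    resolve = make_resolver(redirects)
    return [normalize_identifier(i, resolve) for i in inputs]


if __name__ == "__main__":
    samples = ["example.com", "http://example.com", "example.com/alice#me",
               "EXAMPLE.com:80/bob", "xri://=alice",
               "https://Example.COM:443/a/./b/../c/%7Eme%3f"]
    for raw, result in zip(samples, claimed_identifiers(samples)):
        print(f"{raw!r:48} -> {result}")
```

The value that comes out of the last step, not what the user typed, is the string the relying party stores and compares, so https://example.com/alice and https://example.com/bob remain two identities exactly as long as neither path redirects onto the other; the hop cap in the resolver is there because that redirect chain is under the control of whoever serves the identifier URL.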