我应该根据协议前缀区分OpenID吗？ http vs https [英] Should I distinguish OpenIDs based on protocol prefix or not? http vs https

问题描述

我使用 DotNetOpenAuth 为我的ASP.NET应用程序实现了直接的OpenID支持。然而，我最近意识到，与 https：// johndoe相比，该实现将 http://johndoe.example.com/ 视为一个独特的用户。 example.com 。

I have implemented a straightforward OpenID support for my ASP.NET app with DotNetOpenAuth. Yet I recently realized that the implementation was treating http://johndoe.example.com/ as a distinct user compared to https://johndoe.example.com.

这导致了相当多的混淆用户。我不确定此时该做什么。 这是一个错误还是一个功能？

This lead to quite a few confused users. I am unsure what to do at this point. Is this a bug or a feature?

确实，我可以将此行为视为一项功能：如果用户指定了HTTPS，则用户可能不希望系统首先接受HTTP身份验证。

Indeed, I can consider this behavior as a feature: if the user specifies the HTTPS, the user might not want the system to accept HTTP auth in the first place.

另一方面：如果用户指定HTTPS纯粹是无能为力（随意的网络访问者是无能为力的关于S部分的目的，然后拒绝它的认证尝试令人困惑。

On the other hand: if the user specifies HTTPS out of sheer cluelessness (the casual web visitor is clueless concerning the purpose of the "S" part), then rejecting it's authentication attempt is confusing.

什么被认为是最佳做法？

What is considered as the best practice?

推荐答案

理论上，http和https身份可能会有所不同。实际上（由现实世界中的提供商实现）它们不应该是。

Theoretically http and https identities could be different. Practically (as implemented by the providers in the real world) they shouldn't be.

StackOverflow不区分 http://abdullin.myopenid.com 和 https://abdullin.myopenid.com ，因此解决方案可能适用于99％的情况。

StackOverflow does not differentiate between http://abdullin.myopenid.com and https://abdullin.myopenid.com, so the solution should probably work for the 99% scenarios.

这篇关于我应该根据协议前缀区分OpenID吗？ http vs https的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！