
What kind of URI are allowed for OpenID?


I'm implementing a login system using OpenID.

The doc says:

Subject Identifier

An identifier for a set of attributes. It MUST be a URI. The subject identifier corresponds to the end-user identifier in the authentication portion of the messages. In other words, the subject of the identity attributes in the attribute exchange part of the message is the same as the end-user in the authentication part. The subject identifier is not included in the attribute exchange.

URIs are quite broad in definition: they can be http://, but also gopher://.

I'm sure gopher is not a valid URI protocol, but then, excluding http(s), what else is allowed as a subject identifier by the OpenID protocol?


Solution

  • You're quoting the wrong spec. The OpenID specification, section 7.2 says:

    7.2. Normalization

    The end user's input MUST be normalized into an Identifier, as follows:

    • If the user's input starts with the "xri://" prefix, it MUST be stripped off, so that XRIs are used in the canonical form.
    • If the first character of the resulting string is an XRI Global Context Symbol ("=", "@", "+", "$", "!") or "(", as defined in Section 2.2.1 of [XRI_Syntax_2.0], then the input SHOULD be treated as an XRI.
    • Otherwise, the input SHOULD be treated as an http URL; if it does not include a "http" or "https" scheme, the Identifier MUST be prefixed with the string "http://". If the URL contains a fragment part, it MUST be stripped off together with the fragment delimiter character "#". See Section 11.5.2 for more information.
    • URL Identifiers MUST then be further normalized by both following redirects when retrieving their content and finally applying the rules in Section 6 of [RFC3986] to the final destination URL. This final URL MUST be noted by the Relying Party as the Claimed Identifier and be used when requesting authentication.

    From the third point we can infer that the identifier must be either an http(s) URL or an XRI.
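The normalization steps quoted above, written out as an added example (not code from the OpenID specification or from the original post). It covers the offline parts of section 7.2: stripping "xri://", recognising XRIs by their Global Context Symbol, defaulting to http://, dropping the fragment, and the RFC 3986 section 6 syntax normalization (case of scheme and host, default port, empty path). Following redirects to reach the final Claimed Identifier needs the network and is left to the caller.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI Global Context Symbols plus "(" (OpenID 2.0 section 7.2, step 2).
XRI_GCS = set("=@+$!(")
DEFAULT_PORT = {"http": ":80", "https": ":443"}


def normalize_identifier(user_input: str) -> tuple[str, str]:
    """Return ("xri", xri) or ("url", normalized_url) for end-user input.

    Only the syntax-based part of RFC 3986 section 6 is applied here;
    percent-encoding and dot-segment normalization are left out, and
    redirects are not followed (assumption for this example).
    """
    s = user_input.strip()
    # Step 1: strip the "xri://" prefix so XRIs are in canonical form.
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    # Step 2: a leading Global Context Symbol or "(" means an XRI.
    if s and s[0] in XRI_GCS:
        return ("xri", s)
    # Step 3: otherwise treat as an http URL, prefixing "http://" if no
    # http/https scheme is present, then drop the fragment with its "#".
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    s = s.split("#", 1)[0]
    # Step 4 (offline part): RFC 3986 section 6 syntax normalization.
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    userinfo, _, hostport = parts.netloc.rpartition("@")
    hostport = hostport.lower()  # host names are case-insensitive
    if not hostport:
        raise ValueError("identifier has no host: %r" % user_input)
    if hostport.endswith(DEFAULT_PORT[scheme]):
        hostport = hostport[: -len(DEFAULT_PORT[scheme])]
    netloc = f"{userinfo}@{hostport}" if userinfo else hostport
    path = parts.path or "/"  # empty path normalizes to "/"
    return ("url", urlunsplit((scheme, netloc, path, parts.query, "")))
```

Whatever this returns for a URL is only the starting point: the Relying Party must record the URL reached after following redirects as the Claimed Identifier, or it will bind the login to an identifier the user does not actually control.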