Tags: openid, identity, delegation, openid-provider, indieweb

Are URLs (not domains) suitable for OpenID 2.0 identities?


I have previously used OpenID 2.0 identities and delegation [1] in the context of indieweb use-cases, where there is an assumption that each user controls a domain. So an identity would look like https://example.com.

Can an OpenID 2.0 identity take the form of a URL, rather than just a domain? For example, both https://example.com/alice and https://example.com/bob would be:

  1. valid, independent identities
  2. each able to delegate to a separate identity provider

[1] Not OpenID Connect, which does not support delegation


Solution

  • User-supplied identifiers must be normalized. If the input is treated as an HTTP(S) URL:

    1. Use http if no scheme is specified
    2. Strip off the fragment (including the #)
    3. Follow redirects
    4. Normalize the destination URL according to RFC 3986

    Appendix A.1 gives some normalization examples: the inputs example.com and http://example.com would become http://example.com/.

    So an identifier can’t be just a domain, it has to be a URL. And there is no relevant difference between the URLs https://example.com/ and https://example.com/foo. This means it’s perfectly fine to provide multiple identities under the same host/domain.
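The four normalization steps listed in the answer, worked through in code. This is an added example, not code from the question, the answer or the OpenID specification. Step 3 (following redirects) needs a network round-trip, so it is modelled by a caller-supplied `resolve` function; the `REDIRECTS` table is a constructed stand-in for HTTP 3xx responses, and the function and variable names are this example's own.

```python
"""OpenID 2.0 identifier normalization: default scheme, fragment removal,
redirect following and RFC 3986 syntax-based normalization."""
import re
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Constructed redirect table standing in for live HTTP responses:
# "requesting this URL answers with a redirect to that one".
REDIRECTS = {
    "http://example.com/alice": "https://example.com/alice/",
}


def _normalize_percent_encoding(component):
    """RFC 3986 6.2.2.2: decode percent-encoded unreserved characters and
    upper-case the hex digits of every other escape."""
    def fix(match):
        char = chr(int(match.group(1), 16))
        return char if char in UNRESERVED else "%" + match.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, component)


def _remove_dot_segments(path):
    """RFC 3986 5.2.4: resolve '.' and '..' segments of an absolute path."""
    output = []
    segments = path.split("/")
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if len(output) > 1:  # never pop the leading empty segment
                output.pop()
            continue
        output.append(seg)
    if segments[-1] in (".", ".."):
        output.append("")  # a trailing '.' or '..' keeps the trailing slash
    return "/".join(output)


def rfc3986_normalize(url):
    """Syntax-based normalization: scheme and host case, default port,
    empty path, percent-encoding and dot segments."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if ":" in host:              # IPv6 literal lost its brackets in .hostname
        host = f"[{host}]"
    port = parts.port
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    path = _remove_dot_segments(_normalize_percent_encoding(parts.path)) or "/"
    query = _normalize_percent_encoding(parts.query)
    return urlunsplit((scheme, host, path, query, ""))


def follow_redirects(url, resolve, max_hops=5):
    """Step 3: resolve(url) returns the redirect target, or None when the
    URL is final. Bounded so a redirect loop cannot spin forever."""
    for _ in range(max_hops):
        nxt = resolve(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError(f"too many redirects starting from {url!r}")


def normalize_identifier(user_input, resolve=lambda url: None):
    """Steps 1 to 4 from the answer, applied in order."""
    ident = user_input.strip()
    if not SCHEME_RE.match(ident):
        ident = "http://" + ident                   # 1. default to http
    ident = ident.split("#", 1)[0]                  # 2. strip the fragment
    ident = follow_redirects(ident, resolve)        # 3. follow redirects
    return rfc3986_normalize(ident)                 # 4. RFC 3986 normalization


if __name__ == "__main__":
    for raw in ("example.com", "http://example.com",
                "HTTPS://Example.COM:443/alice#me",
                "https://example.com/%7ealice/./b/../"):
        print(f"{raw!r:45} -> {normalize_identifier(raw)}")
    # With the constructed redirect table, /alice is redirected to /alice/.
    print(normalize_identifier("example.com/alice", REDIRECTS.get))
```

Because the path is kept intact, `https://example.com/alice` and `https://example.com/bob` normalize to two distinct identifiers, which is exactly what lets several identities live under one host. The bounded `follow_redirects` also matters for a relying party: an unbounded loop over attacker-controlled redirects is a cheap denial of service.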