[Python-Dev] Python wiki

Scott Dial scott+python-dev at scottdial.com
Mon Sep 27 06:30:30 CEST 2010


On 9/26/2010 11:45 PM, R. David Murray wrote:
> On Sun, 26 Sep 2010 21:56:20 -0400, Scott Dial <scott+python-dev at scottdial.com> wrote:
>> On 9/26/2010 3:12 AM, Martin v. Loewis wrote:
>>> Preventing the browser from prompting the user on the chance they might want to enter an OpenID is not possible, and stopping to use basic authentication is not feasible.
>>
>> In theory, you could catch usernames that started with "http://", but I
>
> No, Martin really meant "not possible": once basic auth is started, the browser prompts for username and password and you are in basic-auth land thereafter; the web server has no way to tell the browser to stop using basic auth.

I agree that once you reply with a 401 that you will prompt the user, but my point was what "username" means in the Authorization header is open to interpretation by the HTTP server and/or script handling the GET request.

>> imagine that only "ultra geeks" know their URIs (I have no idea what the URI for a Google account is). But, I don't see this as being worthwhile
>
> Well, my OpenId is 'david.bitdance.com', so even if you could get around the basic auth problem, looking for "http://" wouldn't work.

That's actually not a valid OpenID[1], but the OpenID specification says a relaying party "MUST" normalize identifiers[2] (in this case, prepending the "http://"). I believe bugs.python.org does this by checking for a username first(?), and failing any matches, it normalizes it for OpenID discovery. Otherwise, I can always use the canonical form of my ID "http://scottdial.com" to login (assuming ':' and '/' are illegal characters for usernames).

I say all this not with the intent of saying pypi needs this, but to refute the notion that OpenID must be clumsy to use.

[1] http://openid.net/specs/openid-authentication-2_0.html
"""
Identifier: An Identifier is either a "http" or "https" URI, (commonly referred to as a "URL" within this document), or an XRI (Reed, D. and D. McAlpin, “Extensible Resource Identifier (XRI) Syntax V2.0,” .) [XRI_Syntax_2.0].
"""

[2] http://openid.net/specs/openid-authentication-2_0.html#normalization
"""
3. Otherwise, the input SHOULD be treated as an http URL; if it does not include a "http" or "https" scheme, the Identifier MUST be prefixed with the string "http://". If the URL contains a fragment part, it MUST be stripped off together with the fragment delimiter character "#". See Section 11.5.2 (HTTP and HTTPS URL Identifiers) for more information.
"""

-- 
Scott Dial
scott at scottdial.com
scodial at cs.indiana.edu
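Added example, not part of the original message and not bugs.python.org's code: a server-side reading of the Basic `Authorization` user-id as either a local account or an OpenID, using the "username first, then normalize" order the message guesses at and the normalization rule quoted in [2]. The account names and function names are assumptions, the sample headers are constructed, and only the textual part of normalization is done (no redirect following, no XRI).

```python
import base64
from urllib.parse import urlsplit, urlunsplit

LOCAL_USERS = {"sdial", "rdmurray"}  # constructed sample accounts

def basic_header(user, password):
    """Client side: build an Authorization value (used for the sample input)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def split_basic(header_value):
    """Server side: recover (user-id, password) from a Basic header."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user_pass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    # RFC 7617: the FIRST colon ends the user-id, so a user-id cannot hold ':'.
    user, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def normalize_openid(identifier):
    """URL branch of OpenID 2.0 normalization (rule 3 quoted in [2])."""
    ident = identifier.strip()
    if not ident:
        raise ValueError("empty identifier")
    if ident.lower().startswith("xri://") or ident[0] in "=@+$!(":
        raise ValueError("XRI identifiers are not handled here")
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident  # MUST be prefixed when no scheme is given
    scheme, netloc, path, query, _fragment = urlsplit(ident)
    if not netloc or "@" in netloc:
        raise ValueError("identifier needs a plain host")
    # Fragment is dropped; lower-case host and "/" for an empty path follow
    # RFC 3986 section 6, which the spec applies to URL identifiers.
    return urlunsplit((scheme, netloc.lower(), path or "/", query, ""))

def classify_login(header_value):
    """Username first; anything that is not a local account is an OpenID."""
    user, _password = split_basic(header_value)
    if user in LOCAL_USERS:
        return ("local", user)
    return ("openid", normalize_openid(user))
```

Because Basic credentials are split at the first colon, a scheme-less identifier such as `david.bitdance.com` reaches the server intact, while `http://scottdial.com` arrives as user-id `http` with the rest folded into the password.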


