OpenID/SSL
Cor Bosman
cor at xs4all.nl
Fri Jan 18 08:23:30 PST 2008
Hi all, I've been wondering what the best practices are for using SSL
with OpenID. Since people can enter their OpenID without http:// or https://
I'm assuming that OpenID URLs are generally non-SSL.
So how can I have non-SSL OpenIDs authenticate on an SSL website?
I was thinking that this should work:
<link rel="openid.server" href="https://my.openid.server/index.php/serve">
<link rel="openid.delegate" href="http://my.openid.server/username">
But, if I now enter 'http://my.openid.server/username' in an OpenID-enabled
site, it doesn't actually go to https://my.openid.server/index.php but to
http://my.openid.server/index.php. Why is that?
How do other people generally make sure that authentication happens on
an SSL site? Do I need to separate the OpenID URLs from the OpenID
authenticating server address? Right now both are the same.
I'm using a version of php-server adapted to authenticate against our own
radius server.
Cor