[Python-Dev] Python wiki

Scott Dial scott+python-dev at scottdial.com
Mon Sep 27 06:30:30 CEST 2010

On 9/26/2010 11:45 PM, R. David Murray wrote:
> On Sun, 26 Sep 2010 21:56:20 -0400, Scott Dial <scott+python-dev at scottdial.com> wrote:
>> On 9/26/2010 3:12 AM, Martin v. Loewis wrote:
>>> Preventing the browser from prompting the user on the chance they
>>> might want to enter an OpenID is not possible, and stopping to use
>>> basic authentication is not feasible.
>> In theory, you could catch usernames that started with "http://", but I
> No, Martin really meant "not possible": once basic auth is started,
> the browser prompts for username and password and you are in basic-auth
> land thereafter; the web server has *no way* to tell the browser to
> *stop* using basic auth.

I agree that once you reply with a 401 that you will prompt the user,
but my point was what "username" means in the Authorization header is
open to interpretation by the HTTP server and/or script handling the GET

>> imagine that only "ultra geeks" know their URIs (I have no idea what the
>> URI for a Google account is). But, I don't see this as being worthwhile
> Well, my OpenId is 'david.bitdance.com', so even if you could get around
> the basic auth problem, looking for "http://" wouldn't work.

That's actually not a valid OpenID[1], but the OpenID specification says
a relaying party "MUST" normalize identifiers[2] (in this case,
prepending the "http://"). I believe bugs.python.org does this by
checking for a username first(?), and failing any matches, it normalizes
it for OpenID discovery. Otherwise, I can always use the canonical form
of my ID "http://scottdial.com" to login (assuming ':' and '/' are
illegal characters for usernames).

I say all this not with the intent of saying pypi *needs* this, but to
refute the notion that OpenID must be clumsy to use.

[1] http://openid.net/specs/openid-authentication-2_0.html
    An Identifier is either a "http" or "https" URI, (commonly referred
to as a "URL" within this document), or an XRI (Reed, D. and D. McAlpin,
“Extensible Resource Identifier (XRI) Syntax V2.0,” .) [XRI_Syntax_2.0].

[2] http://openid.net/specs/openid-authentication-2_0.html#normalization
3.  Otherwise, the input SHOULD be treated as an http URL; if it does
not include a "http" or "https" scheme, the Identifier MUST be prefixed
with the string "http://". If the URL contains a fragment part, it MUST
be stripped off together with the fragment delimiter character "#". See
Section 11.5.2 (HTTP and HTTPS URL Identifiers) for more information.

Scott Dial
scott at scottdial.com
scodial at cs.indiana.edu

More information about the Python-Dev mailing list