Martin Atkins (mart) wrote in apparentlymart,

Warning: URLs can contain at signs!

This should not be surprising to anyone, but it has apparently caught out both me and Ma.gnolia: URLs can contain at signs!

Ma.gnolia has support for one of the fledgling attempts at a protocol for email addresses as OpenID identifiers. A few weeks ago I posted about my own experimental implementation of a different approach to the same problem. Both of us made the mistake of identifying an email address by simply looking for an at sign anywhere in the entered URL.

This is, of course, not good enough. Flickr's OpenID identifiers that are already in the wild have at signs in them. There's nothing constraining anyone else from using an at sign, either. So what is a boy to do? Time for a more restrictive regex, I guess. /^[^:/]+@[^:/]+/ ought to do the trick, I think. There is of course the big elephant in the room that all of these are breaking backward-compatibility with existing implementations that turn into

I've had on my to-do list for a while now some research to see what existing implementations do when presented with URLs like that. I'm sure it's suboptimal whatever it is, but we need to consider how existing implementations will behave if we change the rules now. In an ideal world, we'd find that current implementations all behave basically the same and we can document that as opt-in fallback behavior when "proper" email address support is not available at a particular RP.
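As an added example (not code from this post or from either implementation), here is the naive "any at sign" check beside the restrictive regex above, run over a constructed set of identifiers. The legacy_parse helper assumes the standard OpenID normalisation rule of prefixing "http://" when no scheme is present, to show what an RP without email support makes of an email address.

```python
import re
from urllib.parse import urlsplit

# Naive rule from the post: any at sign anywhere means "email address".
def naive_is_email(identifier: str) -> bool:
    return "@" in identifier

# Restrictive rule from the post: /^[^:/]+@[^:/]+/ -- the at sign must come
# before any ':' or '/', so a scheme, a path component or a userinfo URL
# ("http://user@host/") never qualifies as an email address.
EMAIL_RE = re.compile(r"^[^:/]+@[^:/]+")

def restrictive_is_email(identifier: str) -> bool:
    return EMAIL_RE.match(identifier) is not None

def classify(identifier: str) -> str:
    """Decide whether an entered identifier should take the email path."""
    return "email" if restrictive_is_email(identifier.strip()) else "url"

def legacy_parse(identifier: str):
    """How an RP with no email support sees the input (assumption: it applies
    OpenID's normalisation, prefixing 'http://' when no scheme is present).
    An email address then becomes a URL whose userinfo is the local part.
    Returns (username, hostname)."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    return parts.username, parts.hostname

# Constructed sample identifiers (not taken from the post).
SAMPLES = [
    "someone@example.com",                 # a genuine email address
    "http://example.com/photos/123@N00/",  # at sign inside the URL path
    "http://alice@example.com/",           # at sign in the URL userinfo
    "example.com/~alice@home",             # scheme-less URL, at sign in path
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "naive:", naive_is_email(s), "classify:", classify(s),
              "legacy view:", legacy_parse(s))
```

Only the first sample is an email address, yet the naive check flags all four; the regex flags only the first.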

