On 5/22/12 9:25 AM, Jeff Schnitzer wrote:
> This doesn't really answer the OP's question: Will the system follow
> HTTP redirects?
Currently we do not. Anything other than a 200 application/json response
to the request for the well-known file is treated as a non-IdP.
> Why shouldn't the redirect work? Indeed, why does the "authority"
> delegation mechanism exist at all when HTTP provides a built-in
> delegation mechanism in the form of redirects? HTTP libraries already
> handle redirects and loop detection; why complicate application code
> by duplicating the same logic?
Great question and a worthwhile discussion to have.
There's a couple of reasons why explicit authority delegation seems like
a good idea. The main one is that we didn't want authority delegation to
be something that could happen by mistake. Lots of folks redirect entire
domains, precisely as you describe. Does an HTTP redirection
automatically imply a delegation of authority over user authentication?
I don't think so.
Now, the use case you bring up is an interesting one. There are a few
ways we could address this. Francois is going to be thinking about our
discovery story in the next few weeks.
One possibility: a DNS fallback (e.g. an SRV record) for declaring your
Persona parameters. Would that solve the problem?
-Ben