While I know a little bit about OpenID, I never really cared much about the technical background, the specification, and other related issues. I am an end user and I just want the relying party to redirect me to my provider, which should then do some funny authentication scheme in the background and send me back to the relying party, where I will eventually be logged in. And fortunately this is exactly what happens most of the time.
Most of the time? Not always? Well, sometimes things start to go wrong right at the beginning of a user’s OpenID experience: when typing their OpenID into the relying party’s form field. Remember, an OpenID is a URL, something like this: http://youropenid.com/.
However, is there a difference if you type:
- http://youropenid.com or
There shouldn’t be a difference, but sometimes there is. According to the OpenID 2.0 specification, relying parties must normalize those inputs to http://youropenid.com/. There are some more examples given in the specification, so have a look at them as well. Normalization was mentioned in the OpenID 1.1 specification as well, but certainly not as clearly as in the OpenID 2.0 one.
However, there are some relying parties out there which have not implemented normalization properly or at all. And this is a problem for end users like me. If I create an account with http://youropenid.com and the next time I log in with http://youropenid.com/, I have created two accounts. Not a good idea. The only difference is the trailing slash. That’s not obvious or understandable for non-techie users. I have learned about that just today as well.
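The following added example, which is not from the OpenID specification or from any relying party's code, shows in Python the syntactic part of OpenID 2.0 identifier normalization and an account lookup keyed on the normalized form, so both spellings above reach the same account. The names normalize_identifier and find_or_create_account are hypothetical; following redirects during discovery and the remaining RFC 3986 rules (percent-encoding case, dot segments) are left out, and rejecting userinfo is a choice of this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Leading characters that mark an XRI rather than a URL (OpenID 2.0, section 7.2).
XRI_PREFIXES = ("=", "@", "+", "$", "!", "(")
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input):
    """Return (kind, identifier), where kind is 'XRI' or 'URL'."""
    ident = user_input.strip()
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident.startswith(XRI_PREFIXES):
        return ("XRI", ident)
    # Anything else is treated as an http(s) URL; add the scheme if missing.
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    # Example choice: refuse user:password@host forms and empty hosts.
    if parts.username is not None or not parts.hostname:
        raise ValueError("unsupported identifier: %r" % user_input)
    scheme = parts.scheme                 # already lower-cased by urlsplit
    host = parts.hostname                 # already lower-cased by urlsplit
    if ":" in host:                       # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    port = parts.port
    if port is not None and port != DEFAULT_PORTS[scheme]:
        host = "%s:%d" % (host, port)
    path = parts.path or "/"              # empty path becomes "/"
    # The fragment is dropped; the query string is kept.
    return ("URL", urlunsplit((scheme, host, path, parts.query, "")))


def find_or_create_account(accounts, user_input):
    """Look up the account by normalized identifier, never by raw input."""
    _kind, ident = normalize_identifier(user_input)
    return accounts.setdefault(ident, {"openid": ident})


if __name__ == "__main__":
    accounts = {}
    for typed in ("http://youropenid.com", "http://youropenid.com/",
                  "youropenid.com", "HTTP://YourOpenID.com:80/#me"):
        find_or_create_account(accounts, typed)
    print(len(accounts), "account(s):", list(accounts))
```

Only the empty path is rewritten: http://youropenid.com/user and http://youropenid.com/user/ remain distinct identifiers.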
OpenID still suffers from claims that it is too technical and not particularly user friendly. Lack of normalization just adds to those claims. Although people use social networks and probably know how to access their profiles there, a URL is still a rather uncommon thing to use. So relying parties should do their best to make users’ lives as comfortable as they can. In the meantime, it’s probably best for end users to always add http:// and to remember whether they used a trailing slash or not.