A user with an '@' sign in their username will be given an OpenID identifier of:
http://openid.example.com/users/user@domain
however, they would also be able to use an identifier of:
http://openid.example.com/users/user%40domain
with the '@' sign percent encoded. We should make this resource a permanent redirect to the encoded version to prevent consumers from seeing multiple identifiers for the same user.
- Discovered while testing: CWD-3065 Accept 'GET' requests to the OpenID endpoint (Closed)
Detecting the exact request used proved unreliable. This fix adds the openid.delegate header back and includes openid2.local_id, both with the same canonical form of the identifier shown in the UI.
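The redirect proposed in the description, as an added example that is not part of the original issue and not Crowd's code. It assumes the percent-encoded form is the canonical one and that the server can see the raw, undecoded request path; `route` and `canonical_path` are hypothetical names.

```python
from urllib.parse import quote, unquote

BASE = "http://openid.example.com"  # host used in the issue text
PREFIX = "/users/"                  # path prefix used in the issue text


def canonical_path(username: str) -> str:
    """Single canonical spelling: everything except RFC 3986 unreserved
    characters is percent-encoded (uppercase hex), so '@' becomes %40."""
    return PREFIX + quote(username, safe="")


def route(raw_path: str):
    """Decide the response for a raw request path (no query string).

    Returns (status, location): 200 serves the identity page, 301 sends the
    consumer to the canonical identifier, 400/404 reject the request.
    """
    if not raw_path.startswith(PREFIX):
        return 404, None
    segment = raw_path[len(PREFIX):]
    if not segment or "/" in segment:
        return 404, None
    try:
        # Decode exactly once. errors="strict" rejects invalid UTF-8 instead
        # of silently mapping it to U+FFFD, which would name another user.
        username = unquote(segment, errors="strict")
    except UnicodeDecodeError:
        return 400, None
    canon = canonical_path(username)
    if raw_path == canon:
        return 200, None
    # Any other spelling of the same username (literal '@', lowercase hex,
    # needlessly encoded letters) collapses onto one identifier.
    return 301, BASE + canon


if __name__ == "__main__":
    # Constructed sample paths, not taken from real traffic.
    for p in ("/users/user@domain", "/users/user%40domain",
              "/users/%75ser%40domain", "/users/user%2540domain",
              "/users/user%ffdomain"):
        print(p, "->", route(p))
```

Because the segment is decoded only once, `user%2540domain` stays the identifier of a user whose name literally contains `%40` and is not merged with `user@domain`.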