Ticket #940 (closed defect: wontfix)
OpenID login via google for same user generates 2 different openid urls
| Reported by: | rgrp | Owned by: | pudo |
|---|---|---|---|
| Priority: | blocker | Milestone: | ckan-v1.3 |
| Component: | ckan | Keywords: | |
| Cc: | | Repository: | |
| Theme: | | | |
Description
This has been noted twice in the last couple of weeks.
Checking around, my guess is this is due to someone logging in to www.ckan.net and ckan.net. Google generates openid based on the RP (requesting party), which is the requesting domain url unless the openid.realm is set. See:
- http://groups.google.com/group/google-federated-login-api/web/the-most-important-technical-issue-in-using-the-google-accounts-api?pli=1
- http://stackoverflow.com/questions/3549953/how-to-get-unique-identifier-from-openid-google
To fix this we should set the openid.realm (not sure how atm).
If this is not possible an alternative is to make sure we redirect all users to a single site url (perhaps using ckan config option site_url, or doing this in apache).
Cost: 1h
Change History
comment:2 Changed 3 years ago by rgrp
I agree with pudo (though it would not be the end of the world if these were treated as the same realm!). I've now created a permanent redirect for www.ckan.net to ckan.net.
```apache
# Permanently redirect www.ckan.net to ckan.net
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.ckan\.net$ [NC]
RewriteRule ^(.*)$ http://ckan.net$1 [R=301,L]
```
comment:3 Changed 3 years ago by rgrp
- Status changed from assigned to closed
- Resolution set to wontfix
Listing as wontfix now since:
- Have workaround
- Better for most sites to converge on a single domain anyway (for SEO etc) -- via std redirect approach or otherwise
- Seems problematic to fix this via openid realm
It seems like even with openid.realm set we could only create two "zones": *.ckan.net and ckan.net. We do not want *.ckan.net because it interferes with ccCKANs.
My vote for the moment would be to 303 www.ckan.net to ckan.net.
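The realm constraint discussed in this ticket, as an added example that is not part of the ticket or of CKAN's code: a sketch of the return_to/realm matching rule from OpenID Authentication 2.0 section 9.2, showing that a single realm covering both ckan.net and www.ckan.net has to be the wildcard one, which also covers every other subdomain. The return path `/openid/return` and the host `xx.ckan.net` are hypothetical placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
RETURN_PATH = "/openid/return"  # hypothetical return_to path, not CKAN's real one


def _parts(url):
    """Split a URL into (scheme, host, port, path) with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or ""), u.port or DEFAULT_PORTS.get(scheme), u.path or "/"


def realm_matches(realm, return_to):
    """True if return_to falls inside realm under the OpenID 2.0 section 9.2 rules."""
    r_scheme, r_host, r_port, r_path = _parts(realm)
    u_scheme, u_host, u_port, u_path = _parts(return_to)
    if (r_scheme, r_port) != (u_scheme, u_port):
        return False
    # return_to path must equal the realm path or sit below it.
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    if u_path != r_path and not u_path.startswith(prefix):
        return False
    if r_host.startswith("*."):
        suffix = r_host[2:]
        # Wildcard: the bare domain and every subdomain match, on a label boundary.
        return u_host == suffix or u_host.endswith("." + suffix)
    return u_host == r_host


def hosts_covered(realm, hosts):
    """Hosts whose return_to URL the provider would accept for this realm."""
    return [h for h in hosts if realm_matches(realm, "http://%s%s" % (h, RETURN_PATH))]


# Constructed sample hosts: xx.ckan.net stands in for a ccCKAN subdomain.
HOSTS = ["ckan.net", "www.ckan.net", "xx.ckan.net"]

if __name__ == "__main__":
    for realm in ("http://ckan.net/", "http://www.ckan.net/", "http://*.ckan.net/"):
        print(realm, "->", hosts_covered(realm, HOSTS))
```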