Does an OpenID realm have to be the base URL of the web site?

Question

As a continuation of this question, there\'s an issue I\'m having with dotnetopenauth.

Basically, I\'m wondering if the realm specified in the RP has to be the actua

Answer 1

The answer to your question is "no". The realm can be any URL between the base URL of your site and your return_to URL. So for example, if your return_to URL is http://localhost:1903/OpenId/Authenticate, the following are all valid realms:

• http://localhost:1903/OpenId/Authenticate
• http://localhost:1903/OpenId/
• http://localhost:1903/

The following are not valid realms, given the return_to above:

• http://localhost:1903/OpenId/Authenticate/ (extra trailing slash)
• http://localhost:1903/openid/ (case sensitive!)
• https://localhost:1903/ (scheme change)

Because some OpenID Providers such as Google issue pairwise unique identifiers for their users based on the exact realm URL, it's advisable for your realm to be the base URL to your web site so that it's most stable (redesigning your site won't change it). It's also strongly recommended that if it can be HTTPS that you make it HTTPS as that allows your return_to to be HTTPS and is slightly more secure that way (it mitigates DNS poisoning attacks).

The reason for the error in the log is because your RP creates and adds a FetchRequest extension to the OpenID authentication request, but you haven't initialized the FetchRequest with any actual attributes that you're requesting.

I couldn't tell you why your app freezes though, with the information you've provided.