OpenID on

I’ve finally finished up the signup for Rosebleed. The workflow is what you’d expect – OpenID box on the login form, if the given URL isn’t recognized then it redirects to the signup form and prepopulates it with the sreg fields.

I did notice a strange behaviour in OpenID; I’m not yet certain if I missed it in the spec or if it’s left to one’s judgement (note to self: read the spec again)… Anyway, here’s what happens:

– Say I sign up with “”. This site delegates to my ClaimID page, so the openid.identity response is, and this is what I actually use to identify the user.
To my thinking, I should be able to log in using “” (since that delegates to my ClaimID), or, or These URLs all end up at the same identity, so they should be equivalent — and that’s how I implemented it on .

I’ve noticed other OpenID-enabled sites handle this differently. On the OpenID Directory for instance, I first signed up as “”. I’ve gotten in the habit of logging in using; but when I try that at OpenID Directory, I get an error message that my email address is already registered to my ClaimID URL.

So, barring finding that the spec keeps “equivalent” OpenID URLs separate, I think I’m in the right here; always open to feedback though.

Update [2008-03-19]: I’ve checked the spec, and as it turns out, I’m actually in the wrong:

So, to use as their Identifier, but have Consumers actually verify with the Identity Provider located at, they’d add the following tags to the HEAD section of the HTML document returned when fetching their Identifier URL.

Now, when a Consumer sees that, it’ll talk to and ask if the End User is, never mentioning anywhere on the wire.

The main advantage of this is that an End User can keep their Identifier over many years, even as services come and go; they’ll just keep changing who they delegate to.

Hacking with hKit

I’ve been using hKit recently for several projects, among them trying to figure out why ’s user profiles won’t import at Satisfaction. In testing, I found that Technorati profiles also don’t import.

I tracked it down to two separate issues:

  1. Technorati uses DoubleClick advertising, which uses document.write() to drop new scripts into the page. This script-within-a-script seems to confuse the w3’s tidy proxy and breaks everything.
    I managed to work around this with a big ugly hack in hkit.class.php which attempts to detect the document.write() and fix the damage. It’s pretty ugly and probably pretty delicate as well, but it’s something.
    Feedback is always welcome: Modified hKit 0.5
  2. Satisfaction uses AJAX to pull the hCard info through a script on their server. The script seems to have the same shortcoming as the Microformatic tool with URLs containing a ?. This one was an easy fix on my end; I updated Rosebleed’s profile page to accept the username either from the GET string (profile.php?user=silvermoon82) or from pathinfo (profile.php/silvermoon82). The hCard fetcher works with the new format links, so all is well in the universe.

Social networking updates on Rosebleed

I’ve been updating the features on [tag]Rosebleed[/tag]. Most of the changes are not immediately visible, but they’re nifty:
I’ve rolled out [tag]microformat[/tag] markup all over the site – user profiles are now [tag]hcard[/tag]-enabled and the friendslist is marked up with [tag]hCard+XFN[/tag].
I also implemented [tag]FOAF[/tag] profiles with autodiscovery, much like that provided by LiveJournal (for a cool FOAF tool, check out the FOAF Explorer).

Still in the works on the SN side is implementing [tag][/tag] for logins and order tracking, and hCard, hCard+XFN and FOAF profile-pulling.