Issue 526: Unable to resolve two separate "users" with http://* vs https://* OpenID urls
Status:  WontFix
Owner: ----
Closed:  Apr 2010
Reported by OdinG...@gmail.com, Apr 7, 2010
Affected Version: 2.1.2.2

What steps will reproduce the problem?
1. Register a user with http://openidurl
2. Register a user with https://openidurl

What is the expected output? What do you see instead?

I end up with two separate registered "users" in Gerrit, and haven't found
a way to correct this.

When I try to use the Account Setting -> Identities -> Link Another Identity
it just returns an error saying to contact the site administrator (which is
me). Presumably this is because the OpenID URL is already registered to
another user. Unfortunately, I am unable to delete the extra user account
(no method in Web UI). Nor am I able to delete the identity from the extra
user account (I would hope this would allow me to link it to the correct
account).

Please provide any additional information below.

Perhaps the http:// and https:// versions of the exact same OpenID URL
should be treated as "the same" so that you can't end up with two user
accounts.

Apr 24, 2010
#1 sop@google.com
Technically there is a difference between a user who
was authenticated over SSL, and one who wasn't.  The
OpenID protocol is vulnerable to man-in-the-middle
attacks unless it's running over SSL and the peer's
server certificate can be trusted.

For the review.source.android.com server for example
we can only permit elevated privileges to a user if
they authenticated over SSL.

Worse, an OpenID provider could be running two very
different servers on the two ports, with different
user databases.  Canonicalizing identities under the
assumption that user accounts from port 80 are the same
as users from port 443 could lead to some problems
down the road.

Best solution is to manually edit your server's DB
and remove the one account.  Or merge them together
using the merge accounts script available in the wiki
area of this project.
Status: WontFix
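The point made in the comment above, as an added illustration that is not Gerrit's code: an account store that normalizes OpenID URLs (lowercased host, default port and fragment dropped, in the spirit of RFC 3986 normalization) but keeps the scheme, so the http and https forms from the report remain distinct accounts and only the TLS-asserted identity qualifies for elevated rights. `AccountRegistry`, `is_ssl_identity` and the example.com identifiers are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_openid(identifier: str) -> str:
    """Canonicalize an OpenID URL without collapsing the scheme.

    Lowercases scheme and host, drops a default port and any fragment,
    and gives an empty path a trailing '/'. The http:// and https://
    forms of the same URL deliberately stay separate identities.
    """
    parts = urlsplit(identifier.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port  # raises ValueError on a malformed port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def is_ssl_identity(identifier: str) -> bool:
    """Only an identity asserted over TLS may be granted elevated rights."""
    return normalize_openid(identifier).startswith("https://")


class AccountRegistry:
    """Toy account store (constructed): normalized identifier -> account id."""

    def __init__(self) -> None:
        self._accounts: dict[str, int] = {}

    def register(self, identifier: str) -> int:
        """Return the account for this identity, creating one if it is new.

        Two spellings of the same http URL share one account; the https
        form of that URL gets its own, matching the comment's reasoning.
        """
        key = normalize_openid(identifier)
        if key not in self._accounts:
            self._accounts[key] = len(self._accounts) + 1
        return self._accounts[key]
```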