Our identity URLs are indeed sent as http. This is because, when OpenID was introduced into
Fedora many, many moons ago (before my time), it was done without HTTPS for identity URLs,
and changing this afterward would break every account assignment at every remote site,
which would leave many users very confused and annoyed.
Note that these identity URLs are only requested once in the protocol, and only by the
Relying Party (Zanata), which means that the only possible attack would be a man in the
middle between the Zanata servers and Fedora's network for the discovery.
The OpenID endpoint, which sends all data including the signatures, is always served over
HTTPS, just like the second discovery step.
Do note that we *also* provide all identity URLs over HTTPS, e.g.
If the Zanata team is willing to update all account assignments on your end, I can make us
serve HTTPS identity URLs to you.
Alternatively, you can just rewrite the HTTP identity URL to HTTPS on your end when
verifying, and that would work without any changes on our end, since all the certificates
are in place to serve them.
Feel free to let me know which you prefer.
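The second option above (rewriting the http identity URL to https on the Relying Party side before the discovery fetch, while keeping the stored account assignments unchanged) can be implemented as a small normalisation step. The following is an added example and is not code from the original post, from Fedora, or from Zanata. It assumes a hypothetical allow-list of provider hosts (ID_PROVIDER_HOSTS, here "id.example.org") known to serve their identity URLs over HTTPS with valid certificates, and that the RP keys its account table on the identity URL exactly as the provider asserts it (the http form), so only the URL used for the network fetch is upgraded.

```python
"""Upgrade OpenID identity URLs from http to https before discovery.

Added example, not code from the original post, Fedora, or Zanata.
Assumptions (not stated in the post): the provider's identity URLs share
a single host, given here as the hypothetical ID_PROVIDER_HOSTS set, and
the RP keeps the original http URL as the stored account key, so only the
URL used for the discovery fetch is rewritten.
"""
from __future__ import annotations

from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list of provider hosts known to serve identity URLs
# over HTTPS with valid certificates (assumption for this example).
ID_PROVIDER_HOSTS = frozenset({"id.example.org"})


def upgrade_identity_url(identity_url: str) -> str:
    """Return the URL the RP should fetch during discovery.

    Rewrites http:// to https:// only for allow-listed provider hosts, so
    the one step that is otherwise exposed to a man in the middle between
    the RP and the provider (fetching the identity URL) happens over TLS.
    Any other host is returned unchanged, https URLs are left untouched,
    and a non-http(s) scheme raises ValueError rather than being fetched.
    """
    parts = urlsplit(identity_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in identity URL: {identity_url!r}")
    if parts.scheme == "https":
        return identity_url
    host = (parts.hostname or "").lower()
    if host not in ID_PROVIDER_HOSTS:
        return identity_url
    # urlsplit keeps an explicit ":80" in netloc; drop it so the https
    # fetch does not go to port 80, but preserve any other explicit port.
    netloc = host
    if parts.port is not None and parts.port != 80:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def resolve_account(identity_url: str, accounts: dict) -> Tuple[str, Optional[str]]:
    """Look up the stored account by the original identity URL and return
    the (fetch_url, account) pair.

    The account table stays keyed on the URL exactly as the provider
    asserts it, so no existing account assignment has to change; only the
    URL handed to the discovery fetch is upgraded.
    """
    fetch_url = upgrade_identity_url(identity_url)
    return fetch_url, accounts.get(identity_url)


if __name__ == "__main__":
    # Constructed sample account table (not real data).
    table = {"http://id.example.org/alice": "alice"}
    print(resolve_account("http://id.example.org/alice", table))
```

The allow-list is the important part: blindly upgrading every http identity URL to https would break discovery for providers that do not serve their identity pages over TLS, so the rewrite is restricted to hosts the RP has confirmed do.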