[OpenID] thoughts on a consumer driven idp affiliate program

Martin Atkins mart at degeneration.co.uk
Tue Jan 9 18:05:15 UTC 2007


Lukas Rosenstock wrote:
> 
> If the URL to a page that includes an OpenID login form contains the key  
> openid_url with a valid OpenID URL as value in its query, this page SHOULD
> [...] immediately redirect to the IdP to verify the identity
>

While this is not strictly the case, this is shaving far too close to 
"GET request performing an action" for my liking. The actual action of 
initiating the login request (which causes a shift in state at both the 
RP and the OP) should always be done by the user hitting a "Log In" 
button; I don't want to get to the situation where I follow a random 
link to some other site and suddenly I've implicitly initiated a login 
request.

I have no problem with pre-populating the login box, however.

I probably also wouldn't take such issue with Site A containing a button 
titled "Log in to Site B" which causes a POST request to Site B which 
initiates the login there. It's that it's a POST request initiated by a 
button press that I'm adamant about, for the sake of keeping the UI sane 
and as predictable as possible.

(If two sites want to co-operate to do something sub-optimal they can go 
right ahead. We shouldn't spec anything of that sort as a standard, 
however.)
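
Added example, not part of the original message: a minimal relying-party /login handler in Python (WSGI, standard library only) showing the split argued for above, where a GET carrying openid_url only pre-populates the login box and only a POST from the "Log In" button redirects to the OP. OP_ENDPOINT, RETURN_TO and the call() helper are hypothetical, and discovery of the OP from the OpenID URL is skipped.

```python
import io
from html import escape
from urllib.parse import parse_qs, urlencode

# Hypothetical values; a real RP discovers the OP endpoint from the OpenID URL.
OP_ENDPOINT = "https://op.example/auth"
RETURN_TO = "https://rp.example/login/return"

FORM = ('<form method="post" action="/login">'
        '<input name="openid_url" value="{value}">'
        '<button type="submit">Log In</button></form>')


def login_app(environ, start_response):
    """WSGI handler for /login: GET only renders, POST starts the login."""
    method = environ["REQUEST_METHOD"]
    if method == "GET":
        # Safe method: no state change at RP or OP, just pre-populate the box.
        query = parse_qs(environ.get("QUERY_STRING", ""))
        value = query.get("openid_url", [""])[0]
        body = FORM.format(value=escape(value, quote=True)).encode()
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [body]
    if method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        claimed = form.get("openid_url", [""])[0]
        if not claimed:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"openid_url required"]
        # The user pressed "Log In": only now is the redirect to the OP issued.
        params = {"openid.mode": "checkid_setup",
                  "openid.identity": claimed,
                  "openid.return_to": RETURN_TO}
        start_response("303 See Other",
                       [("Location", OP_ENDPOINT + "?" + urlencode(params))])
        return [b""]
    start_response("405 Method Not Allowed", [("Allow", "GET, POST")])
    return [b""]


def call(method, query="", body=b""):
    """Drive the app with a constructed request; return (status, headers, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = login_app(environ, lambda s, h: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"], b"".join(out)
```

The pre-populated value is HTML-escaped because it comes straight from a link the user may have followed from another site.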




