[OpenID] thoughts on a consumer driven idp affiliate program
mart at degeneration.co.uk
Tue Jan 9 18:05:15 UTC 2007
Lukas Rosenstock wrote:
> If the URL to a page that includes an OpenID login form contains the key
> openid_url with a valid OpenID URL as value in its query, this page SHOULD
> [...] immediately redirect to the IdP to verify the identity
While this is not strictly the case, this is shaving far too close to
"GET request performing an action" for my liking. The actual action of
initiating the login request (which causes a shift in state at both the
RP and the OP) should always be done by the user hitting a "Log In"
button; I don't want to get to the situation where I follow a random
link to some other site and suddenly I've implicitly initiated a login
I have no problem with pre-populating the login box, however.
I probably also wouldn't take such issue with Site A containing a button
titled "Log in to Site B" which causes a POST request to Site B which
initiates the login there. It's that it's a POST request initiated by a
button press that I'm adamant about, for the sake of keeping the UI sane
and as predictable as possible.
(If two sites want to co-operate to do something sub-optimal they can go
right ahead. We shouldn't spec anything of that sort as a standard,
More information about the general