OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

John Kemp john.kemp at mac.com
Sat Nov 18 03:17:32 UTC 2006


Hi Johnny,

Johnny Bufu wrote:
>
> On 17-Nov-06, at 11:13 AM, John Kemp wrote:
>> I /think/ the limit you are talking about is that regarding the size of
>> the URL. The reason you might approach or exceed that limit would be if
>> you were sending an HTTP GET with parameters appended to the URL. The
>> solution to that issue is to encode the data as an HTTP FORM POST,
>> which, AFAIK, has no such limit. As I understand it, that would be a
>> separate issue from whether the protocol is transacted via HTTP 3XX
>> redirects through the user-agent, vs. making the user-agent do the
>> redirect "manually".
>
> There are a few issues with issuing redirects to POST requests:
>
> - According to the HTTP RFC, user agents receiving a 3XX redirect in
> response to a POST request MUST NOT automatically redirect the request.

Yup, if you use a 302 redirect, which is probably what you'd want, then
there is that potential. You can use 303 or 307 (as mentioned in 5.2.1
of draft 10 of the spec) in order to better control that.

>
> - See the note in RFC: even though the user-agents aren't supposed to
> change the method, some perform a GET on the redirect URL, even though
> the initial request was a POST.
>
> - In the specific case of OpenID authentication messages, the server
> issuing the redirect needs to send data (the OpenID message) to its
> peer, via the user agent. I don't see how the user-agent can be
> instructed via a redirect to use the POST response at the redirect URL.

Wouldn't the IdP also issue a 302 redirect with its response
message to the RP? Of course, the RP would have to remember what
location the user-agent originally requested, in order to give the right
content to the user-agent.


As far as I can tell, HTTP redirects are already supported in some
current (pre 2.0) OpenID implementations, so I'm still not sure what the
problem is with allowing HTTP redirect implementations in OpenID 2.0.

Cheers,

- John
>
>
> Johnny
>
>
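The exchange the two of them are debating, the user agent POSTs a login form to the RP, the RP answers with a 3XX whose Location points at the IdP, and the agent follows it, can be modelled in a few lines. The following is an added example, not code from the thread or from any OpenID implementation; the endpoint URL, the form field and the OpenID message are constructed sample data, and the user-agent model is a simplification of the RFC 2616 rules (a strict agent stops on a 302 after a POST, a lenient one switches to GET, a 303 always means GET, a 307 replays the method and the original body). Running it shows concretely why a 307 does not help the server relay its own message: the replayed body is the user's form, not the OpenID message, so the message has to ride in the query string regardless of the status code.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample data (not from the thread): the form the user submitted
# to the RP, and the OpenID message the RP wants to relay to the IdP.
ORIGINAL_FORM_BODY = urlencode({"openid_identifier": "http://alice.example.org/"})
OPENID_MESSAGE = {
    "openid.mode": "checkid_setup",
    "openid.identity": "http://alice.example.org/",
    "openid.return_to": "http://rp.example.com/finish",
}
IDP_ENDPOINT = "https://idp.example.net/openid"   # hypothetical IdP endpoint


def build_redirect(status, endpoint, message, carry):
    """What the RP sends back: a redirect status and a Location header.
    carry='query' puts the message in the URL; carry='none' sends a bare
    Location and relies on the user agent to replay the request body."""
    if carry == "query":
        sep = "&" if urlsplit(endpoint).query else "?"
        return status, endpoint + sep + urlencode(message)
    return status, endpoint


def follow_redirect(method, body, status, location, strict=False):
    """Model the user agent's next request as (method, url, body), or None
    when a strict agent must stop and confirm with the user, as RFC 2616
    requires before automatically redirecting a POST on 301/302."""
    if status in (301, 302):
        if method == "POST" and strict:
            return None
        # The lenient behaviour the RFC note warns about: switch to GET.
        return "GET", location, None
    if status == 303:
        return "GET", location, None          # defined to mean: GET the Location
    if status == 307:
        return method, location, body         # method and body are preserved
    raise ValueError("not a redirect status: %d" % status)


def received_at_endpoint(method, url, body):
    """Flatten what the redirect target actually receives: query parameters
    plus any form-encoded body (body values win on a name clash)."""
    seen = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if body:
        seen.update({k: v[0] for k, v in parse_qs(body).items()})
    return seen


def relay(status, carry, strict=False):
    """End to end: the agent POSTs the login form to the RP, the RP answers
    with a redirect, the agent follows it. Returns the parameters the IdP
    sees, or None if the agent stopped to ask the user."""
    st, location = build_redirect(status, IDP_ENDPOINT, OPENID_MESSAGE, carry)
    nxt = follow_redirect("POST", ORIGINAL_FORM_BODY, st, location, strict)
    return None if nxt is None else received_at_endpoint(*nxt)


if __name__ == "__main__":
    cases = [(302, "query", False), (302, "query", True), (303, "query", False),
             (307, "query", False), (307, "none", False)]
    for status, carry, strict in cases:
        print(status, carry, "strict" if strict else "lenient", "->",
              relay(status, carry, strict))
```

The 307 with carry='none' case is the one Johnny describes: the IdP gets the user's `openid_identifier` form field and nothing else. The 302 strict case is the other half of his objection, a conforming agent is allowed to stop and ask before re-issuing the request, which is why a 303 (always a GET of the Location, message in the query) is the predictable choice when the server wants to hand a message to its peer through the browser.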