IdP's Advertising Both http and https

Dick Hardt dick at sxip.com
Sun Nov 12 23:12:32 UTC 2006


On 9-Nov-06, at 7:45 AM, Rowan Kerr wrote:

> On Wed, 2006-11-08 at 00:42 -0800, Dick Hardt wrote:
>>> -----Original Message-----
>>> From: Recordon, David
>>>
>>> But the security warnings will still exist:
>>>  - RP redirects me to http on IdP
>>>  - IdP redirects me to https on IdP for login page (warning)
>>
>> no warning on GET redirects
>
> If GET is going to be an acceptable method for responses, the spec
> should be updated. Section 5.2.1. HTTP Redirect states:
>
> 	This method is deprecated as of OpenID Authentication version
> 	2.0 though is still required for implementation to aide in
> 	backwards compatibility.

To clarify, the GET redirect that I am referring to is one to
the same host.

We moved to a POST between RP and OP so that we could move more data.

-- Dick



