OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

John Kemp frumioj at mac.com
Thu Nov 16 19:35:16 UTC 2006 

Hi,

Sorry I'm just reading this, but I just wanted to put in a point very
much in favour of NOT deprecating support for HTTP redirects in OpenID 2.0.

I'll note that requiring the user to press a 'submit' button to "push"
seems like a dodgy UI strategy. So then you require JavaScript to
produce a reasonable user experience.

Well, as a representative from the mobile community, I'll tell you that
there are quite a few browsers out there (on deployed mobile phones)
that still don't support JS in any useful way!

So with OpenID 2.0, you may now be requiring many users to click a form
submit.

Regards,

- John

Johannes Ernst wrote:
> Well, as I've said before, I strongly believe that tying authentication
> to one particular HTTP verb is a bad idea, and unnecessary.
> 
> I also believe that involving JavaScript in what is fundamentally an
> HTTP-level kind of protocol is a hack. It very likely is either
> unnecessary or points to a flaw in the conceptual model of the protocol,
> or both.
> 
> The same may be true about having different protocols for thin-client
> and rich-client.
> 
> Having said that, I am not making this point more strongly than I have
> because I don't think these issues are fatal and I don't want to raise
> more issues that delay OpenID 2.0 auth further. So I will log this as a
> bug against auth 2.0 as soon as it is published (and as soon as there is
> a place where to file bugs against the spec ;-)) but will bite my tongue
> in the meantime.
> 
> 
> On Nov 12, 2006, at 20:29, Dick Hardt wrote:
> 
>>
>> On 12-Nov-06, at 8:19 PM, Adam Nelson wrote:
>>
>>> Hi Dick:
>>>
>>>> I think REST support is a really useful feature, and have described
>>>> how that might happen in the past, but right now we are pretty
>>>> focussed on getting browser based auth finalized, and I think the
>>>> mechanisms for rich clients will be related, but slightly different.
>>>
>>> That all makes sense, thanks.  Is that to say that rich client support
>>> isn't a goal of v2.0 of the spec, or just a goal subsequent to the
>>> conclusion of browser-based auth?
>>
>> Not a goal of OpenID Authentication 2.0
>>
>> I think it would make sense to make it a separate document, and would
>> value your involvement!
>>
>> -- Dick
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
> 
> 
> 
> Johannes Ernst
> NetMesh Inc.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> 
> ------------------------------------------------------------------------
> 
>  http://netmesh.info/jernst
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs

More information about the specs mailing list