OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

Dick Hardt dick at sxip.com
Sat Nov 18 22:03:16 UTC 2006


On 18-Nov-06, at 1:56 PM, John Kemp wrote:

>> It is mentioned that the two methods may be composed, but I still don't
>> see how the POST form submission can be automated (without JavaScript).
>> Have I missed that part?
>
> My point is that an implementation can offer BOTH profiles, and in cases
> where it's likely that the browser cannot do JS, it's possible for the
> RP to attempt one instead of another. Again, this is about being
> tolerant of different browsers.

The POST method meets all the requirements with a degradation in
user experience for browsers without JS.
If the user is running a browser without JS, then lots of other sites  
will not work well given the proliferation of JS in sites.
This also keeps it simple for the RP since it is not having to guess  
what the user agent can do.

We weighed all the options and moving to POST was the decision. I  
have not seen any new data that would lead me to change my position.

This thread was started around support for RESTful calls, which I  
agree is a good thing to support, will likely have similar message  
formats, but perhaps use HTTP headers.

-- Dick


