OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)
Dick Hardt
dick at sxip.com
Sat Nov 18 22:03:16 UTC 2006
On 18-Nov-06, at 1:56 PM, John Kemp wrote:
>> It is mentioned that the two methods may be composed, but I still
>> don't
>> see how the POST form submission can be automated (without
>> JavaScript).
>> Have I missed that part?
>
> My point is that an implementation can offer BOTH profiles, and in
> cases
> where it's likely that the browser cannot do JS, it's possible for the
> RP to attempt one instead of another. Again, this is about being
> tolerant of different browsers.
The POST methods meets all the requirements with a degradation in
user experience for browsers without JS.
If the user is running a browser without JS, then lots of other sites
will not work well given the proliferation of JS in sites.
This also keeps it simple for the RP since it is not having to guess
what the user agent can do.
We weighed all the options and moving to POST was the decision. I
have not seen any new data that would lead me to change my position.
This thread was started around support for RESTful calls, which I
agree is a good thing to support, will likely have similar message
formats, but perhaps use HTTP headers.
-- Dick
More information about the specs
mailing list