OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

Johannes Ernst jernst+apache.org at netmesh.us
Mon Nov 20 04:06:06 UTC 2006 

On Nov 19, 2006, at 14:02, Dick Hardt wrote:

> On 18-Nov-06, at 9:46 PM, Johannes Ernst wrote:
>
>> On Nov 18, 2006, at 15:34, John Kemp wrote:
>>
>>>> OpenID 1.1 did not have a large payload. We expect the payloads  
>>>> to be
>>>> much larger with OpenID 2.0.
>>>
>>> I guess the payload size will vary according to the RP and IdP
>>> implementations, no?
>>
>> Yes. And so far the only need for large payload sizes that I have  
>> seen relate to a still somewhat controversial spec that will only  
>> be implemented by less than 100% of all RPs and IdPs (how far less  
>> we can all guess).
>>
>> Making something that has much broader appeal (auth) substantially  
>> more restrictive because of the needs of another spec, that uses  
>> it, and that may not even be implemented by everybody, sounds like  
>> an architectural no-no to me. The obvious workaround: if that  
>> additional spec only works with one of the several alternatives  
>> supported by the auth spec, make the additional spec require to  
>> use that particular mode (POST) only when it is used.
>
> Controversy?  now you are just throwing mud!

Not my intention. Just stating the facts, as I see them. Feel free to  
disagree with my take on the facts. [but that's not actually what  
this thread is all about, so if you'd like to discuss this item,  
let's make this a separate thread.]

Also, feel free to disagree with my "architectural no-no". After all,  
maybe I'm wrong and you can show me how I'm wrong!

> The protocol is for more then authentication, and it is changing  
> state. Per W3C, a GET should not be changing state.

I am familiar with the HTTP verbs, and the fact that returning  
different results to different clients (e.g. those with a session  
cookie or not, or those who produce a valid credential) is a bit  
outside of the scope of (original) REST.

The question here, though, is inhowfar we do something genuinely new  
here, or it maps onto existing practice. I would argue that there  
should be a perfect architectural parallel between:
  - a plain HTTP GET request
  - the same HTTP GET request, with a Http AuthBasic credential
  - a plain HTTP PUT request (to pick an HTTP verb at random)
  - the same HTTP PUT request, with an Http AuthBasic credential
and, on the other hand
  - a plain HTTP GET request
  - the same HTTP GET request, with OpenID Auth parameters that  
authenticate the user for this request
  - a plain HTTP PUT request (to pick an HTTP verb at random)
  - the same HTTP PUT request, with OpenID Auth parameters that  
authenticate the user for this request

I don't see any parallel between
  - a plain HTTP GET request
  - the same HTTP GET request, with a Http AuthBasic credential
  - a plain HTTP PUT request (to pick an HTTP verb at random)
  - the same HTTP PUT request, with an Http AuthBasic credential
and, on the other hand
  - a plain HTTP GET request
  - the same HTTP GET request, put now using POST in the protocol,  
with OpenID Auth parameters that authenticate the user for this request
  - a plain HTTP PUT request (to pick an HTTP verb at random)
  - first, an HTTP POST request to authenticate, then to obtain a  
session cookie (which is outside of the scope of OpenID Auth in any  
case), and then, in a second step, to perform the same HTTP PUT  
request, showing the session cookie.

If the first of these two alternatives can be done -- which they can  
-- why would we pick the second one?

By the way, I would disagree with the notion that authentication in  
itself changes state at all.





Johannes Ernst
NetMesh Inc.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: openid-relying-party-authenticated.gif
Type: image/gif
Size: 903 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20061119/f84d25db/attachment-0004.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lid.gif
Type: image/gif
Size: 973 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20061119/f84d25db/attachment-0005.gif>
-------------- next part --------------
  http://netmesh.info/jernst

More information about the specs mailing list