OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)
Dick Hardt
dick at sxip.com
Mon Nov 20 06:46:12 UTC 2006
On 19-Nov-06, at 8:06 PM, Johannes Ernst wrote:
>> The protocol is for more than authentication, and it is changing
>> state. Per W3C, a GET should not be changing state.
> By the way, I would disagree with the notion that authentication in
> itself changes state at all.
Sure it is. At the end of the process, the RP is setting a cookie to
maintain the logged-in state, so the state of the browser session has
changed.