OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

[Dick Hardt]

On 19-Nov-06, at 8:06 PM, Johannes Ernst wrote:
>> The protocol is for more then authentication, and it is changing  
>> state. Per W3C, a GET should not be changing state.
> By the way, I would disagree with the notion that authentication in  
> itself changes state at all.

Sure it is. At the end of the process, the RP is setting a cookie to  
maintain the logged in state, so the state of the browser session has  
changed.