OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

Dick Hardt dick at sxip.com
Mon Nov 20 21:05:12 UTC 2006


On 20-Nov-06, at 12:18 PM, Recordon, David wrote:

> Guessing I was a bit unclear here...
>
> What I meant to say was that the spec as it stands today only allows the
> use of POST and deprecates the use of GET and 302 redirects.  It seems
> that what you're saying is by using GET we're going against a
> recommendation by the W3C.  The point I was trying to make was that even
> if using GET is against their recommendation, it is deployed today and
> working quite well.
>
> My preference, from a technical perspective, is changing 2.0 back to
> using GET like 1.1 and then defining the mechanism that an IdP can
> signal to the RP that there is more data for it to fetch.

Yuck. We are *so* close to having this wrapped and you want to add  
something new?!?

Using POST works fine as well. We used it in SXIP. Some of the SAML  
profiles use it. Google uses it in their new SSO API.

We are supporting both now. How about we state that either may be
used, and clearly they SHOULD use POST if there is more than 2K of
data. This seems to be the most straightforward solution.






