OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)
Johannes Ernst
jernst+openid.net at netmesh.us
Tue Nov 21 05:28:34 UTC 2006
On Nov 20, 2006, at 20:13, Dick Hardt wrote:
> On 20-Nov-06, at 11:57 AM, Johannes Ernst wrote:
>> With OpenID 1.x, we can pre-assemble an HTTP GET request that
>> allows to access a protected resource, completely out of the blue
>> in a single round-trip. Just like HTTP BasicAuth (i.e. I don't
>> need to have a session cookie first). We can apply the exact same
>> approach to all other HTTP verbs.
>
> I don't understand how you can do it in a single round trip. There
> is the call to the RP (1) that redirects to the OP (2) which
> redirects to the RP (3) to get the final result, where a cookie is
> usually set by the web app. Subsequent calls then just send the
> cookie.

You don't do call (1) but start from a point (e.g. the OP) directly.
I'm not saying that's the typical scenario, but it does happen.

Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst