[PROPOSAL] bare response / bare request
Drummond Reed
drummond.reed at cordance.net
Fri Oct 6 23:34:56 UTC 2006
Let me play the dumb customer here and say:
* A whole lot of real-world users would love OpenID-enabled bookmarks.
* A whole lot of websites would love to offer them.
* A whole lot of IdPs would love to provide them.
Translation: it would be really good for adoption.
So if there's a way to design the protocol so that we can have
OpenID-enabled bookmarks, let's choose that way unless everything else
really breaks.
=Drummond (playing OpenID marketer too)
-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
Of Recordon, David
Sent: Friday, October 06, 2006 4:12 PM
To: Kevin Turner; specs at openid.net
Subject: RE: [PROPOSAL] bare response / bare request
Well that is something that if the spec dictates where to place/format a
request nonce, an IdP could recognize and remove it. I do agree though
that it is getting close to having too many implications.
--David
-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of Kevin Turner
Sent: Friday, October 06, 2006 3:25 PM
To: specs at openid.net
Subject: Re: [PROPOSAL] bare response / bare request
On Tue, 2006-10-03 at 19:42 -0700, Dick Hardt wrote:
> On 2-Oct-06, at 12:34 PM, Kevin Turner wrote:
> > On Sat, 2006-09-30 at 20:09 -0400, Dick Hardt wrote:
> >> Motivating Use Case
> >> ----------------------------
> >> The IdP would like to allow the user to click a link on the IdP to
> >> login to an RP. This requires a bare response to be able to be sent.
> >
> > How will RPs that customarily use a request nonce treat this?
>
> There will not be a request nonce -- could have the IdP say "none"
Implications of this:
1) RPs must always accept messages without a request nonce.
2) RPs must always accept messages at the same return_to URL.
which also means
3) RPs must never put nonces (or other tokens that will become invalid)
in the return_to, because if they did the IdP would not recognize it as
a nonce and remove it.
Are these things all okay? I'm not sure if they really break stuff, but
that puts a lot more restrictions on the return_to than I really feel
comfortable with. And quite possibly takes a lot of the utility out of
request nonces.
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
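The three implications listed in Kevin Turner's message, modelled as an added example that is not part of the original thread and not taken from any OpenID library. The `RelyingParty` class, the `rp_nonce` parameter name and the `rp.example` URL are assumptions made for illustration, and signature verification of the response is left out so that only the nonce bookkeeping is visible.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

RETURN_TO = "https://rp.example/openid/return"  # constructed sample URL


class RelyingParty:
    """Hypothetical RP that keeps its request nonce in the return_to query."""

    def __init__(self, accept_bare):
        self.accept_bare = accept_bare  # implication 1: allow nonce-less messages
        self.outstanding = set()        # nonces issued and not yet consumed

    def begin_login(self):
        """Start an RP-initiated login; returns the return_to sent to the IdP."""
        nonce = secrets.token_urlsafe(16)
        self.outstanding.add(nonce)
        return RETURN_TO + "?" + urlencode({"rp_nonce": nonce})

    def handle_response(self, return_to):
        """Check only the nonce bookkeeping; returns (accepted, reason)."""
        url = urlparse(return_to)
        if f"{url.scheme}://{url.netloc}{url.path}" != RETURN_TO:
            return False, "unexpected return_to"  # implication 2: one fixed URL
        nonce = parse_qs(url.query).get("rp_nonce", [None])[0]
        if nonce is None:
            if self.accept_bare:
                return True, "bare response, not bound to any request"
            return False, "missing request nonce"
        if nonce not in self.outstanding:
            return False, "unknown or already used request nonce"
        self.outstanding.discard(nonce)
        return True, "solicited response"


def demo():
    strict, lenient = RelyingParty(accept_bare=False), RelyingParty(accept_bare=True)
    solicited = lenient.begin_login()
    return {
        "strict_bare": strict.handle_response(RETURN_TO),
        "lenient_bare": lenient.handle_response(RETURN_TO),
        "first_use": lenient.handle_response(solicited),
        # Implication 3: a bookmarked return_to that embeds a nonce goes stale.
        "bookmark_reuse": lenient.handle_response(solicited),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With `accept_bare` enabled, a message that carries no nonce is accepted on its own, so the request nonce only constrains responses that still include it.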