[PROPOSAL] request nonce and name

Marius Scurtescu marius at sxip.com
Fri Oct 13 00:00:38 UTC 2006


On 12-Oct-06, at 12:10 PM, Recordon, David wrote:
> We thus believe that any state tracking needed by a stateless RP  
> must be maintained as GET parameters within the return_to  
> argument.  In the case of a stateful RP, it can either do the same  
> thing, or store state via other means such as using a session id  
> within a cookie to reference database data.

So basically the query string of the return_to parameter is used to
implement pass through parameters.

Why not require that unknown parameters be passed through? This way  
the return_url is clean and it can be persisted (for bookmarking for  
example) and there are no size limitations.

If passing through all unrecognized parameters can cause problems  
then there could be a special namespace for this purpose. For  
example, all parameters with names starting with openid.pass. should  
be ignored by the IdP and passed back to the RP.

Marius
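
The two ways of carrying RP state discussed in this message, as an added example that is not part of the original post or of any OpenID library. The `openid.pass.` prefix is the namespace proposed above and is not part of a published spec; the function names, the `rp.example` URL and the sample state are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

PASS_PREFIX = "openid.pass."  # namespace proposed in the message (assumption, not a spec)

def _append(url, params):
    """Append params to url, respecting an existing query string."""
    sep = "&" if urlsplit(url).query else "?"
    return url + sep + urlencode(params)

def rp_request_via_return_to(return_to, state):
    """Quoted approach: RP state rides in the return_to query string."""
    return {"openid.mode": "checkid_setup",
            "openid.return_to": _append(return_to, state)}

def rp_request_via_pass(return_to, state):
    """Proposed approach: return_to stays clean, state goes in openid.pass.*."""
    req = {"openid.mode": "checkid_setup", "openid.return_to": return_to}
    req.update({PASS_PREFIX + k: v for k, v in state.items()})
    return req

def idp_response_url(request):
    """Hypothetical IdP: does not interpret openid.pass.* but echoes it back."""
    resp = {"openid.mode": "id_res"}
    resp.update({k: v for k, v in request.items() if k.startswith(PASS_PREFIX)})
    return _append(request["openid.return_to"], resp)

def rp_recover_state(url):
    """RP side: read state from openid.pass.* or from plain return_to parameters."""
    state = {}
    for k, v in parse_qsl(urlsplit(url).query):
        if k.startswith(PASS_PREFIX):
            state[k[len(PASS_PREFIX):]] = v
        elif not k.startswith("openid."):
            state[k] = v
    return state

if __name__ == "__main__":
    rt = "https://rp.example/openid/return"     # constructed sample values
    st = {"sid": "abc123", "next": "/inbox"}
    for build in (rp_request_via_return_to, rp_request_via_pass):
        url = idp_response_url(build(rt, st))
        print(build.__name__, url, rp_recover_state(url), sep="\n  ")
```

Both variants hand the same state back to the RP; in either form the values return through the user's browser, so the RP should treat them as untrusted input.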



