[PROPOSAL] request nonce and name

Martin Atkins mart at degeneration.co.uk
Fri Oct 13 07:10:48 UTC 2006


Marius Scurtescu wrote:
> On 12-Oct-06, at 5:07 PM, Josh Hoyt wrote:
> 
>> On 10/12/06, Marius Scurtescu <marius at sxip.com> wrote:
>>> If passing through all unrecognized parameters can cause problems
>>> then there could be a special namespace for this purpose. For
>>> example, all parameters with names starting with openid.pass. should
>>> be ignored by the IdP and passed back to the RP.
>> Yahoo Browser-based authentication [1] has a single parameter called
>> "appdata" (that you can find in [2]) that is used for this purpose.
>> This seems general enough to me.
> 
> True, even one single pass through parameter should do.

This causes the minor inconvenience that the RP will probably now have 
to implement its own parsing, rather than using the framework's 
pre-supplied functions for dealing with urlencoded query strings.

Not a major deal, but I'd guess that this is where the idea to use 
return_to args came from in the first place.
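The trade-off discussed in this message, sketched as an added example that is not part of the original post or of any OpenID library: RP state carried as ordinary return_to query args versus packed into one pass-through parameter. The URL, the state keys, the helper names and the urlencoded inner format are assumptions; "appdata" is the parameter name quoted above.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs, parse_qsl

# Constructed sample values (assumptions, not taken from any specification).
RETURN_TO = "https://rp.example/openid/return"
STATE = {"sid": "a1b2", "next": "/inbox?folder=new&page=2"}


def return_to_with_args(return_to, state):
    """Option 1: carry RP state as ordinary query args on return_to."""
    parts = urlsplit(return_to)
    query = parse_qsl(parts.query) + list(state.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def state_from_return_to(request_url, keys):
    """One pass of the stock query-string parser yields the state directly."""
    args = parse_qs(urlsplit(request_url).query)
    return {k: args[k][0] for k in keys if k in args}


def pack_appdata(state):
    """Option 2: pack all state into one opaque pass-through value.
    The inner encoding (urlencoded here) is the RP's own choice."""
    return urlencode(state)


def state_from_appdata(request_url, param="appdata"):
    """The stock parser only yields one string; the RP needs a second,
    RP-specific decoding pass to recover the individual fields."""
    args = parse_qs(urlsplit(request_url).query)
    blob = args.get(param, [""])[0]
    # strict_parsing rejects a malformed blob instead of silently skipping it;
    # the value travels through the user agent, so treat it as untrusted input.
    return dict(parse_qsl(blob, strict_parsing=True)) if blob else {}


def simulate_idp_redirect(return_to, extra):
    """Hypothetical stand-in for the IdP appending response parameters."""
    sep = "&" if urlsplit(return_to).query else "?"
    return return_to + sep + urlencode(extra)
```
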




