Backwards compatibility

Johannes Ernst jernst+openid.net at netmesh.us
Mon Sep 25 17:07:27 UTC 2006 

On Sep 25, 2006, at 2:20, Dick Hardt wrote:

> On 21-Sep-06, at 11:15 PM, Johannes Ernst wrote:
>
>> Just one specific question:
>>
>> On Sep 21, 2006, at 17:22, Dick Hardt wrote:
>>
>>> Also, I thought OpenID 2.0 was moving to POST instead of GET, so  
>>> that
>>> will likely cause some incompatibilities.
>>
>> I heard this before somewhere, but so far I could not discern the  
>> reasoning for it, nor who actually proposes (and agrees with) it.  
>> Could you enlighten me?
>>
>> So far, I think it would be a very bad idea if OpenID only worked  
>> in the context of one of the HTTP REST verbs (of which there are  
>> 4, or more if you count WebDAV and other HTTP verbs such as  
>> OPTIONS). Admittedly, the OpenID spec so far only talked about  
>> GET, but there was nothing to prevent to use it with POST, PUT or  
>> DELETE as well. Or any other verbs in HTTP extensions such as WebDAV.
>>
>> Is there a proposal on the table to restrict OpenID to be only  
>> usable for POST? And if so, what would be the rationale? In the  
>> times of AJAX and rich client apps, I think if anything, we should  
>> be extending OpenID to cover more verbs, not fewer?
>>
>> Confused, as usual ;-)
>
> This was discussed in one of the meetings at VeriSign. Joaquin was  
> there, but you were not.
>
> GET of course limits the amount of data that can be transported.  
> POST does not have the same payload size constraints. This is  
> needed to do attribute exchange as the payloads could get quite  
> large. Switching to POST allows the RP and IdP to encode  
> information as parameters in the URL and avoid conflicts with  
> protocol parameters. Using one verb simplifies development as no  
> logic is needed to decide if GET or POST is to be used.
>
> I am not sure what advantage there is to using other verbs. Would  
> you elaborate on the advantages?

I'm not sure I understand this question. Are you asking why standard  
HTTP has verbs other than POST? Or why things WebDav increased the  
list further?

I do understand that for the purposes of conveying identity  
information from one place to another, an appropriate HTTP verb  
should be used (e.g. POST). I don't understand why we should make it  
hard (impossible?) to use OpenID authentication with verbs other than  
POST.


Johannes Ernst
NetMesh Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: lid.gif
Type: image/gif
Size: 973 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20060925/7b8f3818/attachment-0002.gif>
-------------- next part --------------
  http://netmesh.info/jernst

More information about the specs mailing list