Backwards compatibility
Dick Hardt
dick at sxip.com
Mon Sep 25 18:05:38 UTC 2006
On 25-Sep-06, at 10:59 AM, Johannes Ernst wrote:
>
>>> I don't understand why we should make it hard (impossible?) to
>>> use OpenID authentication with verbs other than POST.
>>
>> How would you propose OpenID use the other verbs?
>
> If there a mechanism to authenticate an HTTP GET request (as OpenID
> 1.1 provides, of course), use the exact same mechanism to
> authenticate any other verb. The authentication mechanism does not
> depend on which verb it is at all, and in my view, we should not
> introduce a dependency (auth on GET, or POST, or any other verb)
> where none is needed.
OpenID authentication is currently the application layer, not the
protocol layer.
I agree that at some point when supporting HTTP Auth, then it would
make sense to support all verbs.
Right now, we are talking about how the request and response get sent
around, which makes sense to use POST.
-- Dick
More information about the specs
mailing list