Backwards compatibility

Dick Hardt dick at sxip.com
Mon Sep 25 18:05:38 UTC 2006


On 25-Sep-06, at 10:59 AM, Johannes Ernst wrote:

>
>>>  I don't understand why we should make it hard (impossible?) to  
>>> use OpenID authentication with verbs other than POST.
>>
>> How would you propose OpenID use the other verbs?
>
> If there is a mechanism to authenticate an HTTP GET request (as OpenID  
> 1.1 provides, of course), use the exact same mechanism to  
> authenticate any other verb. The authentication mechanism does not  
> depend on which verb it is at all, and in my view, we should not  
> introduce a dependency (auth on GET, or POST, or any other verb)  
> where none is needed.

OpenID authentication is currently the application layer, not the  
protocol layer.

I agree that at some point when supporting HTTP Auth, then it would  
make sense to support all verbs.

Right now, we are talking about how the request and response get sent  
around, which makes sense to use POST.

-- Dick


