Problem with nonces and HTTP GET
John Bradley
john.bradley at wingaa.com
Thu Jan 28 00:20:54 UTC 2010
Andrew,
I think the direction of other people on the thread is to get rid of POST in the indirect response.
POST in the direct communication will remain.
Personally I think POST can work perfectly well. We are just not willing to make the changes to do it.
Nat wants artifact for a bunch of reasons.
I think that road is a GET response containing the artifact. Now, if the nonce is in the POST response to the artifact query, would that solve the nonce problem?
John B.
On 2010-01-27, at 9:12 PM, Breno de Medeiros wrote:
> Hi Andrew,
>
> You raised two issues:
>
> 1. Nonce verification and its implications.
>
> 2. Using POST vs. GET as a philosophical issue of authentication protocols.
>
> I think because of several reasons having to do with latency, user
> experience, HTTP/HTTPS boundary warnings, robustness, there will be a
> lot of reluctance to move from GET to POST, so while you make a valid
> philosophical argument, GET will remain the prevailing mechanism for
> entirely practical reasons.
>
> So, I propose you reboot this discussion by starting another thread on
> the nonce verification problem (assuming GET is the used protocol).
>
>> Even with artifact binding moving the nonce outside the browser redirect
>> URL, if only one GET is allowed because the artifact is a usable-once-only
>> token, then it's not a GET--it's a POST by HTTP definition.
>
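To make the artifact idea discussed above concrete, here is an added illustration (not code from this thread or from any OpenID implementation): the browser redirect carries only an opaque artifact, the RP resolves it over a direct back-channel request, and the OP releases the signed response with its nonce exactly once, which is the single-use behaviour Andrew points out. The class names, the shared HMAC key standing in for an association, and the message format are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time


class Provider:
    """Assumed OP side: mints single-use artifacts and resolves each one once."""

    def __init__(self, assoc_key: bytes, ttl_seconds: int = 60):
        self._key = assoc_key
        self._ttl = ttl_seconds
        self._pending = {}  # artifact -> (expiry, response fields)

    def issue_artifact(self, claimed_id: str) -> str:
        # The artifact is all that travels in the browser GET; the nonce stays here.
        artifact = secrets.token_urlsafe(16)
        nonce = f"{int(time.time())}-{secrets.token_hex(8)}"
        self._pending[artifact] = (time.time() + self._ttl, {"claimed_id": claimed_id, "nonce": nonce})
        return artifact

    def resolve(self, artifact: str):
        # pop() makes the artifact usable once: a second query for it gets nothing.
        entry = self._pending.pop(artifact, None)
        if entry is None or entry[0] < time.time():
            return None
        fields = dict(entry[1])
        msg = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
        fields["sig"] = hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()
        return fields


class RelyingParty:
    """Assumed RP side: resolves the artifact, checks the signature and the nonce."""

    def __init__(self, op: Provider, assoc_key: bytes):
        self._op, self._key, self._seen_nonces = op, assoc_key, set()

    def handle_redirect(self, artifact: str) -> str:
        fields = self._op.resolve(artifact)  # direct (non-browser) request to the OP
        if fields is None:
            return "rejected: unknown, expired or already used artifact"
        sig = fields.pop("sig")
        msg = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
        expected = hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "rejected: bad signature"
        if fields["nonce"] in self._seen_nonces:  # belt-and-braces replay check at the RP
            return "rejected: replayed nonce"
        self._seen_nonces.add(fields["nonce"])
        return f"accepted: {fields['claimed_id']}"
```

Resolving the same artifact twice fails at the OP before the RP's own nonce check is even reached, which is exactly why the redirect GET is no longer idempotent.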