[OpenID] AX implementations

Allen Tom atom at yahoo-inc.com
Mon Sep 28 17:52:54 UTC 2009


Shane B Weeden wrote:
>
> Mostly agree, although implementations may just switch to POST per the spec
> when messages get long, and this seems to work ok for me.
Returning responses via POST doesn't work as well as GET in many cases. 
The biggest issue is that many browsers (IE/Firefox) will display a very 
ugly security warning if the RP's return_to URL does not support HTTPS. 
This warning is displayed if the OP returns the response using a 
self-submitting form that's served over HTTPS. Many browsers display a 
security warning when a form that's served using HTTPS is submitted to HTTP.

Other problems with using POST are that JS has to be enabled, and an 
intermediate "blank white page" is usually returned to submit the form.


>  What I wanted to
> see (and previously posted about with little support) was this change to
> the SREG 1.1 draft spec to allow SREG to be extensible. In section 4
> change:
>
> A single field MUST NOT be repeated in the response, and all included
> fields MUST be taken from the set of fields defined in this specification.
> to:
> A single field MUST NOT be repeated in the response.
>
> Then SREG is "legally" extensible and lighter weight and easier to use, etc.
>
This is a pretty good idea, and should satisfy most use cases. The only 
problem is standardizing on the attribute names.

Allen
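As an added illustration of the GET-versus-POST choice discussed above (example code written for this archive page, not from the thread, the OpenID spec text, or any OpenID library): an OP builds the same positive assertion either as a GET redirect or as a self-submitting POST form, switches to POST once the URL grows past an assumed 2048-byte threshold, and flags the case where an HTTPS-served form would submit to an http return_to, which is what triggers the browser warning. The sample response fields are constructed; the field names follow OpenID 2.0 and SREG 1.1 but the values are made up.

```python
"""Added example: OpenID indirect response delivery via GET redirect vs.
self-submitting POST form. Not part of the original mailing-list post.
"""
from html import escape
from urllib.parse import urlencode, urlsplit

# Assumed threshold for switching from a GET redirect to a POST form.
# The real limit depends on the user agent and any intermediaries.
MAX_GET_URL_LENGTH = 2048

# Constructed sample of an OpenID 2.0 positive assertion carrying an
# SREG email field. Values are made up for the example.
SAMPLE_FIELDS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/user/alice",
    "openid.identity": "https://op.example/user/alice",
    "openid.return_to": "http://rp.example/finish",
    "openid.response_nonce": "2009-09-28T17:52:54ZABCDEF",
    "openid.assoc_handle": "handle-123",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.sreg,sreg.email",
    "openid.sig": "c2lnbmF0dXJlLWJ5dGVz",
    "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
    "openid.sreg.email": "alice@example.org",
}


def get_redirect_url(return_to, fields):
    """Append the response fields to return_to as a query string,
    keeping any query the RP already placed on its return_to."""
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode(fields)


def post_form_html(return_to, fields):
    """Render the self-submitting form an OP serves for the POST path.
    The <noscript> button is the fallback when JavaScript is disabled,
    one of the drawbacks of POST delivery noted in the thread."""
    inputs = "\n".join(
        '  <input type="hidden" name="%s" value="%s">'
        % (escape(k, quote=True), escape(v, quote=True))
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        '<form method="post" action="%s">\n' % escape(return_to, quote=True)
        + inputs + "\n"
        '  <noscript><input type="submit" value="Continue"></noscript>\n'
        "</form></body></html>"
    )


def mixed_scheme_warning(op_page_scheme, return_to):
    """True when the OP serves the form over https but return_to is http.
    Browsers warn when an https page submits a form to an http URL; that is
    the 'ugly security warning' the post describes."""
    return op_page_scheme == "https" and urlsplit(return_to).scheme == "http"


def build_response(return_to, fields, op_page_scheme="https"):
    """Return (method, payload, warns): GET while the redirect URL fits the
    assumed limit, otherwise a POST form plus whether it will trip the
    mixed-scheme warning."""
    url = get_redirect_url(return_to, fields)
    if len(url) <= MAX_GET_URL_LENGTH:
        return "GET", url, False
    form = post_form_html(return_to, fields)
    return "POST", form, mixed_scheme_warning(op_page_scheme, return_to)


if __name__ == "__main__":
    method, payload, warns = build_response("http://rp.example/finish", SAMPLE_FIELDS)
    print(method, len(payload), "warns" if warns else "no warning")
    # A large AX-style payload pushes the same assertion onto the POST path.
    big = dict(SAMPLE_FIELDS, **{"openid.ax.value.bio": "x" * 3000})
    method, payload, warns = build_response("http://rp.example/finish", big)
    print(method, "warns" if warns else "no warning")
```

Note that the mixed-scheme warning only appears on the POST path: a GET redirect from an https OP to an http return_to draws no browser prompt, which is the asymmetry the post is pointing out. Whether the OP should ever send an assertion to an http return_to at all is a separate question the thread does not take up.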
