OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)
Dick Hardt
dick at sxip.com
Mon Nov 13 01:30:55 UTC 2006
Hi Adam
The switch from GET to POST was made so that we were not constrained
by the URL parameter payload limit.
As you point out, HTTP headers can be used for moving messages as
well, but there was no clear mechanism to do that without modifying
all the widely available browsers.
I think REST support is a really useful feature, and have described
how that might happen in the past, but right now we are pretty
focussed on getting browser based auth finalized, and I think the
mechanisms for rich clients will be related, but slightly different.
-- Dick
On 12-Nov-06, at 5:24 PM, Adam Nelson wrote:
> I've been tracking OpenID auth from 1.0 with great interest. Last
> summer Johannes Ernst explained to me how it was that one might use
> openid to authenticate a non-interactive user agent such as a REST API
> consumer by intercepting the RP's redirect and providing the info from
> the IdP itself. Given OpenID's design goals (decentralized,
> lightweight, flexible identity management), and its seemingly
> inevitable adoption into the mashup-minded web 2.0 ecosystem (God help
> me I'm buzzwording!), it seems to me that OpenID's value is
> significantly enhanced if the identities it enables can be used to
> authenticate to SOAP and REST APIs as well as interactive web sites.
>
> Having said that, I was surprised to note in draft 10 of OpenID Auth
> 2.0 that the HTTP redirect method of communication between the RP and
> the IdP is deprecated in favor of an HTML forms-based approach. This
> suggests to me that OpenID Auth 2.0 is not compatible with REST or
> SOAP or any other binding that doesn't involve the exchange, parsing,
> and submission of HTML forms.
>
> I'm curious why this decision was made, and if its implications have
> been fully considered. Has there been any thought given to an
> alternative means of authentication, perhaps via custom HTTP headers
> or some other non-HTML means? If not, does this mean OpenID is not
> intended to support authentication to programmatic APIs?
>
> Thanks,
> Adam
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>
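The two carriers the thread is arguing about, as an added illustration that is not part of either message, the OpenID specification text, or any OpenID library: an OpenID 2.0 indirect message (the `openid.*` key/value set) is handed to the user agent either as a GET redirect, with the fields in the query string, or as an HTML form that the browser auto-submits by POST. The sketch below encodes the same request both ways, falls back to the form when the redirect URL would exceed a length cap, and shows what a non-browser client (Adam's REST consumer) has to do to recover the message from either carrier instead of letting a browser deliver it. The OP endpoint, the 2048-byte cap, the `openid.ext1.blob` padding field and the sample request are all constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
ENDPOINT = "https://idp.example/openid/auth"   # assumed OP endpoint (constructed)
URL_LIMIT = 2048   # assumed GET URL cap; real limits vary by browser and server

# Constructed checkid_setup request from a hypothetical RP to the OP above.
SAMPLE_REQUEST = {
    "openid.ns": OPENID_NS,
    "openid.mode": "checkid_setup",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.return_to": "https://rp.example/finish?sid=7",
    "openid.realm": "https://rp.example/",
}


def to_get_redirect(endpoint, fields):
    """Indirect message as a 302 Location: the fields ride in the query string."""
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + urlencode(fields)


def to_post_form(endpoint, fields):
    """Indirect message as an HTML form the browser auto-submits with POST."""
    inputs = "\n".join(
        f'<input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}"/>'
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{escape(endpoint, quote=True)}">\n'
        f"{inputs}\n</form></body></html>"
    )


def choose_carrier(endpoint, fields, limit=URL_LIMIT):
    """Use the redirect while it fits; switch to the form POST once the URL is too long."""
    url = to_get_redirect(endpoint, fields)
    if len(url) <= limit:
        return "GET", url
    return "POST", to_post_form(endpoint, fields)


class _HiddenFormParser(HTMLParser):
    """Collects the first form's action and its hidden inputs (what a browser would submit)."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_message(carrier, payload):
    """Non-browser client: recover (destination, openid.* fields) from either carrier."""
    if carrier == "GET":
        parts = urlsplit(payload)
        destination = f"{parts.scheme}://{parts.netloc}{parts.path}"
        fields = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    elif carrier == "POST":
        p = _HiddenFormParser()
        p.feed(payload)
        destination, fields = p.action, p.fields
    else:
        raise ValueError(f"unknown carrier {carrier!r}")
    # Only openid.* keys are the message. A client must still check that
    # `destination` is the OP endpoint it discovered, not whatever the page says.
    return destination, {k: v for k, v in fields.items() if k.startswith("openid.")}


if __name__ == "__main__":
    padded = dict(SAMPLE_REQUEST, **{"openid.ext1.blob": "x" * 3000})
    for msg in (SAMPLE_REQUEST, padded):
        carrier, payload = choose_carrier(ENDPOINT, msg)
        dest, recovered = extract_message(carrier, payload)
        print(carrier, len(payload), dest, recovered == msg)
```

The point for a programmatic client is that the carrier is incidental: whether the RP hands back a `Location` header or an auto-submitting form, the message is the same `openid.*` dictionary, so a client that parses both never needs a browser. The check that the extracted destination equals the endpoint found during discovery is the part a real client must not skip, since the RP page is untrusted input at that step.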