OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

Dick Hardt dick at sxip.com
Fri Nov 17 05:56:50 UTC 2006 

Hi John

Would you provide examples of those browsers? Testing we did 2 years  
again indicated the JS redirect worked on all the platforms we tested  
on.

-- Dick

On 16-Nov-06, at 11:35 AM, John Kemp wrote:

> Hi,
>
> Sorry I'm just reading this, but I just wanted to put in a point very
> much in favour of NOT deprecating support for HTTP redirects in  
> OpenID 2.0.
>
> I'll note that requiring the user to press a 'submit' button to "push"
> seems like a dodgy UI strategy. So then you require JavaScript to
> produce a reasonable user experience.
>
> Well, as a representative from the mobile community, I'll tell you  
> that
> there are quite a few browsers out there (on deployed mobile phones)
> that still don't support JS in any useful way!
>
> So with OpenID 2.0, you may now be requiring many users to click a  
> form
> submit.
>
> Regards,
>
> - John
>
> Johannes Ernst wrote:
>> Well, as I've said before, I strongly believe that tying  
>> authentication
>> to one particular HTTP verb is a bad idea, and unnecessary.
>>
>> I also believe that involving JavaScript in what is fundamentally an
>> HTTP-level kind of protocol is a hack. It very likely is either
>> unnecessary or points to a flaw in the conceptual model of the  
>> protocol,
>> or both.
>>
>> The same may be true about having different protocols for thin-client
>> and rich-client.
>>
>> Having said that, I am not making this point more strongly than I  
>> have
>> because I don't think these issues are fatal and I don't want to  
>> raise
>> more issues that delay OpenID 2.0 auth further. So I will log this  
>> as a
>> bug against auth 2.0 as soon as it is published (and as soon as  
>> there is
>> a place where to file bugs against the spec ;-)) but will bite my  
>> tongue
>> in the meantime.
>>
>>
>> On Nov 12, 2006, at 20:29, Dick Hardt wrote:
>>
>>>
>>> On 12-Nov-06, at 8:19 PM, Adam Nelson wrote:
>>>
>>>> Hi Dick:
>>>>
>>>>> I think REST support is a really useful feature, and have  
>>>>> described
>>>>> how that might happen in the past, but right now we are pretty
>>>>> focussed on getting browser based auth finalized, and I think the
>>>>> mechanisms for rich clients will be related, but slightly  
>>>>> different.
>>>>
>>>> That all makes sense, thanks.  Is that to say that rich client  
>>>> support
>>>> isn't a goal of v2.0 of the spec, or just a goal subsequent to the
>>>> conclusion of browser-based auth?
>>>
>>> Not a goal of OpenID Authentication 2.0
>>>
>>> I think it would make sense to make it a separate document, and  
>>> would
>>> value your involvement!
>>>
>>> -- Dick
>>> _______________________________________________
>>> specs mailing list
>>> specs at openid.net
>>> http://openid.net/mailman/listinfo/specs
>>
>>
>>
>> Johannes Ernst
>> NetMesh Inc.
>>
>>
>>
>> --------------------------------------------------------------------- 
>> ---
>>
>>
>> --------------------------------------------------------------------- 
>> ---
>>
>>  http://netmesh.info/jernst
>>
>>
>> --------------------------------------------------------------------- 
>> ---
>>
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>

More information about the specs mailing list