OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)

John Kemp frumioj at mac.com
Fri Nov 17 06:17:13 UTC 2006


Hi Dick,

My point is that I don't think requiring JS for a reasonable user
experience is a good idea when considering the variety of browsers that
are deployed today, and I don't understand why it's necessary.

I am interested to know why one would decide to restrict the protocol
this way. Can you perhaps illuminate the reasoning?

Cheers,

- John

Dick Hardt wrote:
> Hi John
> 
> Would you provide examples of those browsers? Testing we did 2 years
> ago indicated the JS redirect worked on all the platforms we tested on.
> 
> -- Dick
> 
> On 16-Nov-06, at 11:35 AM, John Kemp wrote:
> 
>> Hi,
>>
>> Sorry I'm just reading this, but I just wanted to put in a point very
>> much in favour of NOT deprecating support for HTTP redirects in OpenID
>> 2.0.
>>
>> I'll note that requiring the user to press a 'submit' button to "push"
>> seems like a dodgy UI strategy. So then you require JavaScript to
>> produce a reasonable user experience.
>>
>> Well, as a representative from the mobile community, I'll tell you that
>> there are quite a few browsers out there (on deployed mobile phones)
>> that still don't support JS in any useful way!
>>
>> So with OpenID 2.0, you may now be requiring many users to click a form
>> submit.
>>
>> Regards,
>>
>> - John
>>
>> Johannes Ernst wrote:
>>> Well, as I've said before, I strongly believe that tying authentication
>>> to one particular HTTP verb is a bad idea, and unnecessary.
>>>
>>> I also believe that involving JavaScript in what is fundamentally an
>>> HTTP-level kind of protocol is a hack. It very likely is either
>>> unnecessary or points to a flaw in the conceptual model of the protocol,
>>> or both.
>>>
>>> The same may be true about having different protocols for thin-client
>>> and rich-client.
>>>
>>> Having said that, I am not making this point more strongly than I have
>>> because I don't think these issues are fatal and I don't want to raise
>>> more issues that delay OpenID 2.0 auth further. So I will log this as a
>>> bug against auth 2.0 as soon as it is published (and as soon as there is
>>> a place where to file bugs against the spec ;-)) but will bite my tongue
>>> in the meantime.
>>>
>>>
>>> On Nov 12, 2006, at 20:29, Dick Hardt wrote:
>>>
>>>>
>>>> On 12-Nov-06, at 8:19 PM, Adam Nelson wrote:
>>>>
>>>>> Hi Dick:
>>>>>
>>>>>> I think REST support is a really useful feature, and have described
>>>>>> how that might happen in the past, but right now we are pretty
>>>>>> focussed on getting browser based auth finalized, and I think the
>>>>>> mechanisms for rich clients will be related, but slightly different.
>>>>>
>>>>> That all makes sense, thanks.  Is that to say that rich client support
>>>>> isn't a goal of v2.0 of the spec, or just a goal subsequent to the
>>>>> conclusion of browser-based auth?
>>>>
>>>> Not a goal of OpenID Authentication 2.0
>>>>
>>>> I think it would make sense to make it a separate document, and would
>>>> value your involvement!
>>>>
>>>> -- Dick
>>>> _______________________________________________
>>>> specs mailing list
>>>> specs at openid.net
>>>> http://openid.net/mailman/listinfo/specs
>>>
>>>
>>>
>>> Johannes Ernst
>>> NetMesh Inc.
>>>
>>>
>>>
>>>  http://netmesh.info/jernst
>>
> 
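
The two browser transports debated in this thread, sketched side by side as an added example (not code from the posters or from the OpenID specification): an HTTP 302 redirect carrying the message in the query string, and an HTML form that auto-submits with JavaScript but still offers a plain submit button inside `<noscript>` for browsers without usable JS. The function names, the `MAX_URL_LEN` threshold and the sample hosts are assumptions.

```python
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAX_URL_LEN = 2048  # assumed conservative limit; not a value from the thread


def redirect_location(return_to, params):
    """GET transport: merge the message into the query string of a 302 Location."""
    parts = urlsplit(return_to)
    query = parse_qsl(parts.query, keep_blank_values=True) + sorted(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def form_post_page(action, params):
    """POST transport: hidden fields, JS auto-submit, and a button when JS is absent.

    Every name and value is HTML-escaped because it is reflected into markup.
    """
    fields = "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (escape(k, quote=True), escape(v, quote=True))
        for k, v in sorted(params.items())
    )
    return (
        '<!DOCTYPE html>\n<html><body onload="document.forms[0].submit()">\n'
        '<form method="post" action="%s">\n%s\n'
        '<noscript><input type="submit" value="Continue"></noscript>\n'
        "</form></body></html>" % (escape(action, quote=True), fields)
    )


def indirect_response(return_to, params):
    """Prefer the redirect; use the form only when the URL would be too long."""
    location = redirect_location(return_to, params)
    if len(location) <= MAX_URL_LEN:
        return 302, {"Location": location}, ""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return 200, headers, form_post_page(return_to, params)


if __name__ == "__main__":
    # Constructed sample message; hosts are placeholders.
    sample = {"openid.mode": "id_res", "openid.identity": "https://user.example/"}
    print(indirect_response("https://rp.example/return?nonce=abc", sample))
```

Preferring the redirect keeps the flow free of JavaScript for short messages; only oversized messages land on the form, where a user without JS sees the single "Continue" button.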
