OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)
Johnny Bufu
johnny at sxip.com
Sat Nov 18 02:35:50 UTC 2006
On 17-Nov-06, at 11:13 AM, John Kemp wrote:
> I /think/ the limit you are talking about is that regarding the size of
> the URL. The reason you might approach or exceed that limit would be if
> you were sending an HTTP GET with parameters appended to the URL. The
> solution to that issue is to encode the data as an HTTP FORM POST,
> which, AFAIK, has no such limit. As I understand it, that would be a
> separate issue than whether the protocol is transacted via HTTP 3XX
> redirects through the user-agent, vs. making the user-agent do the
> redirect "manually".
There are a few issues with issuing redirects to POST requests:
- According to the HTTP RFC, user agents receiving a 3XX redirect in
response to a POST request MUST NOT automatically redirect the request.
- See the note in RFC: even though the user-agents aren't supposed to
change the method, some perform a GET on the redirect URL, even
though the initial request was a POST.
- In the specific case of OpenID authentication messages, the server
issuing the redirect needs to send data (the OpenID message) to its
peer, via the user agent. I don't see how the user-agent can be
instructed via a redirect to use the POST response at the redirect URL.
Note that the OpenID message is different than the initial POST, so a
re-POST at the new URL wouldn't work either, even if that could be
automated.
Johnny
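The two transports under discussion, as an added example that is not part of this thread: the same OpenID message carried to the peer either as a GET redirect URL (subject to URL length limits) or as an HTML form the user agent submits with POST, which is a fresh POST rather than a redirected one. The endpoint, return_to and identifier values are constructed placeholders; the form is escaped so message values cannot break out of the hidden fields.

```python
import html
import urllib.parse

# Constructed sample OpenID 2.0 message (openid.* key/value pairs) as a
# relying party might send to a provider through the user agent.
SAMPLE_MESSAGE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "checkid_setup",
    "openid.claimed_id": "http://example.com/user",      # placeholder
    "openid.identity": "http://example.com/user",        # placeholder
    "openid.return_to": "http://rp.example.org/finish",  # placeholder
    "openid.realm": "http://rp.example.org/",            # placeholder
}

def get_redirect_url(endpoint: str, message: dict) -> str:
    """Indirect message via 3XX + GET: parameters appended to the URL."""
    qs = urllib.parse.urlencode(message)
    sep = "&" if "?" in endpoint else "?"
    return f"{endpoint}{sep}{qs}"

def form_post_page(endpoint: str, message: dict) -> str:
    """Indirect message via an auto-submitting HTML form.  The user agent
    issues a new POST to the endpoint, so no redirect-of-a-POST is needed
    and no URL length limit applies.  Every attribute is HTML-escaped so a
    message value cannot inject markup into the page."""
    fields = "\n".join(
        f'  <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in message.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'<form method="post" action="{html.escape(endpoint, quote=True)}" '
        'accept-charset="UTF-8">\n'
        f"{fields}\n"
        '  <noscript><input type="submit" value="Continue"></noscript>\n'
        "</form></body></html>\n"
    )

def choose_transport(endpoint: str, message: dict, max_url_len: int = 2048):
    """Use the GET redirect while the URL stays within max_url_len (an
    assumed conservative user-agent limit); otherwise fall back to POST."""
    url = get_redirect_url(endpoint, message)
    if len(url) <= max_url_len:
        return ("redirect", url)
    return ("form_post", form_post_page(endpoint, message))
```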