OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)
John Kemp
frumioj at mac.com
Sat Nov 18 22:25:10 UTC 2006
Dick Hardt wrote:
>
> On 18-Nov-06, at 1:56 PM, John Kemp wrote:
>
>>> It is mentioned that the two methods may be composed, but I still don't
>>> see how the POST form submission can be automated (without JavaScript).
>>> Have I missed that part?
>>
>> My point is that an implementation can offer BOTH profiles, and in cases
>> where it's likely that the browser cannot do JS, it's possible for the
>> RP to attempt one instead of another. Again, this is about being
>> tolerant of different browsers.
>
> The POST methods meets all the requirements with a degradation in user
> experience for browsers without JS.
> If the user is running a browser without JS, then lots of other sites
> will not work well given the proliferation of JS in sites.
> This also keeps it simple for the RP since it is not having to guess
> what the user agent can do.
>
> We weighed all the options and moving to POST was the decision. I have
> not seen any new data that would lead me to change my position.
But why deprecate support for redirects? I'd (still) like to see OpenID
implementations that do support browsers without JS turned on .
- John
More information about the specs
mailing list