OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)
Johannes Ernst
jernst+apache.org at netmesh.us
Mon Nov 20 19:57:36 UTC 2006
On Nov 19, 2006, at 22:46, Dick Hardt wrote:
> On 19-Nov-06, at 8:06 PM, Johannes Ernst wrote:
>>> The protocol is for more than authentication, and it is changing
>>> state. Per W3C, a GET should not be changing state.
>> By the way, I would disagree with the notion that authentication
>> in itself changes state at all.
>
> Sure it is. At the end of the process, the RP is setting a cookie
> to maintain the logged in state, so the state of the browser
> session has changed.

The state of the browser? That's not the state that W3C or the REST
authors are talking about -- they are talking about the state of the
resource (i.e. the data behind a URL).

You could argue that the state of the site's relying party management
system ("OpenID relying party database") has changed, but I would
still argue that the resource has not changed by virtue of somebody
logging on or off.

Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst