OpenID Auth 2.0 and user-agent neutrality (or, OpenID with REST/SOAP)
Dick Hardt
dick at sxip.com
Tue Nov 21 04:13:45 UTC 2006
On 20-Nov-06, at 11:57 AM, Johannes Ernst wrote:
> With OpenID 1.x, we can pre-assemble an HTTP GET request that
> allows access to a protected resource, completely out of the blue
> in a single round-trip. Just like HTTP BasicAuth (i.e. I don't need
> to have a session cookie first). We can apply the exact same
> approach to all other HTTP verbs.
I don't understand how you can do it in a single round trip. There is
the call to the RP (1) that redirects to the OP (2) which redirects
to the RP (3) to get the final result, where a cookie is usually set
by the web app. Subsequent calls then just send the cookie.