Backwards compatibility

Dick Hardt dick at
Mon Sep 25 18:49:35 UTC 2006

On 25-Sep-06, at 11:37 AM, Johannes Ernst wrote:

> On Sep 25, 2006, at 11:05, Dick Hardt wrote:
>> On 25-Sep-06, at 10:59 AM, Johannes Ernst wrote:
>>>>>  I don't understand why we should make it hard (impossible?) to  
>>>>> use OpenID authentication with verbs other than POST.
>>>> How would you propose OpenID use the other verbs?
>>> If there is a mechanism to authenticate an HTTP GET request (as  
>>> OpenID 1.1 provides, of course), use the exact same mechanism to  
>>> authenticate any other verb. The authentication mechanism does  
>>> not depend on which verb it is at all, and in my view, we should  
>>> not introduce a dependency (auth on GET, or POST, or any other  
>>> verb) where none is needed.
>> OpenID authentication is currently the application layer, not the  
>> protocol layer.
> Not really. The WS-* stack being the counter-example.

I have no idea what your point is here.

>> I agree that at some point when supporting HTTP Auth, then it  
>> would make sense to support all verbs.
>> Right now, we are talking about how the request and response get  
>> sent around, which makes sense to use POST.
> I didn't say it doesn't make sense to use POST. I did say it does  
> not make sense to limit it to POST.
> Consider somebody writing a WebDav client that wishes to use OpenID  
> to authenticate against the WebDav server. Instead of executing the  
> HTTP/WebDav verb that they want to execute, they first have to do  
> an HTTP POST that has nothing to do with their WebDav use case,  
> then capture a cookie and reuse the cookie for the real WebDav  
> request they want to make? And there is no need for such a kludge  
> -- just let them sign the URL as in regular OpenID 1.1, but use the  
> PUT verb or whatever other verbs they'd like to use.

Where would the message parameters get carried?
How is state managed across requests, or is each request authenticated?

In HTTP AUTH, the parameters are HTTP Headers.

I do think that the OpenID mechanism can be adapted to working  
with HTTP AUTH, but that is not what we are trying to solve at this  

> I hope we at NetMesh are not the only ones who have met people who  
> want to do exactly that, and some variations on it?

Lots of people want authentication at the HTTP layer. That is not  
what OpenID was created to solve.

The WS-* stack was created to solve that, albeit for SOAP calls. I  
think there is an opportunity to solve it for RESTful calls.

-- Dick
