No subject


Wed Mar 4 18:19:19 UTC 2009


> To be honest, I'd be surprised if POST requests from OP to RP worked
> interoperably today, but the trick of using the # on the end of the
> return_to URL to signal to a supporting OP "I'm trying to do this
> completely client-side, so don't do a POST request" works here too.

Maybe having the fragment is a clue, but I’d prefer an even more explicit clue - like what if the RP could say “don’t send POST requests back, just send no more than X chars in the GET no matter what”. Then the OP could just drop data if it went over the limit ... or something.


On 3/25/09 9:26 PM, "James Henstridge" <james at jamesh.id.au> wrote:

> On Thu, Mar 26, 2009 at 1:49 AM, Martin Atkins <mart at degeneration.co.uk> wrote:
> > James Henstridge wrote:
> >>
> >> On Wed, Mar 25, 2009 at 3:33 AM, Luke Shepard <lshepard at facebook.com>
> >> wrote:
> >>>
> >>> One crude way to do it would be to have the caller specify that they want
> >>> the return_to args simply appended instead of integrated into the URL-
> >>> perhaps an argument like openid.append_return_to_params=true. But that
> >>> sounds hackish and I’d love to hear feedback on a better way to do this.
> >>
> >> How would this interact with OpenID providers that respond via a POST
> >> request instead of a GET?  This is something they are permitted to do
> >> according to the spec, and may decide to do so even if the
> >> authentication request was started with a GET if the response is large
> >> enough.
> >>
> >
> > This is a good point, but it seems like again it can be worked around by
> > making openid_reciever.html accept POST requests.
> >
> > Unlike the query string, this can't be done completely client side, but it
> > ought to be reasonably simple to set up some kind of rewriterule or other
> > indirection trick to make POST requests to openid_reciever.html actually get
> > served by a non-static endpoint.
>
> Any intermediate caches would also drop their cached versions when
> they see a POST request too (assuming they follow the standards), but
> I suppose it'd still be a win if the POST requests are infrequent.
>
> This is starting to become a lot more complicated than the "simple
> static return_to page" from the initial proposal though.
>
>
> > To be honest, I'd be surprised if POST requests from OP to RP worked
> > interoperably today, but the trick of using the # on the end of the
> > return_to URL to signal to a supporting OP "I'm trying to do this completely
> > client-side, so don't do a POST request" works here too.
>
> Disallowing post responses limits the use of the more verbose
> extensions (e.g. attribute exchange).  While this might be acceptable
> for Luke's particular use case, it might leave it unsolved for others.
>  It might be worth going back to basics and considering whether there
> are other solutions.
>
> The stated aim was to provide the best user experience possible for
> running an OpenID authentication request through a pop up window and
> then communicating the results back to the main window.
>
> Luke's proposal is one possible solution, but I wouldn't want to
> impose limitations on the specification if there is an alternative
> that also solves the problem.
>
> James.
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
