Defining how OpenID should behave with fragments in the return_to url
James Henstridge
james at jamesh.id.au
Wed Mar 25 07:48:21 UTC 2009
On Wed, Mar 25, 2009 at 3:33 AM, Luke Shepard <lshepard at facebook.com> wrote:
> One crude way to do it would be to have the caller specify that they want
> the return_to args simply appended instead of integrated into the URL-
> perhaps an argument like openid.append_return_to_params=true. But that
> sounds hackish and I’d love to hear feedback on a better way to do this.

How would this interact with OpenID providers that respond via a POST
request instead of a GET? This is something they are permitted to do
according to the spec, and may decide to do so even if the
authentication request was started with a GET if the response is large
enough.

If it helps, you could reproduce such a response with a form like:

    <form action="http://open.lukeshepard.com/openid_receiver.html?query#hash"
          method="post" accept-charset="UTF-8">
      <input type="hidden" name="openid.ns" value="...">
      ...
      <input type="submit" value="Submit">
    </form>

This proposal sounds like something that will work most of the time
but fail in a number of valid cases.

It'd be nice to support the popup based authentication workflow well,
but I am not convinced that relying on this quirk is the right way to
do so.

James.
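
An added illustration, not part of the original message or of any OpenID library: it models what script on the receiver page can read when the response comes back by GET with fields integrated into the query, by GET with fields appended after the fragment, and by POST. The helper names, the "&" separator used for appending, and the sample response fields are assumptions.

```javascript
// Added illustration; helper names and sample response fields are constructed.
const RETURN_TO = "http://open.lukeshepard.com/openid_receiver.html?query#hash";
const FIELDS = { "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res" };

function encode(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Usual GET handling: fields join the query string, ahead of the fragment.
function integrate(returnTo, fields) {
  const i = returnTo.indexOf("#");
  const base = i < 0 ? returnTo : returnTo.slice(0, i);
  const frag = i < 0 ? "" : returnTo.slice(i);
  return base + (base.includes("?") ? "&" : "?") + encode(fields) + frag;
}

// Proposed behaviour (assumed form): fields tacked onto the end of the URL
// as-is, so they land inside the fragment. The "&" separator is an assumption.
function appendRaw(returnTo, fields) {
  return returnTo + "&" + encode(fields);
}

// Model one indirect response. With POST the form action is return_to itself
// and the fields travel in the request body, whatever the append setting.
function deliver(returnTo, fields, method, append) {
  if (method === "POST") return { url: returnTo, body: encode(fields) };
  return { url: append ? appendRaw(returnTo, fields) : integrate(returnTo, fields), body: "" };
}

// What script on the receiver page can read: location.search and
// location.hash. The POST body is only seen by the server.
function visibleToPageScript(delivery) {
  const u = new URL(delivery.url);
  return { search: u.search, hash: u.hash };
}

for (const [method, append] of [["GET", false], ["GET", true], ["POST", true]]) {
  const d = deliver(RETURN_TO, FIELDS, method, append);
  console.log(method, append ? "append" : "integrate", visibleToPageScript(d), "body:", d.body);
}
```

Only the GET-with-append case puts the response fields in the fragment; in the POST case the fragment stays `#hash` and the fields exist only in the request body.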