<HTML>
<HEAD>
<TITLE>Re: Problem with nonces and HTTP GET</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>This is a possible workaround, however it’s entirely likely that the state (or internal artifact to use Breno’s term) would need to be replicated across datacenters since the host that saved the state (the OP’s HTTPS endpoint) could be different than the one that reads the state (on the OP’s HTTP endpoint). <BR>
<BR>
For example, some ISPs proxy HTTP connections, but not HTTPS – which will result in different IP addresses to be used to request HTTP and HTTPS. Depending on the OP’s infrastructure, the two requests could be served from different datacenters which is tricky to support if the data needs to be replicated nearly instantaneously. <BR>
<BR>
At least in Yahoo’s case, we do have some workarounds to support this scenario – for instance supporting OAuth’s Request Token requires this (and caused us a lot of grief). <BR>
<BR>
Although we can support this internal artifact implementation, it would be preferable to shrink AX responses (at least for commonly used attributes) and longer term, to natively define an Artifact binding to OpenID.<BR>
<BR>
Allen<BR>
<BR>
On 1/22/10 11:18 AM, "Andrew Arnott" <<a href="andrewarnott@gmail.com">andrewarnott@gmail.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I agree with Allen, although to resurrect an old idea I once suggested, Yahoo could observe that the return_to URL is HTTP only and do its own stateful redirect (with an artifact payload to itself) to HTTP <I>before</I> doing the POST to the RP, which would:<BR>
</SPAN></FONT><OL><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>use POST instead of GET
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>avoid the SSL warning to users
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>do so without any changes to the spec or RPs<BR>
</SPAN></FONT></OL><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>The cost of course is that the redirect within Yahoo is stateful, which may not scale as well as their current implementation. <BR>
<BR>
Of this isn't a Yahoo-specific problem, of course, but since the example came up...<BR>
</SPAN></FONT></BLOCKQUOTE>
</BODY>
</HTML>