Nat, et. al<div><br></div><div>A POST from the RP to the OP is good, but if that POST from the RP is the result of a GET from the user agent to the RP, then that's still a problem. Since GETs should have no side effect, if a redirect (GET) from the OP to the RP via the user agent causes the RP to POST anything, then it's a violation.</div>
<div><br></div><div>And I'm not trying to be a nit-picky HTTP purist here. I'm talking about real-world problems from browsers, plugins, and/or proxies that believe GETs are actually side-effect free, that are causing logins to fail.<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Wed, Jan 27, 2010 at 4:12 PM, Nat Sakimura <span dir="ltr"><<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Andrew, <div><br></div><div>The way I am writing the Artifact Binding draft is such that the RP always uses POST to communicate directly with OP. </div><div>RP obtains the Artifact by POSTing request to the OP. Note that a different nonce should result in different artifact. </div>
<div><br></div><div>Then the Artifact is redirected via GET to the OP through the browser. </div><div><br></div><div>The OP returns another artifact (which can be the same with the requested artifact). Ideally, there should be a one-to-one mapping between the request Artifact and the response Artifact. (One easy way is to make them the same.) Then the GET has no side effect on that request and thus does not violate HTTP. </div>
<div><br></div><div>The RP, upon receipt of the response Artifact, will POST it to the OP to obtain the assertion. If it was the first time, then it will get a positive assertion. If it was a repeated POST, then a negative assertion will be returned. Since it is a POST, it should be OK for the request to have side effects. </div>
<div><br></div><div>Cheers, </div><div><br></div><div>=nat</div><div><br><div class="gmail_quote"><div class="im">On Thu, Jan 28, 2010 at 8:57 AM, Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com" target="_blank">andrewarnott@gmail.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><div><div class="gmail_quote"><div><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
</div></blockquote><div><br></div></div><div>John,</div><div>Remember the argument I'm making is not "how do we get GET to work better" but "how do we stop using GET and switch to POST", since that will alleviate the nonce reuse problem. Coming up with craftier ways of using GET is moving in the wrong direction IMO. I'd like to see OpenID move to an all-POST protocol, and solve the HTTP-HTTPS boundary problem. </div>
<div><br></div><div>Even with artifact binding moving the nonce outside the browser redirect URL, if only one GET is allowed because the artifact is a usable-once-only token, then it's not a GET--it's a POST by HTTP definition.</div>
</div></div>
<br></div><div class="im">_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
<br></div></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" target="_blank">http://twitter.com/_nat_en</a><br>
</div>
</blockquote></div><br></div>