Hi <span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">Manuel, </span><div><br></div><div><span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "></span>FYI, your human-friendly version of the Artifact Binding Spec proposal is <a href="https://openid4.us/specs/ab/">https://openid4.us/specs/ab/</a>. <div>
A few things will change before it becomes final: </div><div><br></div><div>1. Change the signature to JWT that is supposed to come out this week or so. </div><div>2. Split the spec into the core, binding, and profiles so that it will share the same core as Connect. </div>
<div><br></div><div>Nat Sakimura</div><div><br></div><div>P.S. Actual spec archive is at <a href="http://bitbucket.org/openid/ab/">http://bitbucket.org/openid/ab/</a><br><br><div class="gmail_quote">On Tue, Dec 7, 2010 at 9:59 AM, Breno de Medeiros <span dir="ltr"><<a href="mailto:breno@google.com">breno@google.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Mon, Dec 6, 2010 at 16:41, Manuel Lemos <<a href="mailto:mlemos@acm.org">mlemos@acm.org</a>> wrote:<br>
> Hello,<br>
><br>
> I have developed my implementation of OpenID (consumer and provider). In<br>
> general it works well and it has been used in sites that authenticate<br>
> hundreds of thousands of users.<br>
><br>
> The problem is that once in a while I get warnings from my system regarding<br>
> missing required attributes or invalid signatures.<br>
><br>
> Looking closer at the problem I realized that in some cases the OpenID<br>
> provider redirects the users back to the consumer sites but the user<br>
> browsers are truncating URLs apparently at 400 characters.<br>
<br>
</div>This could happen in some mobile devices.<br>
<br>
There are, AFAIK, only a few approaches to address this problem.<br>
<br>
- Choose to not support such user agents.<br>
<br>
- Providers might add detection for the problematic user-agents and<br>
change their handling to use a POST redirect. But keep in mind that<br>
this fix still is short of ideal:<br>
-- Sometimes these devices also do not support JavaScript, in which case<br>
POST redirects require an additional confirmation dialog.<br>
-- POST redirects from https to http result in scary warning dialogs in<br>
some browsers. Avoiding this warning requires providers to invent some<br>
proprietary redirect with short URLs from the https location to an<br>
http location and start the POST operation from the http location. A<br>
better solution would be for RPs to implement SSL return_to URLs, but<br>
this has not been often done.<br>
<br>
- OpenID might define an 'artifact'-type workflow, as for instance,<br>
the one proposed by the Artifact Binding WG, and shorten URLs of both<br>
requests and responses to below 400 characters.<br>
<div class="im"><br>
><br>
> Anybody experienced this problem?<br>
><br>
> Admittedly I may have missed something in the spec documents, but is there<br>
> anything in the specs that provides a solution to avoid redirecting browsers<br>
> to such long URLs?<br>
><br>
> --<br>
><br>
> Regards,<br>
> Manuel Lemos<br>
><br>
> JS Classes - Free ready to use OOP components written in JavaScript<br>
> <a href="http://www.jsclasses.org/" target="_blank">http://www.jsclasses.org/</a><br>
> _______________________________________________<br>
> specs mailing list<br>
> <a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
><br>
<br>
<br>
<br>
</div>--<br>
<font color="#888888">--Breno<br>
</font><div><div></div><div class="h5">
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en">http://twitter.com/_nat_en</a><br>
</div></div>
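An added example, not part of the original thread or of any OpenID library: a provider-side version of the POST-redirect fallback Breno describes, generalized to switch on the encoded URL length instead of user-agent detection. The function name and the use of Manuel's reported 400-character truncation point as the limit are assumptions.

```python
from html import escape
from urllib.parse import urlencode, urlsplit

# Assumption: the 400-character truncation point reported in this thread.
MAX_REDIRECT_URL = 400


def build_indirect_response(return_to, fields, limit=MAX_REDIRECT_URL):
    """Return ("redirect", url) or ("post", html) for an OpenID response.

    fields maps full parameter names (e.g. "openid.sig") to string values.
    """
    parts = urlsplit(return_to)
    if parts.scheme not in ("http", "https"):
        raise ValueError("return_to must be an http(s) URL")
    url = return_to + ("&" if parts.query else "?") + urlencode(fields)
    if len(url) <= limit:
        return "redirect", url

    # Too long for a GET redirect: emit a self-submitting form instead.
    # return_to and the field values are request-controlled, so each one
    # is HTML-escaped before it is placed in an attribute.
    inputs = "\n".join(
        f'<input type="hidden" name="{escape(k, quote=True)}" '
        f'value="{escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    html = (
        "<!DOCTYPE html>\n"
        '<html><body onload="document.forms[0].submit()">\n'
        f'<form method="post" action="{escape(return_to, quote=True)}">\n'
        f"{inputs}\n"
        # Devices without JavaScript need a manual confirmation step.
        '<noscript><input type="submit" value="Continue"></noscript>\n'
        "</form></body></html>"
    )
    return "post", html
```

A relying party that accepts the POST form must read the `openid.*` parameters from the request body as well as the query string before verifying the signature.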