Nat, et. al A POST from the RP to the OP is good, but if that POST from the RP is the result of a GET from the user agent to the RP, then that's still a problem. Since GETs should have no side effect, if a redirect (GET) from the OP to the RP via the user agent causes the RP to POST anything, then it's a violation.
And I'm not trying to be a nit-picky HTTP purist here. I'm talking about real-world problems from browsers, plugins, and/or proxies that believe GETs are actually side-effect free, that are causing logins to fail. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre On Wed, Jan 27, 2010 at 4:12 PM, Nat Sakimura <[email protected]> wrote: > Andrew, > > The way I am writing the Artifact Binding draft is such that the RP always > uses POST to communicate directly with OP. > RP obtains the Artifact by POSTing request to the OP. Note that a different > nonce should result in different artifact. > > Then the Artifact is redirected via GET to the OP through the browser. > > The OP returns another artifact (which can be the same with the requested > artifact). Ideally, there should be a one-to-one mapping between the request > Artifact and the response Artifact. (One easy way is to make them the same.) > Then the GET has no side effect on that request and thus does not violate > HTTP. > > The RP, upon receipt of the response Artifact, will POST it to the OP to > obtain the assertion. If it was the first time, then it will get a positive > assertion. If it was a repeated POST, then a negative assertion will be > returned. Since it is a POST, it should be OK for the request to have side > effects. > > Cheers, > > =nat > > On Thu, Jan 28, 2010 at 8:57 AM, Andrew Arnott <[email protected]>wrote: > >> >> >> John, >> Remember the argument I'm making is not "how do we get GET to work better" >> but "how do we stop using GET and switch to POST", since that will alleviate >> the nonce reuse problem. Coming up with craftier ways of using GET is >> moving in the wrong direction IMO. I'd like to see OpenID move to an >> all-POST protocol, and solve the HTTP-HTTPS boundary problem. >> >> Even with artifact binding moving the nonce outside the browser redirect >> URL, if only one GET is allowed because the artifact is a usable-once-only >> token, then it's not a GET--it's a POST by HTTP definition. >> >> _______________________________________________ >> specs mailing list >> [email protected] >> http://lists.openid.net/mailman/listinfo/openid-specs >> >> > > > -- > Nat Sakimura (=nat) > http://www.sakimura.org/en/ > http://twitter.com/_nat_en >
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
