Hello,

on 12/06/2010 10:59 PM Breno de Medeiros said the following:
>> I have developed my implementation of OpenID (consumer and provider). In
>> general it works well and it has been used in sites that authenticate
>> hundreds of thousands of users.
>>
>> The problem is that once in a while I get warnings from my system regarding
>> missing required attributes or invalid signatures.
>>
>> Looking closer at the problem I realized that in some cases the OpenID
>> provider redirects the users back to the consumer sites but the user
>> browsers are truncating URLs apparently at 400 characters.
>>
>> This could happen in some mobile devices.

> There are, AFAIK, only a few approaches to address this problem.
>
> - Choose to not support such user agents.
>
> - Providers might add detection for the problematic user-agents and
> change their handling to use a POST redirect. But keep in mind that
> this fix is still short of ideal:
> -- Sometimes these devices also do not support JavaScript, in which case
> POST redirects require an additional confirmation dialog.
> -- POST redirects from https to http result in scary warning dialogs in
> some browsers. Avoiding this warning requires providers to invent some
> proprietary redirect with short URLs from the https location to an
> http location and start the POST operation from the http location. A
> better solution would be for RPs to implement SSL return_to URLs, but
> this has not been often done.

Better not. I am already having a hard time because I tried to make the OpenID URL open inside an iframe to make it look integrated with the consumer site. What happens is that some browsers refuse to accept cookies because consumer and provider domains are not the same.

So I would rather avoid hacks that do not work in all browsers and give me a lot of work trying to support browsers with unexpected behavior.


> - OpenID might define an 'artifact'-type workflow, as for instance,
> the one proposed by the Artifact Binding WG, and shorten URLs of both
> requests and responses to below 400 characters.

I am not sure what this means. Does it mean that there is already something able to make redirect URLs shorter, or is it maybe something that future specs may support?


--

Regards,
Manuel Lemos

JS Classes - Free ready to use OOP components written in JavaScript
http://www.jsclasses.org/
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
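
The truncation symptom described in the message above, as an added example that is not part of the original post or of any OpenID library: a consumer-side check that tells a response cut off near the 400-character mark apart from one that is simply malformed, so the two can be logged differently before rejection. The function names, the `slack` heuristic and every host and value in the sample are assumptions constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Fields every OpenID 2.0 positive assertion (openid.mode=id_res) must carry.
REQUIRED = ("ns", "mode", "op_endpoint", "return_to", "response_nonce",
            "assoc_handle", "signed", "sig")

def diagnose_assertion(url, limit=400, slack=8):
    """Classify a received return_to URL as complete, likely-truncated or malformed.

    Only a "complete" message goes on to signature verification; the other two
    verdicts are rejected and differ only in how the failure is logged.
    """
    query = urlsplit(url).query
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    fields = {k[len("openid."):] for k in params if k.startswith("openid.")}
    missing = [f for f in REQUIRED if f not in fields]
    # Every name listed in openid.signed must also be present in the message.
    for name in params.get("openid.signed", "").split(","):
        if name and name not in fields and name not in missing:
            missing.append(name)
    if not missing:
        return "complete", []
    # Heuristic (assumption): a cut-off URL ends at or just under the limit.
    near_limit = limit - slack <= len(url) <= limit
    return ("likely-truncated" if near_limit else "malformed"), missing

def sample_assertion_url(drop=()):
    """Constructed sample response; all hosts and values are made up."""
    fields = [
        ("ns", "http://specs.openid.net/auth/2.0"),
        ("mode", "id_res"),
        ("op_endpoint", "https://op.example/server"),
        ("claimed_id", "https://op.example/users/alice"),
        ("identity", "https://op.example/users/alice"),
        ("return_to", "https://rp.example/openid/return"),
        ("response_nonce", "2010-12-06T22:59:00Zabc123"),
        ("assoc_handle", "constructed-handle-1"),
        ("signed", "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"),
        ("sig", "Y29uc3RydWN0ZWQtc2lnbmF0dXJl"),
    ]
    query = urlencode([("openid." + k, v) for k, v in fields if k not in drop])
    return "https://rp.example/openid/return?" + query

if __name__ == "__main__":
    full = sample_assertion_url()
    for url in (full, full[:400], sample_assertion_url(drop=("sig",))):
        print(len(url), diagnose_assertion(url))
```

Logging the verdict together with the User-Agent header shows which devices are cutting the URL; the assertion is rejected in both failure cases.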
