Rowan Kerr wrote:
>
> Also, the spec mentions AJAX interactions, but I don't see how you can
> actually use AJAX with OpenID, since none of the responses are in XML
> format .. it relies entirely on GET or POST redirection, not to
> mention that you have to make cross-domain requests which
> XmlHttpRequest will not do without extra security privileges.
>
I think the spec is misusing the AJAX abbreviation a bit here, since the usual
approach to doing this doesn't involve XMLHttpRequest at all, but instead works
something like this:

* Create hidden IFRAME in document and point it at OpenID RP endpoint on your
  site.
* RP endpoint redirects (in the IFRAME) to the OP with mode=checkid_immediate,
  which instructs the OP to fail immediately if it needs to display any UI.
* If OP needs to display an "are you sure?" page {
    * it redirects back to the RP endpoint (still in the IFRAME) and indicates
      that an immediate request was not possible.
    * the RP endpoint generates some HTML containing script that fires a
      callback in the containing page which causes it to do a normal
      redirect-dance OpenID request. This is often done in a new window to
      avoid disrupting whatever process started the OpenID auth request.
  }
* Else {
    * OP redirects back to the RP endpoint (still in the IFRAME) including the
      signature and all the other fun stuff you get on success.
    * the RP endpoint generates some HTML containing script that fires a
      callback in the containing page which does something like starting a
      session, putting the openid sig in the form to be validated later, or
      some other such action. (or maybe it just says "auth succeeded!" and the
      server validates it once the form is submitted.)
  }

So no, this isn't really AJAX in the usual sense. As you noted, you can't do
OpenID Auth client-side with XMLHttpRequest because of the same-origin
restriction. You also can't do OpenID on the server because then the user's
session cookie won't end up at the OP during the request. It still achieves the
desired effect of doing an OpenID auth request without disturbing the current
page, though.

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
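Below is an added worked example of the RP-side pieces of the hidden-IFRAME flow sketched in the message above: building the checkid_immediate redirect, classifying what the OP sends back, and the small callback page the RP endpoint returns inside the IFRAME, plus the containing page with the hidden IFRAME and the callback. It is not code from the original post or from any OpenID library. It assumes OpenID 2.0 parameter names (openid.mode=setup_needed for a failed immediate request) and also recognises the OpenID 1.1 form (id_res carrying openid.user_setup_url); the endpoint paths /openid/iframe-return and /openid/start and the callback name openidCallback are hypothetical. The security point it makes concrete is the one the post ends on: the callback page hands the response fields up unverified, and only the server, after the form is submitted, decides whether the signature is good.

```python
import html
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not the original post's code. OpenID 2.0 namespace; the
# endpoint paths and the callback name below are hypothetical.
OPENID_NS = "http://specs.openid.net/auth/2.0"
IFRAME_RETURN_PATH = "/openid/iframe-return"   # hypothetical RP endpoint
SETUP_START_PATH = "/openid/start"             # hypothetical fallback endpoint
CALLBACK_NAME = "openidCallback"               # hypothetical parent-page function


def build_immediate_request(op_endpoint, claimed_id, return_to, realm):
    """URL the RP endpoint redirects the hidden IFRAME to: a checkid_immediate
    request, so the OP must answer without showing any UI."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)


def classify_op_response(return_url):
    """Classify what the OP sent back to the IFRAME endpoint.

    Returns (outcome, fields). 'setup_needed' covers both the OpenID 2.0 reply
    (openid.mode=setup_needed) and the OpenID 1.1 reply (id_res carrying
    openid.user_setup_url). Nothing here is authenticated yet: the signature in
    a 'success' reply still has to be verified by the server."""
    fields = {k: v[0] for k, v in parse_qs(urlparse(return_url).query).items()}
    mode = fields.get("openid.mode")
    if mode == "setup_needed":
        return "setup_needed", fields
    if mode == "id_res":
        if "openid.user_setup_url" in fields:
            return "setup_needed", fields
        return "success", fields
    if mode == "cancel":
        return "cancelled", fields
    return "error", fields


def render_callback_page(outcome, fields, callback_name=CALLBACK_NAME):
    """HTML the RP endpoint returns inside the IFRAME. It is served from the RP
    origin, so its script may call straight into the containing page. The
    response fields are passed up unverified so the page can put them in a form
    for the server to validate (check_authentication or a shared association)."""
    payload = {"outcome": outcome, "response": fields}
    # Escape '<' so an OP-controlled value such as "</script>" cannot close the
    # script block early and inject markup into the RP origin.
    data = json.dumps(payload).replace("<", "\\u003c")
    return (
        "<!DOCTYPE html><html><body><script>\n"
        "if (window.parent && window.parent !== window\n"
        f"    && typeof window.parent.{callback_name} === 'function') {{\n"
        f"  window.parent.{callback_name}({data});\n"
        "}\n"
        "</script></body></html>"
    )


def render_parent_page(iframe_url, callback_name=CALLBACK_NAME):
    """The containing page: a hidden IFRAME starts the flow, and the callback
    either stores the signed fields for later server-side validation or falls
    back to the ordinary redirect dance in a new window."""
    return f"""<!DOCTYPE html><html><body>
<form id="login" method="post" action="/login">
  <input type="hidden" name="openid_response" id="openid_response">
</form>
<iframe src="{html.escape(iframe_url, quote=True)}" style="display:none"></iframe>
<script>
function {callback_name}(result) {{
  if (result.outcome === "success") {{
    // Stash the unverified response; the server checks the signature on submit.
    document.getElementById("openid_response").value = JSON.stringify(result.response);
  }} else if (result.outcome === "setup_needed") {{
    // OP needs to show UI: run the normal redirect-dance request in a new window.
    window.open("{SETUP_START_PATH}?mode=setup", "openid_setup");
  }}
}}
</script></body></html>"""
```

The containing page and the IFRAME page are both on the RP origin, which is what lets the IFRAME script call `window.parent.openidCallback` directly without XMLHttpRequest ever being involved; the OP is only ever reached by redirecting the IFRAME, so the user's OP session cookie travels with the request.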