Rowan Kerr wrote:
> 
> Also, the spec mentions AJAX interactions, but I don't see how you can
> actually use AJAX with OpenID, since none of the responses are in XML
> format .. it relies entirely on GET or POST redirection, not to
> mention that you have to make cross-domain requests which
> XmlHttpRequest will not do without extra security privileges.
> 

I think the spec is misusing the AJAX abbreviation a bit here, since the 
usual approach to doing this doesn't involve XMLHttpRequest at all, but 
instead works something like this:

  * Create hidden IFRAME in document and point it at OpenID RP endpoint 
on your site.

  * RP endpoint redirects (in the IFRAME) to the OP with 
mode=checkid_immediate, which instructs the OP to fail immediately if it 
needs to display any UI.

  * If OP needs to display an "are you sure?" page {

      * it redirects back to the RP endpoint (still in the IFRAME) and 
indicates that an immediate request was not possible.

      * the RP endpoint generates some HTML containing script that fires 
a callback in the containing page which causes it to do a normal 
redirect-dance OpenID request. This is often done in a new window to 
avoid disrupting whatever process started the OpenID auth request.

  }
  * Else {

      * OP redirects back to the RP endpoint (still in the IFRAME) 
including the signature and all the other fun stuff you get on success.

      * the RP endpoint generates some HTML containing script that fires 
a callback in the containing page which does something like starting a 
session, putting the openid sig in the form to be validated later, or 
some other such action. (or maybe it just says "auth succeeded!" and the 
server validates it once the form is submitted.)

  }

So no, this isn't really AJAX in the usual sense. As you noted, you 
can't do OpenID Auth client-side with XMLHttpRequest because of the 
same-origin restriction. You also can't do OpenID on the server because 
then the user's session cookie won't end up at the OP during the 
request. It still achieves the desired effect of doing an OpenID auth 
request without disturbing the current page, though.
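
The RP-endpoint half of the flow above, as an added example that is not from this thread and not any OpenID library's code; it assumes the function names classifyOpenIdReturn and renderCallbackPage and a containing-page callback named openidCallback, and handles both the OpenID 2.0 setup_needed and the OpenID 1.1 user_setup_url forms of the "immediate request was not possible" response.

```javascript
// Added example, not from the thread. Runs under Node (URLSearchParams is global).
// The OP redirects back to the RP endpoint inside the IFRAME; this classifies
// that response so the endpoint knows which callback to fire in the parent page.
function classifyOpenIdReturn(queryString) {
  const p = new URLSearchParams(queryString);
  const mode = p.get('openid.mode');
  const setupUrl = p.get('openid.user_setup_url');
  // OpenID 2.0: mode=setup_needed. OpenID 1.1: mode=id_res plus user_setup_url.
  if (mode === 'setup_needed' || (mode === 'id_res' && setupUrl)) {
    return { outcome: 'setup_needed', setupUrl: setupUrl };
  }
  if (mode === 'id_res' && p.get('openid.sig')) {
    // The signature is only passed through here; the server must still verify it
    // (shared association or check_authentication) before trusting the identity.
    return {
      outcome: 'success',
      identity: p.get('openid.identity'),
      sig: p.get('openid.sig'),
      assocHandle: p.get('openid.assoc_handle'),
    };
  }
  if (mode === 'cancel') return { outcome: 'cancel' };
  return { outcome: 'error', message: p.get('openid.error') || 'unexpected response' };
}

// Renders the small page the IFRAME loads. It calls a named function in the
// containing page, which is same-origin because the IFRAME points at our own
// RP endpoint. The callback name is whitelisted and the JSON payload escapes
// '<' so that an OP-controlled value such as "</script>" cannot break out of
// the script block and run as markup in our origin.
function renderCallbackPage(result, callbackName) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error('invalid callback name');
  }
  const payload = JSON.stringify(result)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return '<!DOCTYPE html><html><body><script>\n' +
    'if (window.parent && typeof window.parent.' + callbackName + ' === "function") {\n' +
    '  window.parent.' + callbackName + '(' + payload + ');\n' +
    '}\n' +
    '</script></body></html>';
}

module.exports = { classifyOpenIdReturn, renderCallbackPage };
```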


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
