Field separators

Brad Fitzpatrick brad at danga.com
Sun Jun 5 13:45:18 PDT 2005


On Sun, 5 Jun 2005, Paul Crowley wrote:

> The contents end up being doubly-URL-encoded, and the return URL is sent
> twice, and you have to be able to decode x-www-form-urlencoding on
> something that isn't directly a GET request, but it means that you've
> got a simple assertion of "here's what was authenticated, and here's the
> authentication" - you don't have to piece together what was
> authenticated yourself.  And it means if we want to add more to that
> assertion, we can.

Nice in theory.  The double URL-encoding and forcing consumers to parse
something that their web environment would otherwise do for them is the
ugly part, though.

> There are things not to like about this proposal, so if anyone can come
> up with a simpler/easier way that we can vary the fields in what is
> authenticated without breaking everything I'm keen to know...

How about this:

openid.signature_is_over=return_to,assert_identity,foo,bar

So you just split on /,/, then go over those tokens (which can't contain
anything but \w) and concatenate the values of "openid.<token>\n" together
and check the signature on that.

So no double-URL escaping, but achieves the same goal.

- Brad
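
The field-list scheme proposed above, sketched from the consumer's side as an added example (not part of the original message or of any project code). Assumptions: each listed value is followed by "\n", the MAC is HMAC-SHA256 over a shared key, the signature arrives as a separate hex string, and the `required` list and newline rejection are checks added here.

```python
import hashlib
import hmac
import re

TOKEN = re.compile(r"\w+", re.ASCII)  # tokens may contain nothing but \w

def signed_payload(params):
    """Rebuild the signed bytes from the openid.signature_is_over field list."""
    parts, seen = [], set()
    for tok in params.get("openid.signature_is_over", "").split(","):
        if not TOKEN.fullmatch(tok) or tok in seen:
            raise ValueError(f"bad or repeated token: {tok!r}")
        seen.add(tok)
        value = params.get("openid." + tok)
        if value is None:
            raise ValueError(f"listed field is missing: openid.{tok}")
        if "\n" in value:
            # Added check: "\n" is the separator, so a value containing it
            # would make two different field sets produce the same bytes.
            raise ValueError(f"newline in openid.{tok}")
        parts.append(value + "\n")
    return "".join(parts).encode("utf-8"), seen

def verify(params, sig_hex, key, required=("return_to", "assert_identity")):
    """True only if the MAC matches and every field we rely on was signed."""
    try:
        payload, covered = signed_payload(params)
    except ValueError:
        return False
    if not set(required) <= covered:
        return False  # a field outside the list is unauthenticated
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig_hex)

def sign(params, key):
    """Server side of the same construction (HMAC-SHA256 is an assumption)."""
    payload, _ = signed_payload(params)
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

# Constructed sample parameters, as a consumer's web framework would decode them.
SAMPLE = {
    "openid.signature_is_over": "return_to,assert_identity",
    "openid.return_to": "https://consumer.example/finish?nonce=abc",
    "openid.assert_identity": "https://user.example/",
}
```

Because the list itself chooses what is covered, the consumer has to confirm that the fields it acts on appear in it; a valid signature over a shorter list says nothing about the omitted fields.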


