Non-recoverable auth failure?
paul at ciphergoth.org
Thu Jun 23 23:37:00 PDT 2005
Carl Howells wrote:
> It would still be required that the trust_root, identity, and assoc_handle be
> encoded in the user_setup_url. It feels kind of silly for the server to be
> telling itself those things. I'm starting to believe the whole user_setup_url
> thing is a really confusing idea as currently designed, and Paul had exactly
> the right idea. Instead of taking the one small step I've described here to
> simplify things, maybe it would be better to go all-out, and say that the
> correct behavior is to just make a full checkid_setup call using the
> user_setup_url as the server url.
> This would still preserve all existing functionality, and probably be simpler
> yet, conceptially. It is a bit more of a radical change, though.
That wasn't my proposal - my proposal was to abolish user_setup_url, and
just reply "denied", at which point the consumer tries again using
checkid_setup (in a popup, or an iframe, or whatever) with the same
server url and an appropriate return_to url.
To me this looks like a grand simplification and an increase in power at
a single swift stroke, but I know that I'm outside of my field of
expertise here. There are now four proposals: the spec, your proposal,
your version of my proposal, and my original proposal. There certainly
might be reasons to prefer any of the other three to my fourth that I
don't know about.
\/ o\ Paul Crowley, paul at ciphergoth.org
More information about the yadis