AJAX/Simple Combo Demo
Martin Atkins
mart at degeneration.co.uk
Fri May 20 09:27:18 PDT 2005
Brad's demo has two separate forms: one for AJAX mode, and one for the
simple (or "Classic") redirect mode.
I've now made a demo which does both from the same form, transparently
to the user:
<http://goathack.livejournal.org:9016/openid>
(Apologies for the non-standard port; depressingly, that's the only site
I have to host that on right now.)
One thing that creating this has made very clear to me is that there are
lots of things that implementers must be careful with to avoid
cross-site scripting attacks. Both Brad's demo and my demo have a few
cases where they just show any old values supplied by the ID server with
no HTML escaping.
My demo is again restricted only to LiveJournal logins, since I don't
have Brad's paranoid version of LWP::UserAgent.
Those of you who are brave enough to venture into my nasty Perl code can
find the source code (for now) here:
<http://goathack.livejournal.org:9016/openid.txt>
In practice, a few things would probably be done differently. The main
thing is that the OpenID stuff would in many cases be part of another
form. Many sites won't actually support "logging in" as such, but will
instead just supply a comment form with an OpenID field for one-time use.
Theoretically, the OpenID token fetching (in classic mode) could happen
in the same request as the comment posting, though that would either
lead to some really long return_urls or the need for the consumer to
retain some state and put a token in the return_url to match the
response. This needs to be thought about, as having the user submit the
form twice -- or indeed, submit two separate forms -- will confuse or
concern plenty of people.
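The two consumer-side problems raised in this thread, matching an ID server's response back to pending form state via a token in the return_url, and HTML-escaping whatever the ID server hands back, are sketched below as an added Python example. It is not code from the post, from Brad's demo, or from the Perl consumer linked above. The query parameter name `token`, the `consumer.example` host, the ten-minute lifetime and the in-memory store are all assumptions made for illustration; verifying the ID server's signature on the response is not modelled.

```python
import html
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, in-memory store of pending one-time logins (assumption: a real
# consumer would keep this in a database or a signed cookie so the state
# survives across processes).
PENDING = {}
TOKEN_TTL = 600  # seconds a token stays valid; an assumed value


def begin_login(identity, form_data, base_return_url, now=None):
    """Park the submitted comment form under a fresh token and build the
    return_url the ID server will send the user back to.  Only the short
    token travels in the URL, not the whole form."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)  # unguessable, so it cannot be forged
    PENDING[token] = {
        "identity": identity,
        "form": form_data,
        "expires": now + TOKEN_TTL,
    }
    return f"{base_return_url}?{urlencode({'token': token})}"


def finish_login(return_url_hit, asserted_identity, now=None):
    """Called when the user arrives back at the return_url.  Look up the
    pending state by token, consume it so a replayed URL fails, and check
    that the identity asserted in the response is the one the user typed."""
    now = time.time() if now is None else now
    qs = parse_qs(urlparse(return_url_hit).query)
    token = qs.get("token", [None])[0]
    state = PENDING.pop(token, None)  # one-time use: second hit gets None
    if state is None:
        return None, "unknown or already used token"
    if now > state["expires"]:
        return None, "token expired"
    if asserted_identity != state["identity"]:
        return None, "asserted identity does not match the one the user entered"
    return state, None


def render_comment(identity, body):
    """Everything that came from the ID server or the user is escaped before
    it is placed in HTML; this is the step both demos skipped in places."""
    return (
        f'<p class="author">{html.escape(identity, quote=True)}</p>'
        f"<p>{html.escape(body, quote=True)}</p>"
    )


if __name__ == "__main__":
    url = begin_login("http://someone.livejournal.com/", {"body": "hi"},
                      "http://consumer.example/return")
    state, err = finish_login(url, "http://someone.livejournal.com/")
    print(err or render_comment(state["identity"], state["form"]["body"]))
```

Because the token is popped from the store before any other check, an expired or mismatched response also burns the token, so an attacker who has captured a return_url cannot retry it with different values.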