Field separators
Brad Fitzpatrick
brad at danga.com
Sun Jun 5 13:45:18 PDT 2005
On Sun, 5 Jun 2005, Paul Crowley wrote:
> The contents end up being doubly-URL-encoded, and the return URL is sent
> twice, and you have to be able to decode x-www-form-urlencoding on
> something that isn't directly a GET request, but it means that you've
> got a simple assertion of "here's what was authenticated, and here's the
> authentication" - you don't have to piece together what was
> authenticated yourself. And it means if we want to add more to that
> assertion, we can.

Nice in theory. The doubly-URL-encoded and forcing consumers to parse
something that their web environment would otherwise do for them is the
ugly part, though.

> There are things not to like about this proposal, so if anyone can come
> up with a simpler/easier way that we can vary the fields in what is
> authenticated without breaking everything I'm keen to know...

How about this:

    openid.signature_is_over=return_to,assert_identity,foo,bar

So you just split on /,/, then go over those tokens (which can't contain
anything but \w) and concatenate the values of "openid.<token>\n" together
and check the signature on that.

So no double-URL escaping, but achieves the same goal.

- Brad
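
A consumer-side check of the scheme described above, as an added example that is not code from this thread or from any OpenID implementation. It assumes that "openid.<token>\n" means the value of parameter openid.<token> followed by a newline, that the signature is an HMAC-SHA256 under a shared secret carried in a hypothetical openid.sig parameter, and that the consumer insists on return_to and assert_identity being covered; all sample values are constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode

TOKEN_RE = re.compile(r"\w+", re.ASCII)      # tokens can't contain anything but \w
REQUIRED = {"return_to", "assert_identity"}  # assumption: fields this consumer acts on


def signed_string(params):
    """Join each listed field's value, followed by a newline, in list order."""
    tokens = params.get("openid.signature_is_over", "").split(",")
    if len(set(tokens)) != len(tokens) or not REQUIRED.issubset(tokens):
        raise ValueError("signed list has duplicates or omits a required field")
    parts = []
    for token in tokens:
        if not TOKEN_RE.fullmatch(token):
            raise ValueError("bad token %r" % token)
        value = params.get("openid." + token)
        if value is None or "\n" in value:
            # a missing field or an embedded newline would blur field boundaries
            raise ValueError("unusable value for %s" % token)
        parts.append(value + "\n")
    return "".join(parts).encode("utf-8")


def sign(params, secret):
    """Hex HMAC-SHA256 over the signed string (the algorithm is an assumption)."""
    return hmac.new(secret, signed_string(params), hashlib.sha256).hexdigest()


def verify(query, secret):
    """Check the hypothetical openid.sig parameter of a return-URL query string."""
    parsed = parse_qs(query, keep_blank_values=True)
    if any(len(values) != 1 for values in parsed.values()):
        raise ValueError("repeated parameter")
    params = {name: values[0] for name, values in parsed.items()}
    given = params.get("openid.sig", "")
    return hmac.compare_digest(sign(params, secret).encode(), given.encode())


# Constructed sample data, not taken from the thread.
SECRET = b"constructed-shared-secret"
FIELDS = {
    "openid.signature_is_over": "return_to,assert_identity",
    "openid.return_to": "https://consumer.example/done?nonce=1",
    "openid.assert_identity": "https://user.example/",
}
GOOD_QUERY = urlencode({**FIELDS, "openid.sig": sign(FIELDS, SECRET)})
```

The web environment's normal single URL-decoding is all that verify() relies on; a parameter that is not named in the signed list is not covered by the signature and should not be trusted.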