cachability of delegated identity URLs

Paul Crowley paul at
Thu Jun 9 00:07:12 PDT 2005

Brad Fitzpatrick wrote:
> The ugly solution is for consumers to put it in their return_to URL, and
> have it outside the openid spec.  (or set it in that user's anonymous
> session already created on  However, as it's something each
> and every consumer would have to do in their own way, that's where I draw
> that line at saying it should be part of the spec and given an "openid."
> prefix.

I don't like it, and I think it's a small minority of consumers that 
will need this.  Most consumers will start by creating a cookie-based 
session for each user, and store things like this in there.  When the 
reply comes from the server, they'll already know what the user was 
trying to log in as, and what reply they need from the server to let 
them in; they won't have to look anything up in a cache, it'll be right 
there in their session.   Other consumers could explicitly set it in a 
cookie, and look it up when they get their reply.  Those few consumers 
which really do need it in the GET parameters the server arranges for 
them to have can very easily put it there themselves; the spec makes it 
very clear that they have that option for anything they need to 
remember.  I think best to leave it out.
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list