chowells at janrain.com
Tue Jun 14 17:51:05 PDT 2005
The one current empty space in the openid spec seems to be what the
various pieces do for error conditions.
For example, what is the correct behavior when an openid server is
contacted with a parameter of "openid.mode=checkid_immediat"? That's
not a valid value for the openid.mode parameter, so what should be done?
Return a 404? A 500?
Assuming the consumer sent that as a typo or coding error, rather than
some sort of malicious attack, neither of those behaviors seem friendly.
Would some sort of redirect including an "openid.error" field be the
Nearly everything so far has focused on the behavior of the system when
everything works correctly, and the user is authenticated. There hasn't
been any recent discussion of error-handling, and how the server should
handle failure to authenticate in the various check_id modes.
While those are several entirely separate cases, they need to be
enumerated, and their behavior should be specified. Anyone want to make
a first pass?
More information about the yadis