Arguments passed with openid.mode=id_res incomplete?

Brad Fitzpatrick brad at danga.com
Thu Jun 16 01:33:35 PDT 2005


On Thu, 16 Jun 2005, Martin Atkins wrote:

> Grant Monroe wrote:
> > On 6/15/05, Martin Atkins <mart at degeneration.co.uk> wrote:
> >
> >>The server must retrieve the document from the identity URL again to
> >>discover the identity server URL. This step is important because
> >>otherwise I could have my identity server assert your identity. This
> >>extra bit of hoop-jumping ensures that the identity URL does indeed
> >>declare a particular identity server as trusted.
> >>
> >
> >
> > If this is the case, then this extra request should probably be added
> > to the spec.
>
> (I'm guessing you intended your reply to go to the list)
>
> The extra request isn't necessarily required. Many more beefy consumers
> will no doubt store some tracking information and put some kind of token
> in the return URL so that they don't have to retrieve the identity URL a
> second time.
>
> However, you're right that there should be some words about the
> different options consumers have for this point in the transaction.

Or will cache the identity URL document, as Net::OpenID::Consumer does, if
you give it a $cache object.

- Brad

>
>


More information about the yadis mailing list