Non-recoverable auth failure?

Carl Howells chowells at
Thu Jun 23 16:18:28 PDT 2005

Martin Atkins wrote:
> Oh, I understand where you are coming from now. What you are talking
> about is less a non-recoverable auth failure and more just a "go back to
> whatever you were doing" request. For most consumers, I'd imagine that
> this will return to the login form or to whatever page the user clicked
> "Log in with OpenID!" on, possibly displaying a generic "OpenID login
> cancelled" error message.
> I don't really see any reason not to make this part of the spec, with
> the proviso that it *only* means "cancel the OpenID login" and not any
> other extra stuff like "this login will never work again", "this account
> is currently suspended" or any such thing. It just means "user
> cancelled". It just requires the ID server to redirect to the return URL
> with mode=cancel.
> Sound reasonable?

Hmm.  Yes, it would have been more clear if I'd thought to phrase it 
that way initially.  That proposal would definitely work for me.  How 
about for our benevolent protocol and security dictators?

And any thoughts (from anyone) on my proposed change to the use of 
the user_setup_url after using checkid_immediate?


