Non-recoverable auth failure?

Paul Crowley paul at
Thu Jun 23 23:37:00 PDT 2005

Carl Howells wrote:
> PS
> It would still be required that the trust_root, identity, and assoc_handle be
> encoded in the user_setup_url.  It feels kind of silly for the server to be
> telling itself those things.  I'm starting to believe the whole user_setup_url
> thing is a really confusing idea as currently designed, and Paul had exactly
> the right idea.  Instead of taking the one small step I've described here to
> simplify things, maybe it would be better to go all-out, and say that the
> correct behavior is to just make a full checkid_setup call using the
> user_setup_url as the server url.
> This would still preserve all existing functionality, and probably be simpler
> yet, conceptially.  It is a bit more of a radical change, though.

That wasn't my proposal - my proposal was to abolish user_setup_url, and 
just reply "denied", at which point the consumer tries again using 
checkid_setup (in a popup, or an iframe, or whatever) with the same 
server url and an appropriate return_to url.

To me this looks like a grand simplification and an increase in power at 
a single swift stroke, but I know that I'm outside of my field of 
expertise here.  There are now four proposals: the spec, your proposal, 
your version of my proposal, and my original proposal.  There certainly 
might be reasons to prefer any of the other three to my fourth that I 
don't know about.
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list