Non-recoverable auth failure?

Carl Howells chowells at
Fri Jun 24 00:18:05 PDT 2005

Quoting Paul Crowley <paul at>:

> That wasn't my proposal - my proposal was to abolish user_setup_url, and
> just reply "denied", at which point the consumer tries again using
> checkid_setup (in a popup, or an iframe, or whatever) with the same
> server url and an appropriate return_to url.
> To me this looks like a grand simplification and an increase in power at
> a single swift stroke, but I know that I'm outside of my field of
> expertise here.  There are now four proposals: the spec, your proposal,
> your version of my proposal, and my original proposal.  There certainly
> might be reasons to prefer any of the other three to my fourth that I
> don't know about.

(Accidently sent my first copy of this to Paul only, sending this one to the

I did understand your proposal, and realized I was modifying it slightly.  The
reason I decided on that modification had to do with one important
consideration.  In normal setup mode, a site knows it will be the whole browser
window, and will probably draw its normal site layout on the openid page, for
branding purposes.  But if it's in an AJAX-style popup or iframe, it will
probably have a lot less screen real-estate available, and want to draw a
minimal version of its dialogs.

If it was able to direct the setup request after a failed immediate mode attempt
to a different url than the one normal setup requests go to, it would allow the
the server to decide what set of widgets to draw based on the url the request
went to.

That consideration is the only reason I modified your proposal for my second


More information about the yadis mailing list