Non-browser Identity Verification

Martin Atkins mart at degeneration.co.uk
Fri May 20 05:18:38 PDT 2005


Brad Fitzpatrick wrote:
> 
> So identity server only supports "Just this once" when it's a local
> service connecting.
> 
> Maybe the return_to_url is:
> 
>     http://127.0.0.1:23423/MusicBrainz
> 
> And then the identity server says:
> 
>     Do you want to trust the application "MusicBrainz" on your local
>     machine to verify your identity?
> 
> Neat, eh?  :)
> 

If this approach is taken, I motion to use the hostname "localhost" 
rather than the IP address. Hardcoding that IP address restricts the spec 
to be used with IPv4, and using IP addresses isn't really in the spirit 
of HTTP anyway.

However, I suppose using the DNS does open up the possibility of an 
unscrupulous admin arranging for "localhost" to resolve to something 
else. I think, though, that if you can't trust your nameserver then 
you've got bigger problems...
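
The trade-off raised in this message, as an added example that is not part of the original post or of the spec under discussion: a check that a return_to URL really points at the local machine, accepting IPv4 and IPv6 loopback literals and accepting "localhost" only when every address it resolves to is loopback. The function names and the two constructed resolvers are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Addresses the local resolver returns for host (hosts file, then DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def host_addresses(host, resolver):
    """Return the host's addresses: itself if a literal, else a lookup."""
    try:
        return {ipaddress.ip_address(host)}  # IP literal: no lookup needed
    except ValueError:
        pass
    # Strip any IPv6 zone id ("fe80::1%eth0") before parsing.
    return {ipaddress.ip_address(a.split("%")[0]) for a in resolver(host)}


def is_local_return_to(url, resolver=system_resolver):
    """True only if every address behind the return_to host is loopback."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = host_addresses(parts.hostname, resolver)
    except (OSError, ValueError):  # lookup failure or unparsable answer
        return False
    # One non-loopback answer is enough to reject: the name is not local.
    return bool(addrs) and all(a.is_loopback for a in addrs)


# Constructed resolvers standing in for an honest and a tampered nameserver.
def honest(host):
    return {"127.0.0.1", "::1"} if host == "localhost" else set()


def tampered(host):
    return {"203.0.113.7"}  # documentation-range address, constructed


if __name__ == "__main__":
    for url in ("http://127.0.0.1:23423/MusicBrainz",
                "http://[::1]:23423/MusicBrainz",
                "http://localhost:23423/MusicBrainz"):
        print(url, is_local_return_to(url, honest),
              is_local_return_to(url, tampered))
```

The literals pass under either resolver because they never touch name resolution; only the "localhost" form changes its answer when the resolver is tampered with.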


