Simplifying OpenId

S. Alexander Jacobson alex at
Fri Jan 6 19:17:51 UTC 2006

I apologize in advance if this is a FAQ, but I just read finally took 
the time to read through the OpenId spec more carefully and it seems 
overly complex for what it is trying to accomplish.  Why not get rid 
of all the complex message formats and non-opaque URLs and do 
something like this:

1. Consumer recieves openid_url [1]

    POST consumer
    content-type: application/x-www-form-urlencoded

2. Consumer retreives openid.server for this openid_url [2]

    GET openid_url

    200 OK


3. Consumer establishes is_user URL with server and gets back redirect URL

    POST http://serverURL
    content-type: application/x-www-form-urlencoded


    201 CREATED
    Location: http://redirect

4. Consumer redirects UA to redirect URL.

    301 http://redirect

5. Consumer trusts user has openId if it receives a

    GET is_user_URL


[1] Need some way to handle whether this GET is against http or https 
and, if the later, what CAs are recognized by both user and consumer.

[2] OpenId sample documentation on don't close the link 
tag, but, perhaps, should.

S. Alexander Jacobson tel:917-770-6565

More information about the yadis mailing list