Simplifying OpenId
S. Alexander Jacobson
alex at alexjacobson.com
Fri Jan 6 19:17:51 UTC 2006
I apologize in advance if this is a FAQ, but I just finally took
the time to read through the OpenId spec more carefully and it seems
overly complex for what it is trying to accomplish. Why not get rid
of all the complex message formats and non-opaque URLs and do
something like this:
1. Consumer receives openid_url [1]

    POST consumer
    content-type: application/x-www-form-urlencoded
    openid_url=bob.com

2. Consumer retrieves openid.server for this openid_url [2]

    GET openid_url
    200 OK
    .*<head>.*<link\s+rel="openid.server"\s+href="http://serverURL"\s*/?>.*</head>.*

3. Consumer establishes is_user URL with server and gets back redirect URL

    POST http://serverURL
    content-type: application/x-www-form-urlencoded
    is_user=http://is_user_URL
    201 CREATED
    Location: http://redirect

4. Consumer redirects UA to redirect URL.

    301 http://redirect

5. Consumer trusts user has openId if it receives a

    GET is_user_URL

-Alex-

[1] Need some way to handle whether this GET is against http or https
and, if the latter, what CAs are recognized by both user and consumer.
[2] OpenId sample documentation on openid.net doesn't close the link
tag, but, perhaps, should.
______________________________________________________________
S. Alexander Jacobson tel:917-770-6565 http://alexjacobson.com
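
Step 2 of the message above, as an added example that is not part of the original post: a consumer-side discovery routine that uses Python's HTML parser in place of the regular expression, so the closed and unclosed link forms from note [2] both resolve and links outside the head are ignored. Refusing pages with no or conflicting openid.server declarations, and requiring an absolute http or https href, are assumptions of this example; the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ServerLinkFinder(HTMLParser):
    """Collect href values of <link rel="openid.server"> seen inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.finished = False   # set once </head> or <body> has been seen
        self.servers = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags, so <link ...> and <link .../> both land here.
        if self.finished:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.finished = True
        elif tag == "link" and self.in_head:
            a = {name: (value or "") for name, value in attrs}
            if "openid.server" in a.get("rel", "").lower().split() and a.get("href"):
                self.servers.append(a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.finished = True

def discover_server(html_text):
    """Return the single openid.server URL declared in the page's <head>."""
    finder = ServerLinkFinder()
    finder.feed(html_text)
    finder.close()
    servers = set(finder.servers)
    if len(servers) != 1:   # assumption: none or conflicting declarations are refused
        raise ValueError("expected exactly one openid.server link, found %d" % len(servers))
    url = servers.pop()
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:  # assumption
        raise ValueError("openid.server href is not an absolute http(s) URL")
    return url

# Constructed sample pages for bob.com: closed tag, unclosed tag, link only in <body>.
CLOSED = '<html><head><title>bob</title><link rel="openid.server" href="http://serverURL"/></head><body></body></html>'
UNCLOSED = "<HEAD><LINK HREF='http://serverURL' REL='openid.server'></HEAD><body>hi</body>"
BODY_ONLY = '<head><title>bob</title></head><body><link rel="openid.server" href="http://other"></body>'

if __name__ == "__main__":
    for page in (CLOSED, UNCLOSED):
        print(discover_server(page))
```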