Andrew,

The way I am writing the Artifact Binding draft is such that the RP always uses POST to communicate directly with the OP. The RP obtains the Artifact by POSTing a request to the OP. Note that a different nonce should result in a different artifact.
Then the Artifact is redirected via GET to the OP through the browser. The OP returns another artifact (which can be the same as the requested artifact). Ideally, there should be a one-to-one mapping between the request Artifact and the response Artifact. (One easy way is to make them the same.) Then the GET has no side effect on that request and thus does not violate HTTP.

The RP, upon receipt of the response Artifact, will POST it to the OP to obtain the assertion. If it is the first time, it will get a positive assertion. If it is a repeated POST, a negative assertion will be returned. Since it is a POST, it should be OK for the request to have side effects.

Cheers,

=nat

On Thu, Jan 28, 2010 at 8:57 AM, Andrew Arnott <[email protected]> wrote:
>
> John,
> Remember the argument I'm making is not "how do we get GET to work better"
> but "how do we stop using GET and switch to POST", since that will alleviate
> the nonce reuse problem. Coming up with craftier ways of using GET is
> moving in the wrong direction IMO. I'd like to see OpenID move to an
> all-POST protocol, and solve the HTTP-HTTPS boundary problem.
>
> Even with artifact binding moving the nonce outside the browser redirect
> URL, if only one GET is allowed because the artifact is a usable-once-only
> token, then it's not a GET--it's a POST by HTTP definition.
>
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
>

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
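The three-step exchange Nat sketches above, written out as an added example that is not part of the original thread or of the Artifact Binding draft. Everything in it is assumed for illustration: the in-memory OpenIDProvider class, the run_flow driver, the RP and user URLs and the nonce value. It models the direct RP-to-OP POST that issues an artifact per nonce, the browser GET that carries the artifact without side effects (replaying it returns the same response artifact and changes nothing), and the direct POST that redeems it, where the first redemption yields a positive assertion and any repeat a negative one.

```python
"""Toy model of the artifact-binding flow from the mail above.

Hypothetical, in-memory illustration (not the draft's code): the RP talks to
the OP directly over POST to obtain an artifact, the artifact travels through
the browser on a GET that has no side effect, and the RP redeems it with a
second direct POST that is allowed to have side effects.
"""
import secrets


class OpenIDProvider:
    def __init__(self):
        # request artifact -> record. The response artifact is the same string,
        # i.e. the "make them the same" one-to-one mapping from the mail.
        self._records = {}

    def request_artifact(self, rp_id, nonce):
        """Step 1: RP -> OP direct POST. A fresh (rp, nonce) pair gets a fresh
        artifact; re-POSTing the same pair returns the artifact already issued."""
        for art, rec in self._records.items():
            if rec["rp"] == rp_id and rec["nonce"] == nonce:
                return art
        art = secrets.token_urlsafe(16)
        self._records[art] = {"rp": rp_id, "nonce": nonce,
                              "user": None, "redeemed": False}
        return art

    def browser_get(self, artifact, session):
        """Step 2: browser redirect, a GET carrying only the artifact. The OP
        binds the artifact to the user already authenticated in the browser
        session (done once, so the binding is idempotent) and hands back the
        response artifact. Repeating the GET changes nothing and yields the
        same value, so the GET is safe in the HTTP sense."""
        rec = self._records.get(artifact)
        if rec is None:
            raise KeyError("unknown artifact")
        if rec["user"] is None:
            rec["user"] = session["user"]
        return artifact  # response artifact == request artifact

    def redeem(self, rp_id, response_artifact):
        """Step 3: RP -> OP direct POST to fetch the assertion. The first
        redemption returns a positive assertion and marks the artifact used;
        any later POST with the same artifact gets a negative assertion."""
        rec = self._records.get(response_artifact)
        if rec is None or rec["rp"] != rp_id or rec["user"] is None:
            return {"mode": "cancel", "reason": "unknown or unauthenticated artifact"}
        if rec["redeemed"]:
            return {"mode": "cancel", "reason": "artifact already redeemed"}
        rec["redeemed"] = True
        return {"mode": "id_res", "identity": rec["user"], "nonce": rec["nonce"]}


def run_flow(rp_id="https://rp.example/", user="https://alice.example/",
             nonce="2010-01-28T12:00:00Zabc"):
    """Drive one complete exchange (constructed sample values) and return the
    pieces worth inspecting: the replayed GET is harmless, the replayed POST is
    refused."""
    op = OpenIDProvider()
    art = op.request_artifact(rp_id, nonce)          # POST, direct
    resp1 = op.browser_get(art, {"user": user})      # GET via browser
    resp2 = op.browser_get(art, {"user": user})      # replayed GET: no effect
    first = op.redeem(rp_id, resp1)                  # POST, direct: positive
    second = op.redeem(rp_id, resp2)                 # replayed POST: negative
    return {"artifact": art, "get_idempotent": resp1 == resp2,
            "first": first, "second": second}


if __name__ == "__main__":
    import json
    print(json.dumps(run_flow(), indent=2))
```

The point the model makes concrete is the one Andrew and Nat are circling: the once-only behaviour lives in the direct RP-to-OP POST, so the browser-visible GET can be replayed or prefetched without consuming anything, while a captured artifact is still worthless to anyone who is not the RP that requested it.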
