Hi Manuel, FYI, your human friendly version of the Artifact Binding Spec proposal is https://openid4.us/specs/ab/ . It will change a few things before going to be final:
1. Change the signature to JWT that is supposed to come out this week or so. 2. Split the spec into the core, binding, and profiles so that it will share the same core as Connect. Nat Sakimura P.S. Actual spec archive is at http://bitbucket.org/openid/ab/ On Tue, Dec 7, 2010 at 9:59 AM, Breno de Medeiros <[email protected]> wrote: > On Mon, Dec 6, 2010 at 16:41, Manuel Lemos <[email protected]> wrote: > > Hello, > > > > I have developed my implementation of OpenID (consumer and provider). In > > general works well and it has been used in sites use that authenticate > > hundreds of thousands of users. > > > > The problem is that once in a while I get warnings from my system > regarding > > missing required attributes or invalided signatures. > > > > Looking closer at the problem I realized that in some cases the OpenID > > provider redirects the users back to the consumer sites but the user > > browsers are truncating URLs apparently at 400 characters. > > This could happen in some mobile devices. > > There are, AFAIK, only a few approaches to address this problem. > > - Choose to not support such user agents. > > - Providers might add detection for the problematic user-agents and > change their handling to use a POST redirect. But keep in mind that > this fix still is short of ideal: > -- Sometimes these devices also not support javascript, in which case > POST redirects require an additional confirmation dialog. > -- POST redirect from https to http result in scary warning dialogs in > some browsers. Avoiding this warning requires providers to invent some > proprietary redirect with short URLs from the https location to an > http location and start the POST operation from the http location. A > better solution would be for RPs to implement SSL return_to URLs, but > this has not been often done. > > - OpenID might define an 'artifact'-type workflow, as for instance, > the one proposed by the Artifact Binding WG, and shorten URLs of both > requests and responses to below 400 characters. > > > > > Anybody experienced this problem? > > > > Admittedly I may have missed something in the spec documents, but is > there > > anything in the specs that provides a solution to avoid redirecting > browsers > > to such long URLs? > > > > -- > > > > Regards, > > Manuel Lemos > > > > JS Classes - Free ready to use OOP components written in JavaScript > > http://www.jsclasses.org/ > > _______________________________________________ > > specs mailing list > > [email protected] > > http://lists.openid.net/mailman/listinfo/openid-specs > > > > > > -- > --Breno > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs > -- Nat Sakimura (=nat) http://www.sakimura.org/en/ http://twitter.com/_nat_en
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
