> No, Martin really meant "not possible": once basic auth is started,
> the browser prompts for username and password and you are in basic-auth
> land thereafter; the web server has *no way* to tell the browser to
> *stop* using basic auth.

Yes, but Scott proposed that OpenID users might fill in their OpenID
in the username field and leave the password field empty. Technically,
this would work - the browser would then get the OpenID redirect in
response to the original request.

>> imagine that only "ultra geeks" know their URIs (I have no idea what the
>> URI for a Google account is). But, I don't see this as being worthwhile
> 
> Well, my OpenId is 'david.bitdance.com', so even if you could get around
> the basic auth problem, looking for "http://" wouldn't work.

Sure - however, it would actually be possible to determine that this is
an OpenID: perform discovery on it. If that succeeds, try to establish
a provider association; if that also succeeds, redirect the user to the
OpenID login process.

However, I'd rather not do that, since OpenID users don't expect that
kind of interface.

Providing OpenID links on the login failure 401 response is reasonable,
though.

Regards,
Martin
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
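
The check described in the message (empty basic-auth password, then discovery on the username) can be sketched as follows. This is an added example, not code from the thread or from PyPI; it covers only HTML-based discovery and stops before association and redirect, and the names `candidate_openid`, `normalize`, `openid_endpoint`, the `fetch` callable and the `op.example` endpoint are assumptions made for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

def candidate_openid(authorization):
    """Username from a Basic header whose password is empty, else None."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = creds.partition(":")
    return user if sep and user and not password else None

def normalize(identifier):
    """Bare 'david.bitdance.com' style input gets http://; fragment is dropped."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL")  # never fetch other schemes
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", parts.query, ""))

class _ProviderLinks(HTMLParser):
    """Collects provider <link> hrefs (simplified: not limited to <head>)."""
    def __init__(self):
        super().__init__()
        self.providers = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if tag == "link" and a.get("href") and rels & {"openid2.provider", "openid.server"}:
            self.providers.append(a["href"])

def openid_endpoint(authorization, fetch):
    """Provider endpoint to associate with, or None to answer with a plain 401."""
    user = candidate_openid(authorization)
    try:
        url = normalize(user) if user else None
    except ValueError:
        url = None
    if url is None:
        return None
    finder = _ProviderLinks()
    finder.feed(fetch(url) or "")  # fetch: hypothetical callable, URL -> HTML or None
    return finder.providers[0] if finder.providers else None

# Constructed sample page and header; no network access is needed.
SAMPLE = {"http://david.bitdance.com/": '<head><link rel="openid2.provider" href="https://op.example/auth"></head>'}
HEADER = "Basic " + base64.b64encode(b"david.bitdance.com:").decode()
```

In a deployment, `fetch` is where the server makes an outbound request to a URL chosen by an unauthenticated client, so it should enforce timeouts and size limits and refuse internal addresses.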