Re: DRAFT 11 - FINAL?
On 1/30/07, Josh Hoyt [EMAIL PROTECTED] wrote:

*snip*

> While it is true that since the link relationship names changed, the openid2 is technically redundant, I think it is much clearer to everybody what is going on if the link relationship contains the version number. If the protocol version were to keep changing, I'd argue for a different solution.

Sure, that's good enough reason. Since html discovery is not really the preferred method anyway, I don't think the openid2.* links should stand in the way of finalizing the spec :)

-Rowan

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
RE: DRAFT 11 - FINAL?
I'm happy changing it from AJAX. I think it was originally used since AJAX is a bit overloaded already and people normally understand the flashy non-reloading sort of thing when saying it.

--David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rowan Kerr
Sent: Wednesday, January 31, 2007 12:50 PM
To: specs@openid.net
Subject: Re: DRAFT 11 - FINAL?

On 1/31/07, Martin Atkins [EMAIL PROTECTED] wrote:

> I think the spec is misusing the AJAX abbreviation a bit here, since the usual approach to doing this doesn't involve XMLHttpRequest at all, but instead works something like this:

*snip*

Yeah I've implemented a pure javascript demo this way (which works if the OP does a http redirect back to the RP instead of submitting a form).

> So no, this isn't really AJAX in the usual sense. As you noted, you can't do OpenID Auth client-side with XMLHttpRequest because of the same-origin restriction. You also can't do OpenID on the server because then the user's session cookie won't end up at the OP during the request. It still achieves the desired effect of doing an OpenID auth request without disturbing the current page, though.

So should wording other than AJAX be used in the spec? Or do we just point to an explanation on the wiki.

-Rowan
Re: DRAFT 11 - FINAL?
On 1/31/07, Recordon, David [EMAIL PROTECTED] wrote:

> I'm happy changing it from AJAX. I think it was originally used since AJAX is a bit overloaded already and people normally understand the flashy non-reloading sort of thing when saying it.

I suppose some people might, but for a developer (the kind of people most likely to end up implementing the spec), AJAX has a specific definition, and implies specific techniques that cannot actually be used with OpenID.

Or perhaps I'm being too pedantic but there must be a more general term that wouldn't have the potential to cause such confusion.

-Rowan
RE: DRAFT 11 - FINAL? openid2
Supporting point 2 (user with a v1 OP and a *separate* v2 OP) seems a bit unnecessary. A single OP can support v1 and v2 RPs at the same time. Point 2 is the sort of corner-case that can be supported by a Yadis file, but needn’t be supported by the simple HTML discovery alternative.

My vote would be to keep openid.server and openid.delegate (instead of openid2.provider and openid2.local_id) and add openid.version.

P.S. The spec should talk about <link …/>, instead of <LINK …>, elements. It does this in the §A.4 “HTML Identifier Markup” example, but not in §7.3.3 “HTML-based discovery”. Version 1.1 used <link …>; HTML is case-insensitive so <link …> is ok; XHTML is case-sensitive so <LINK …/> is not acceptable.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Hoyt
Sent: Wednesday, 31 January 2007 12:50 PM
To: Recordon, David
Cc: specs@openid.net
Subject: Re: DRAFT 11 - FINAL?

On 1/30/07, Recordon, David [EMAIL PROTECTED] wrote:

> Yeah, I'm not a big fan of openid2.* though it was the simplest method of fixing up HTML discovery to work with multiple protocol versions. I know Josh thought about this more than I did though.

1. Before authentication is initiated, the RP needs to determine what the protocol is. This could be done via discovery on the OP, but there has been general rejection of adding yet another discovery step.

2. A user may have one service that provides OpenID 1 and another that provides OpenID 2. If this is the case, then the version information needs to be bound to the link tag that contains the information.

Given (1), the information needs to be embedded in the HTML markup. Given (2), the information needs to be tied to the specific link tag. For example:

    <link rel="openid.server" href="http://op.example.com/openid1">
    <link rel="openid2.provider" href="http://op.example.com/openid2">

vs.

    <link rel="openid.server" href="http://op.example.com/openid1">
    <link rel="openid.provider" href="http://op.example.com/openid2">
    <link rel="openid.protocol_version" href="http://specs.openid.net/auth/2.0">

While it is true that since the link relationship names changed, the openid2 is technically redundant, I think it is much clearer to everybody what is going on if the link relationship contains the version number. If the protocol version were to keep changing, I'd argue for a different solution.

Josh
Re: DRAFT 11 - FINAL?
The openid2.* links bug me a little.. but due to no openid.ns being defined in the 1.x protocol, maybe there is no other way to specify by HTML discovery that your OP is 2.0 capable. Would it be bad to have an openid.version link instead?

Also, the spec mentions AJAX interactions, but I don't see how you can actually use AJAX with OpenID, since none of the responses are in XML format .. it relies entirely on GET or POST redirection, not to mention that you have to make cross-domain requests which XmlHttpRequest will not do without extra security privileges. (Or am I missing something?)

-Rowan
RE: DRAFT 11 - FINAL?
Yeah, I'm not a big fan of openid2.* though it was the simplest method of fixing up HTML discovery to work with multiple protocol versions. I know Josh thought about this more than I did though.

From what I've seen people do, it is AJAX between your server and application, then OpenID's checkid_immediate between the server and OP, with an AJAX response from your server to application.

--David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rowan Kerr
Sent: Tuesday, January 30, 2007 2:02 PM
To: specs@openid.net
Subject: Re: DRAFT 11 - FINAL?

The openid2.* links bug me a little.. but due to no openid.ns being defined in the 1.x protocol, maybe there is no other way to specify by HTML discovery that your OP is 2.0 capable. Would it be bad to have an openid.version link instead?

Also, the spec mentions AJAX interactions, but I don't see how you can actually use AJAX with OpenID, since none of the responses are in XML format .. it relies entirely on GET or POST redirection, not to mention that you have to make cross-domain requests which XmlHttpRequest will not do without extra security privileges. (Or am I missing something?)

-Rowan
Re: DRAFT 11 - FINAL?
On 1/30/07, Recordon, David [EMAIL PROTECTED] wrote:

> Yeah, I'm not a big fan of openid2.* though it was the simplest method of fixing up HTML discovery to work with multiple protocol versions. I know Josh thought about this more than I did though.

1. Before authentication is initiated, the RP needs to determine what the protocol is. This could be done via discovery on the OP, but there has been general rejection of adding yet another discovery step.

2. A user may have one service that provides OpenID 1 and another that provides OpenID 2. If this is the case, then the version information needs to be bound to the link tag that contains the information.

Given (1), the information needs to be embedded in the HTML markup. Given (2), the information needs to be tied to the specific link tag. For example:

    <link rel="openid.server" href="http://op.example.com/openid1">
    <link rel="openid2.provider" href="http://op.example.com/openid2">

vs.

    <link rel="openid.server" href="http://op.example.com/openid1">
    <link rel="openid.provider" href="http://op.example.com/openid2">
    <link rel="openid.protocol_version" href="http://specs.openid.net/auth/2.0">

While it is true that since the link relationship names changed, the openid2 is technically redundant, I think it is much clearer to everybody what is going on if the link relationship contains the version number. If the protocol version were to keep changing, I'd argue for a different solution.

Josh
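Added example, not part of the original thread and not taken from any OpenID library: a Python sketch of relying-party HTML discovery under the first scheme in the message above, where the protocol version is carried by the rel name itself. The names `LinkCollector` and `discover`, the version labels "1" and "2", and the sample page are constructed for illustration; accepting links only inside the head element is an assumption of this sketch.

```python
from html.parser import HTMLParser

class LinkCollector(HTMLParser):
    """Collect openid* rel -> href from <link> elements inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names: <LINK REL=...> matches too
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # tolerate a missing </head>
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            for rel in (a.get("rel") or "").lower().split():  # rel is a token list
                if href and rel.startswith("openid"):
                    self.links.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html):
    """Return (version, endpoint, local_id), preferring OpenID 2, or None."""
    parser = LinkCollector()
    parser.feed(html)
    links = parser.links
    # The version is bound to the rel name, so a v1 delegate is never paired with a v2 provider
    if "openid2.provider" in links:
        return ("2", links["openid2.provider"], links.get("openid2.local_id"))
    if "openid.server" in links:
        return ("1", links["openid.server"], links.get("openid.delegate"))
    return None


# Constructed page: one user with a v1 service and a separate v2 service (point 2)
SAMPLE = """<html><head>
<LINK REL="openid.server" HREF="http://op.example.com/openid1">
<link rel="openid.delegate" href="http://user.example.com/v1">
<link rel="openid2.provider" href="http://op.example.com/openid2"/>
</head><body><link rel="openid2.provider" href="http://other.example.com/op"></body></html>"""

if __name__ == "__main__":
    print(discover(SAMPLE))
```
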
DRAFT 11 - FINAL?
Hey List

To deal with the recent security concern postings about OpenID, language was added to clarify a secure channel is needed between the OP and the end-user's machine.

Are there any more issues with this specification:

http://openid.net/specs/openid-authentication-2_0-11.html

Can we make this final?

-- Dick
RE: DRAFT 11 - FINAL?
Considering draft 11 hasn't been published yet, I don't see how we can make it final at this point. In addition, the file you link to is a few patches old.

While I appreciate your enthusiasm, Josh, Johnny, and I do have a process to this madness. I know you know that we're really close, there is one remaining issue Josh, Drummond, and I are tackling this afternoon, and then we'll publish draft 11.

Thanks,
--David

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt
Sent: Thursday, January 18, 2007 3:45 PM
To: specs@openid.net
Subject: DRAFT 11 - FINAL?

Hey List

To deal with the recent security concern postings about OpenID, language was added to clarify a secure channel is needed between the OP and the end-user's machine.

Are there any more issues with this specification:

http://openid.net/specs/openid-authentication-2_0-11.html

Can we make this final?

-- Dick
Re: DRAFT 11 - FINAL?
OK -- would it be possible to keep the list apprised of the progress and post the issue and resolution once you are done this afternoon?

-- Dick

On 18-Jan-07, at 3:55 PM, Recordon, David wrote:

> Considering draft 11 hasn't been published yet, I don't see how we can make it final at this point. In addition, the file you link to is a few patches old.
>
> While I appreciate your enthusiasm, Josh, Johnny, and I do have a process to this madness. I know you know that we're really close, there is one remaining issue Josh, Drummond, and I are tackling this afternoon, and then we'll publish draft 11.
>
> Thanks,
> --David
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt
> Sent: Thursday, January 18, 2007 3:45 PM
> To: specs@openid.net
> Subject: DRAFT 11 - FINAL?
>
> Hey List
>
> To deal with the recent security concern postings about OpenID, language was added to clarify a secure channel is needed between the OP and the end-user's machine.
>
> Are there any more issues with this specification:
>
> http://openid.net/specs/openid-authentication-2_0-11.html
>
> Can we make this final?
>
> -- Dick