On 12-Oct-06, at 12:10 PM, Recordon, David wrote:
> We thus believe that any state tracking needed by a stateless RP  
> must be maintained as GET parameters within the return_to  
> argument.  In the case of a stateful RP, it can either do the same  
> thing, or store state via other means such as using a session id  
> within a cookie to reference database data.
So basically the query string of the return_to parameter is used to  
implement pass through parameters.

Why not require that unknown parameters be passed through? This way  
the return_url is clean and it can be persisted (for bookmarking for  
example) and there are no size limitations.

If passing through all unrecognized parameters can cause problems  
then there could be a special namespace for this purpose. For  
example, all parameters with names starting with openid.pass. should  
be ignored by the IdP and passed back to the RP.


specs mailing list

Reply via email to