On 12-Oct-06, at 12:10 PM, Recordon, David wrote:

> We thus believe that any state tracking needed by a stateless RP
> must be maintained as GET parameters within the return_to
> argument. In the case of a stateful RP, it can either do the same
> thing, or store state via other means such as using a session id
> within a cookie to reference database data.

So basically the query string of the return_to parameter is used to implement pass through parameters.
Why not require that unknown parameters be passed through? This way the return_url is clean and it can be persisted (for bookmarking, for example) and there are no size limitations.

If passing through all unrecognized parameters can cause problems then there could be a special namespace for this purpose. For example, all parameters with names starting with openid.pass. should be ignored by the IdP and passed back to the RP.

Marius
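
The two ways of carrying RP state discussed in this message, side by side, as an added example that is not part of the original post or of any OpenID library: state embedded in the `return_to` query string, and the proposed `openid.pass.` namespace echoed back by the IdP. The function names, the `rp.example` URL and the sample state are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlparse, parse_qsl, urlunparse

PASS_PREFIX = "openid.pass."  # namespace proposed in the message, not a spec constant


def return_to_with_state(base_url, state):
    """Approach 1: a stateless RP carries its state in the return_to query string."""
    parts = urlparse(base_url)
    query = parse_qsl(parts.query, keep_blank_values=True) + sorted(state.items())
    return urlunparse(parts._replace(query=urlencode(query)))


def request_with_passthrough(return_to, state):
    """Approach 2: return_to stays clean; state rides in openid.pass.* parameters."""
    params = {"openid.return_to": return_to}
    params.update({PASS_PREFIX + k: v for k, v in state.items()})
    return params


def idp_redirect(request_params, response_params):
    """IdP side: do not interpret openid.pass.* values, echo them back unchanged."""
    passed = {k: v for k, v in request_params.items() if k.startswith(PASS_PREFIX)}
    parts = urlparse(request_params["openid.return_to"])
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += sorted(response_params.items()) + sorted(passed.items())
    return urlunparse(parts._replace(query=urlencode(query)))


def rp_recover_state(redirect_url):
    """RP side: split the returned query into RP state and protocol parameters."""
    state, protocol = {}, {}
    for key, value in parse_qsl(urlparse(redirect_url).query, keep_blank_values=True):
        if key.startswith(PASS_PREFIX):
            state[key[len(PASS_PREFIX):]] = value
        elif key.startswith("openid."):
            protocol[key] = value
        else:
            state[key] = value  # state that was embedded in return_to (approach 1)
    return state, protocol


if __name__ == "__main__":
    sample = {"cart": "42", "next": "/checkout?step=2"}  # constructed sample state
    req = request_with_passthrough("https://rp.example/openid/return", sample)
    print(idp_redirect(req, {"openid.mode": "id_res"}))
```

In both approaches the values travel through the user's browser, so the RP handles the recovered state as untrusted input.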