On 17-Nov-06, at 7:17 PM, John Kemp wrote:
>> - According to the HTTP RFC, user agents receiving a 3XX redirect in
>> response to a POST request MUST NOT automatically redirect the request.
>
> Yup, if you use a 302 redirect, which is probably what you'd want,
> then there is that potential. You can use 303 or 307 (as mentioned in
> 5.2.1 of draft 10 of the spec.) in order to better control that.

I see that the "MUST NOT automatically" applies to all redirects:  
301, 302, 303 and 307 (sections 10.3.2, 10.3.3, 10.3.4, and 10.3.8 of  
RFC2616).

>> - See the note in RFC: even though the user-agents aren't supposed to
>> change the method, some perform a GET on the redirect URL, even though
>> the initial request was a POST.
>>
>> - In the specific case of OpenID authentication messages, the server
>> issuing the redirect needs to send data (the OpenID message) to its
>> peer, via the user agent. I don't see how the user-agent can be
>> instructed via a redirect to use the POST response at the redirect URL.
>
> Wouldn't the IdP also issue a 302 redirect with its response
> message to the RP?

Not to the RP directly; the user-agent would receive the IdP's  
response, but it wouldn't have a way of POSTing it to the RP.

(The same applies to auth request messages, in the opposite direction.)

> Of course, the RP would have to remember what location the user-agent
> originally requested, in order to give the right content to the
> user-agent.

The content (IdP's response) never reaches the RP in this case; it  
ends up in the user-agent.

> As far as I can tell, HTTP redirects are already supported in some
> current (pre 2.0) OpenID implementations, so I'm still not sure what
> the problem is with allowing HTTP redirect implementations in OpenID 2.0.

HTTP redirects work with pre 2.0 (and 2.0), but only with GET  
requests and the parameters encoded in the redirect URL.

I don't see how HTTP redirects can work with POSTs, which is why I  
believe the solution was to use POSTs and HTML FORM redirection in 2.0.


Johnny

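An added example, not code from this thread or from any OpenID implementation: the two indirect-communication mechanisms the reply above contrasts, a plain HTTP redirect that can only carry the message as GET query parameters, and the auto-submitting HTML form that lets the user agent deliver it to the peer by POST. Endpoint URLs and message fields are constructed placeholders.

```python
# Added example (not from the thread): GET redirect vs. HTML form redirection
# for carrying an OpenID message through the user agent.
import html
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl


def build_get_redirect(endpoint: str, message: dict) -> str:
    """Return the Location URL for a 302/303 redirect carrying `message`.

    This is the only thing a plain HTTP redirect can do: the message ends up
    as query parameters and the peer receives a GET.
    """
    parts = urlsplit(endpoint)
    # Preserve any query string the endpoint already has (e.g. a return_to URL).
    query = parse_qsl(parts.query, keep_blank_values=True) + sorted(message.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_form_redirect(endpoint: str, message: dict) -> str:
    """Return an HTML page whose form POSTs `message` to `endpoint` on load.

    Every attribute value is HTML-escaped: the message fields originate from
    the other party, so an unescaped value could break out of the markup and
    inject content into the page the user agent renders.
    """
    fields = "\n".join(
        '    <input type="hidden" name="%s" value="%s" />'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in sorted(message.items())
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        '  <form method="post" action="%s" accept-charset="UTF-8">\n'
        "%s\n"
        '    <noscript><input type="submit" value="Continue" /></noscript>\n'
        "  </form>\n</body></html>\n"
    ) % (html.escape(endpoint, quote=True), fields)


if __name__ == "__main__":
    # Constructed sample message, not one captured from a real deployment.
    msg = {"openid.ns": "http://specs.openid.net/auth/2.0",
           "openid.mode": "checkid_setup",
           "openid.return_to": "https://rp.example/finish?x=1"}
    print(build_get_redirect("https://op.example/auth?a=b", msg))
    print(build_form_redirect("https://rp.example/finish", msg))
```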
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs