On Sat, 18 Nov 2006, John Kemp wrote: > Dick Hardt wrote: > >> > >> But why deprecate support for redirects? I'd (still) like to see OpenID > >> implementations that do support browsers without JS turned on . > > > > > > As stated a number of times, because the payload is not big enough with > > GET redirects. It is with JS POST redirects.
The alternative is to say OpenID can't pass big messages in core protocol messages and there could be an extension for how to do it out-of-band when needed. > > OpenID 1.1 did not have a large payload. We expect the payloads to be > > much larger with OpenID 2.0. > > I guess the payload size will vary according to the RP and IdP > implementations, no? Exactly. In the common case, they'll be small, easily within a GET request. But we're throwing out the common case and designing for the hypothetical cases. *sigh* > > We will see if the JS requirement is an issue. I do not think it is > > given what I know now. > > Well, admittedly, if no-one except me thinks that redirects should be > supported in OpenID 2.0, then I certainly expect to lose that argument ;) I hate making GET deprecated. I don't mind POST also existing (well, I do mind, but not enough to fight it), but I definitely think GET needs to stay as a equally recommended method. I hate the idea of JavaScript being necessary for a simple auth request. - Brad _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs