On Wed, Mar 25, 2009 at 3:33 AM, Luke Shepard <lshep...@facebook.com> wrote: > One crude way to do it would be to have the caller specify that they want > the return_to args simply appended instead of integrated into the URL- > perhaps an argument like openid.append_return_to_params=true. But that > sounds hackish and I’d love to hear feedback on a better way to do this.
How would this interact with OpenID providers that respond via a POST request instead of a GET? This is something they are permitted to do according to the spec, and may decide to do so even if the authentication request was started with a GET if the response is large enough. If it helps, you could reproduce such a response with a form like: <form action="http://open.lukeshepard.com/openid_receiver.html?query#hash" method="post" accept-charset="UTF-8"> <input type="hidden" name="openid.ns" value="..."> ... <input type="submit" value="Submit"> </form> This proposal sounds like something that will work most of the time but fail in a number of valid cases. It'd be nice to support the popup based authentication workflow well, but I am not convinced that relying on this quirk is the right way to do so. James. _______________________________________________ specs mailing list firstname.lastname@example.org http://openid.net/mailman/listinfo/specs