[cl-openid-devel] Re: meaning of immediate authentication request

Maciek Pasternacki maciej at pasternacki.net
Wed Jul 9 21:46:33 UTC 2008


Hello,

On Thu, 2008-07-10 at 00:21 +0300, Anton Vodonosov wrote:
> What I do not understand from the spec is immediate authentication
> requests.
> 
> Could you explain me? How could OpenID Provider return positive
> authentication reply in response to a query containing essentially
> just a user name without any password, etc?

An immediate authentication request is still an indirect request, i.e. a
redirect for the authenticated user's browser.  So the OP may be able to
authenticate the end user by e.g. IP, cookies, HTTPS client certificate (like
in the http://certifi.ca/ provider), and so on.  The immediate request is
just an indication that the OP should not attempt to interact with the end user.

> What is a real word scenario for this?

E.g. some shiny AJAX OpenID login widget that allows the user to log in
without reloading the page.  The user inputs an ID in the Ajax widget, the
JavaScript's XMLHttpRequest is redirected (30x status) to the OP, then
immediately 30x back to the RP with either a positive assertion, or
setup_needed.  In the second case, the RP returns to the JavaScript that
authentication was not successful, and that the JS should attempt to reload
the whole page for the interactive checkid_setup request.

If in such a scenario the OP attempted to interact with the end user, the
XMLHttpRequest would only get some HTML garbage and wouldn't know what
to do with it.

Regards,
Maciek.

-- 
-><- Maciej 'japhy' Pasternacki -><- http://www.pasternacki.net/ -><-
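The exchange described in the message above, as an added worked example that is not part of the original post and not cl-openid's own code: the RP builds a checkid_immediate request, the OP answers it from a browser cookie alone (positive assertion if the cookie proves the requested identifier, setup_needed otherwise), and the RP verifies the assertion and reduces it to the answer the AJAX widget needs. The OP endpoint, return_to URL, realm, association handle, MAC key and the OP's session table are all constructed for the example; the signature is the OpenID 2.0 HMAC over the Key-Value Form of the signed fields, computed with an association that both sides are assumed to share already.

```python
import base64
import hashlib
import hmac
import time
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Assumed endpoints (hypothetical hosts, not from the original message).
OP_ENDPOINT = "https://op.example.net/server"
RP_RETURN_TO = "https://rp.example.org/openid/return"
RP_REALM = "https://rp.example.org/"

# Constructed association: a handle and MAC key the RP and OP are assumed to
# share already (normally established via OpenID "associate" mode). Demo only.
ASSOC_HANDLE = "assoc-example-1"
MAC_KEY = hashlib.sha256(b"constructed demo key, do not reuse").digest()

# Constructed OP session store: browser cookie value -> identifier it proves.
OP_SESSIONS = {"sess-alice": "https://op.example.net/id/alice"}

# RP-side replay protection: response nonces already accepted.
SEEN_NONCES = set()


def build_immediate_request(claimed_id):
    """RP: the checkid_immediate URL the widget's XMLHttpRequest is redirected to."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.return_to": RP_RETURN_TO,
        "openid.realm": RP_REALM,
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _kv_form(fields, keys):
    """Key-Value Form encoding of the signed fields (OpenID 2.0, section 4.1.1)."""
    return "".join("%s:%s\n" % (k, fields[k]) for k in keys)


def _signature(fields, keys):
    mac = hmac.new(MAC_KEY, _kv_form(fields, keys).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_handle_immediate(request_url, cookie, nonce=None):
    """OP: answer from existing browser state only; never prompt the user."""
    req = _query(request_url)
    if req.get("openid.mode") != "checkid_immediate":
        raise ValueError("not an immediate request")
    user = OP_SESSIONS.get(cookie)
    if user is None or user != req.get("openid.identity"):
        # Cannot assert without interacting: tell the RP a setup request is needed.
        params = {"openid.ns": OPENID_NS, "openid.mode": "setup_needed"}
        return req["openid.return_to"] + "?" + urlencode(params)
    if nonce is None:  # UTC timestamp plus unique suffix, as the spec requires
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + uuid.uuid4().hex[:8]
    fields = {
        "mode": "id_res",
        "op_endpoint": OP_ENDPOINT,
        "claimed_id": user,
        "identity": user,
        "return_to": req["openid.return_to"],
        "response_nonce": nonce,
        "assoc_handle": ASSOC_HANDLE,
    }
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
              "claimed_id", "identity"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = _signature(fields, signed)
    params = {"openid.ns": OPENID_NS}
    params.update(("openid." + k, v) for k, v in fields.items())
    return req["openid.return_to"] + "?" + urlencode(params)


def rp_handle_response(response_url):
    """RP: turn the OP's redirect into the answer the JavaScript widget needs."""
    fields = {k[len("openid."):]: v for k, v in _query(response_url).items()
              if k.startswith("openid.")}
    mode = fields.get("mode")
    if mode == "setup_needed":
        # Widget must reload the page and start an interactive checkid_setup.
        return {"authenticated": False, "action": "reload_for_checkid_setup"}
    if mode != "id_res":
        return {"authenticated": False, "action": "error"}
    try:
        signed = fields["signed"].split(",")
        required = ["op_endpoint", "return_to", "response_nonce", "assoc_handle"]
        required += [k for k in ("claimed_id", "identity") if k in fields]
        if any(k not in signed for k in required):
            return {"authenticated": False, "action": "error"}
        # return_to must be the URL this response actually arrived at.
        if fields["return_to"] != RP_RETURN_TO != response_url.split("?", 1)[0]:
            return {"authenticated": False, "action": "error"}
        if fields["assoc_handle"] != ASSOC_HANDLE:
            return {"authenticated": False, "action": "error"}
        sig = fields["sig"]
        expected = _signature(fields, signed)  # KeyError if signed names a missing field
    except KeyError:
        return {"authenticated": False, "action": "error"}
    if not hmac.compare_digest(expected, sig):
        return {"authenticated": False, "action": "error"}
    if fields["response_nonce"] in SEEN_NONCES:
        return {"authenticated": False, "action": "replay"}
    SEEN_NONCES.add(fields["response_nonce"])
    return {"authenticated": True, "claimed_id": fields["claimed_id"]}
```

The RP side returns a small dict rather than HTML precisely because, in the widget scenario, the caller is an XMLHttpRequest; the same function would serialize it as JSON. The nonce set is what stops a captured positive assertion from being replayed into a second session, and the signature check over the signed-field list (rather than over whatever the response happens to contain) is what stops a response with an edited claimed_id from passing.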