[cl-openid-devel] Re: meaning of immediate authentication request

Anton Vodonosov avodonosov at yandex.ru
Wed Jul 9 22:19:06 UTC 2008


I see. Thanks.
10.07.08, 01:46, "Maciek Pasternacki" :

> Hello,
> On Thu, 2008-07-10 at 00:21 +0300, Anton Vodonosov wrote:
> > What I do not understand from the spec is immediate authentication
> > requests.
> > 
> > Could you explain it to me? How could OpenID Provider return positive
> > authentication reply in response to a query containing essentially
> > just a user name without any password, etc?
> Immediate authentication request is still an indirect request, i.e. a
> redirect for authenticated user's browser.  So the OP may be able to
> authenticate end user by e.g. IP, cookies, HTTPS client certificate (like
> in http://certifi.ca/ provider), and so on.  The immediate request is
> just an indication that OP should not attempt to interact with end user.
> > What is a real world scenario for this?
> E.g. some shiny AJAX OpenID login widget that allows user to log in
> without reloading the page.  User inputs ID in Ajax widget, the
> JavaScript's XMLHTTPRequest is redirected (30x status) to OP, then
> immediately 30x back to RP with either positive assertion, or
> setup_needed.  In second case, RP returns to JavaScript that
> authentication was not successful, and that JS should attempt to reload
> whole page for the interactive checkid_setup request.
> If in such scenario OP attempted to interact with end user, the
> XMLHTTPRequest would only get some HTML garbage and wouldn't know what
> to do with it.
> Regards,
> Maciek.
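
The relying-party side of the checkid_immediate round trip described above, as an added example that is not part of the original thread and is not cl-openid code. The function names and the example.* URLs are assumptions made for illustration; it also covers the OpenID 1.1 form of the "setup needed" reply, which goes beyond the case named in the message.

```javascript
// Added example: relying-party (RP) side of a checkid_immediate round trip.
const OPENID2_NS = "http://specs.openid.net/auth/2.0";

// Build the indirect request URL that the user agent is redirected to.
function buildImmediateRequest(opEndpoint, claimedId, returnTo, realm) {
  const url = new URL(opEndpoint);
  const p = url.searchParams;
  p.set("openid.ns", OPENID2_NS);
  p.set("openid.mode", "checkid_immediate"); // OP must not interact with the user
  p.set("openid.claimed_id", claimedId);
  p.set("openid.identity", claimedId);
  p.set("openid.return_to", returnTo);
  p.set("openid.realm", realm);
  return url.toString();
}

// Decide what the RP does with the response that arrives on return_to.
function classifyImmediateResponse(returnUrl) {
  const p = new URL(returnUrl).searchParams;
  const mode = p.get("openid.mode");
  // OpenID 2.0 negative reply to an immediate request.
  if (mode === "setup_needed") return "retry_with_checkid_setup";
  if (mode !== "id_res") return "reject"; // cancel, error, missing, unknown
  // OpenID 1.1 signalled "setup needed" as id_res plus user_setup_url.
  if (p.has("openid.user_setup_url")) return "retry_with_checkid_setup";
  // A candidate positive assertion: it must carry the signed fields, and the
  // RP still has to verify signature, nonce and return_to before logging in.
  const required = ["return_to", "assoc_handle", "signed", "sig"];
  if (p.get("openid.ns") === OPENID2_NS) required.push("op_endpoint", "response_nonce");
  const complete = required.every((f) => p.get("openid." + f));
  return complete ? "verify_assertion" : "reject";
}

// Constructed sample values (not from the original thread).
const RETURN_TO = "https://rp.example/openid/return";
const sampleRequest = buildImmediateRequest(
  "https://op.example/endpoint", "https://alice.example/", RETURN_TO, "https://rp.example/");
const sampleSetupNeeded = RETURN_TO + "?openid.ns=" + encodeURIComponent(OPENID2_NS) +
  "&openid.mode=setup_needed";
```

A result of "verify_assertion" only means the reply has the shape of a positive assertion; the session is established after the signature, nonce and return_to checks pass.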


