Monday, 26 February 2007
Unless I’m missing something.
By coincidence (I really don't remember what drove me to do it), a while ago I registered with MyOpenID, so now I can identify myself as piccinini.myopenid.com and, through delegation, as superfluo.org, which, if nothing else, is pretty cool (in response to Tim Bray's What Could I Use It For Today? question ;-) ).
But I'm missing something about OpenID too, and I'm going to share these doubts with my readers (do I have readers??!!).
A short story: I discovered OpenID about 6 months ago while I was evaluating authentication methods for a new public web application. It immediately struck me as a very clever and exciting idea, so I would have been happy to adopt it. On the other hand, I wanted to follow a REST architectural style, and these two requirements seemed very hard to reconcile; so, already having enough problems on my ToDo list, I gave up on OpenID.
Back to the present: I still think it's a great idea, but I wonder how it can be used RESTfully. Let me explain why in 4 steps:
- to obey the RESTful principles your application should be stateless;
- this means that you don't have a user session in which to save authentication credentials;
- this, in turn, implies that you have to authenticate every request;
- if OpenID is part of the game, this means that for every request you have to contact an OpenID server to check the user credentials. In my opinion this is impracticable in most real situations.
Obviously I could be completely wrong; am I? In that case, how is it possible to use OpenID in a RESTful way? Back when I did my first evaluation I searched quickly (very, very quickly, honestly speaking) but found nothing.
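As an added illustration, not part of the original post: one way step 4 can be avoided is to contact the OpenID server only once, when the provider's assertion is verified, and have the relying party hand back a signed, expiring token bound to the verified identifier. Every later request is then authenticated by checking that token locally, with no server-side session and no round-trip to the provider. The token format, the HMAC key and the lifetime below are assumptions of this example, not anything from the post or from the OpenID specification.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real relying party loads this from secure config.
SECRET = b"example-relying-party-secret"
TOKEN_TTL = 3600  # seconds a token stays valid (assumed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(openid_identifier: str, now: int, secret: bytes = SECRET) -> str:
    """Called once, right after the OpenID provider's assertion has been
    verified. Binds the verified identifier and an expiry into a token the
    relying party can check later without any session store."""
    claims = {"sub": openid_identifier, "exp": now + TOKEN_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token: str, now: int, secret: bytes = SECRET):
    """Per-request check (e.g. on an Authorization header). Returns the
    OpenID identifier on success, None on any failure: bad format, bad MAC
    or expired. No call to the OpenID server is needed here."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")
```

Because the token carries its own expiry and MAC, the server keeps no per-user state; revocation before expiry would need an extra mechanism, which is the usual trade-off of this approach.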