On 9/26/2010 11:45 PM, R. David Murray wrote:
> On Sun, 26 Sep 2010 21:56:20 -0400, Scott Dial
> <scott+python-...@scottdial.com> wrote:
>> On 9/26/2010 3:12 AM, Martin v. Loewis wrote:
>>> Preventing the browser from prompting the user on the chance they
>>> might want to enter an OpenID is not possible, and stopping to use
>>> basic authentication is not feasible.
>>
>> In theory, you could catch usernames that started with "http://", but I
>
> No, Martin really meant "not possible": once basic auth is started,
> the browser prompts for username and password and you are in basic-auth
> land thereafter; the web server has *no way* to tell the browser to
> *stop* using basic auth.

I agree that once you reply with a 401 that you will prompt the user, but
my point was what "username" means in the Authorization header is open to
interpretation by the HTTP server and/or script handling the GET request.

>> imagine that only "ultra geeks" know their URIs (I have no idea what the
>> URI for a Google account is). But, I don't see this as being worthwhile
>
> Well, my OpenId is 'david.bitdance.com', so even if you could get around
> the basic auth problem, looking for "http://" wouldn't work.

That's actually not a valid OpenID[1], but the OpenID specification says a
relaying party "MUST" normalize identifiers[2] (in this case, prepending
the "http://"). I believe bugs.python.org does this by checking for a
username first(?), and failing any matches, it normalizes it for OpenID
discovery. Otherwise, I can always use the canonical form of my ID
"http://scottdial.com" to login (assuming ':' and '/' are illegal
characters for usernames).

I say all this not with the intent of saying pypi *needs* this, but to
refute the notion that OpenID must be clumsy to use.

[1] http://openid.net/specs/openid-authentication-2_0.html
"""
Identifier: An Identifier is either a "http" or "https" URI, (commonly
referred to as a "URL" within this document), or an XRI (Reed, D. and
D. McAlpin, “Extensible Resource Identifier (XRI) Syntax V2.0,” .)
[XRI_Syntax_2.0].
"""

[2] http://openid.net/specs/openid-authentication-2_0.html#normalization
"""
3. Otherwise, the input SHOULD be treated as an http URL; if it does not
include a "http" or "https" scheme, the Identifier MUST be prefixed with
the string "http://". If the URL contains a fragment part, it MUST be
stripped off together with the fragment delimiter character "#". See
Section 11.5.2 (HTTP and HTTPS URL Identifiers) for more information.
"""

-- 
Scott Dial
sc...@scottdial.com
scod...@cs.indiana.edu
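
The normalization rule quoted in [2], combined with the username-first lookup the message describes, as an added example that is not part of the original post and is not bugs.python.org's code. The names `normalize_identifier` and `resolve_login` and the sample usernames are hypothetical; the XRI checks are steps 1 and 2 of the same spec section, which the message does not quote, and the trailing "/" on an empty path is RFC 3986 normalization.

```python
from urllib.parse import urlsplit, urlunsplit

# First characters that mark user input as an XRI (spec steps 1-2).
XRI_GLOBAL_CONTEXT = "=@+$!("


def normalize_identifier(user_input):
    """Return (kind, identifier) where kind is "xri" or "url"."""
    ident = user_input.strip()
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if not ident:
        raise ValueError("empty identifier")
    if ident[0] in XRI_GLOBAL_CONTEXT:
        return "xri", ident
    # Step 3: no http/https scheme means "http://" MUST be prefixed.
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    if not parts.netloc:
        raise ValueError("no host in identifier: %r" % user_input)
    # Passing "" as the last element strips the fragment and its "#".
    return "url", urlunsplit(
        (parts.scheme, parts.netloc, parts.path or "/", parts.query, "")
    )


def resolve_login(field, known_usernames):
    """Hypothetical handler for one login field: an exact match on a
    local username wins, anything else is treated as an OpenID."""
    if field in known_usernames:
        return "local", field
    _kind, ident = normalize_identifier(field)
    return "openid", ident


if __name__ == "__main__":
    users = {"rdmurray", "scott"}  # constructed sample accounts
    for text in ("scott", "david.bitdance.com", "http://scottdial.com#me"):
        print(text, "->", resolve_login(text, users))
```

Forbidding ':' and '/' in usernames only keeps the scheme-prefixed form unambiguous: with username-first matching, an account registered as `david.bitdance.com` would shadow that OpenID, so a site using this scheme also has to decide whether dotted usernames are allowed.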