Comments on: On Mobile OpenID in Japan http://dready.org/blog/2009/01/02/mobile-openid-in-japan/ musings on internationalized identifiers: domain names, OpenID, TLDs Sun, 14 Mar 2010 21:20:50 +0000 http://wordpress.org/?v=2.6.2 By: wil http://dready.org/blog/2009/01/02/mobile-openid-in-japan/#comment-27831 wil Mon, 05 Jan 2009 12:46:45 +0000 http://dready.org/blog/?p=190#comment-27831 I too wonder if this situation is unique to the Japanese mobile market. Korean mobile carriers come to mind (in terms of how customized the network can be.) At least for DoCoMo, I believe the restrictions are applied at the imode gateways. However, the distinction of where the limitations live may not be so relevant since Japanese mobile carriers pretty much dictate the design specifications for the device lineups. Using POST for authentication responses will probably work if implementations are following the spec, i.e. looks in both the query string as well as POST body. It needs to be verified. I'm going to try it out in the next few days and report back. I too wonder if this situation is unique to the Japanese mobile market. Korean mobile carriers come to mind (in terms of how customized the network can be.)

At least for DoCoMo, I believe the restrictions are applied at the imode gateways. However, the distinction of where the limitations live may not be so relevant since Japanese mobile carriers pretty much dictate the design specifications for the device lineups.

Using POST for authentication responses will probably work if implementations are following the spec, i.e. looks in both the query string as well as POST body. It needs to be verified.

I’m going to try it out in the next few days and report back.

]]> By: Martin Atkins http://dready.org/blog/2009/01/02/mobile-openid-in-japan/#comment-27811 Martin Atkins Sat, 03 Jan 2009 03:55:31 +0000 http://dready.org/blog/?p=190#comment-27811 This is really useful research. I wonder how much of this applies outside the Japanese mobile market, and whether these limitations are on the device or in the network itself. One thing that should be noted is that OpenID 2.0 *does* allow the responses to be transmitted as POST requests. There is the problem that this is under the control of the OP, but if the OP is modified to support doing authentication with subscriber ID then presumably it can also be modified to respond with a POST request when it does this. Some libraries will of course need to be modified since currently most do not allow the caller to choose between GET and POST explicitly. This is really useful research. I wonder how much of this applies outside the Japanese mobile market, and whether these limitations are on the device or in the network itself.

One thing that should be noted is that OpenID 2.0 *does* allow the responses to be transmitted as POST requests. There is the problem that this is under the control of the OP, but if the OP is modified to support doing authentication with subscriber ID then presumably it can also be modified to respond with a POST request when it does this.

Some libraries will of course need to be modified since currently most do not allow the caller to choose between GET and POST explicitly.

]]>