OpenID Connect and browser redirect, the web should get over its HTML hangover

OpenID Connect would have been superb without the annoying notion of html redirect. I despised OAuth2 for that, I jumped on the specifications of OpenID Connect thinking it would have a good answer, and I wasn’t pleased to see that it’s still there. So either vendors have an interest in keeping things that way, or there was an oversight. The latter is implausible, so it’s got to be the former.

When I saw the OpenID Connect announcement my hope just went up that, finally, OAuth2 would be getting a decent replacement and it’s annoying web browser logic would go away. Nope, it seems that’s not the case at all, so I came quickly back down to earth and needed to get this out of my system.

I started reading up OpendID Connect specifications. It looked promising until I got to the point where it mentions redirect URI (section “3.1.2.1. Authentication Request” ), there I froze, shock and horror! I don’t get it, why would a 2014 web single sign-on standard specification have such a narrow focus.

When writing a modern web application, if architected properly, one certainly would have completely separate notions of visual and non-visual elements. A web solution that isn’t composable isn’t future-proof and is doomed to quick obsolescence. Yes, sure, the web picked up thanks to HTML and HTTP. But the Internet was there long before all that and, we’re surely heading towards an Internet where a lot of chatty stuff isn’t going to surface to a user until at the very last moment, at a final consumption point. Issues such as identification and data access are to be resolved well before anything is ready to be made visual. Authentication and authorisation are not visualisation problems, they are data access concerns. Data can and should be manipulated in a composable manner, until it’s finally rendered. There should never be any assumption about visualisation in the guts of non-visual elements. Visual elements should be calling on the non-visual elements, not the other way around. That’s how, most probably, the Internet Of Things and any great stuff looming in the horizon would be architected. In this context, I don’t get the reasoning behind tying OpenID Connect to things like browser redirects.

So, OpenID Connect rings quite a few good tones, but it didn’t seem ambitious enough for me to fully empower the next generation Internet solutions. In many ways, it looks like a vendor toy that would be great for tool vendors but developers would need to figure out ways to make it even more usable. That’s a shame, a missed opportunity.