[Python-Dev] Python wiki

"Martin v. Löwis" martin at v.loewis.de
Mon Sep 27 06:10:39 CEST 2010

> No, Martin really meant "not possible": once basic auth is started,
> the browser prompts for username and password and you are in basic-auth
> land thereafter; the web server has *no way* to tell the browser to
> *stop* using basic auth.

Yes, but Scott proposed that OpenID users might fill in their OpenID
in the username field and leave the password field empty. Technically,
this would work - the browser would then get the OpenID redirect in
response to the original request.

>> imagine that only "ultra geeks" know their URIs (I have no idea what the
>> URI for a Google account is). But, I don't see this as being worthwhile
> Well, my OpenId is 'david.bitdance.com', so even if you could get around
> the basic auth problem, looking for "http://" wouldn't work.

Sure - however, it would actually be possible to determine that this is
an OpenID: perform discovery on it. If that succeeds, try to establish
a provider association; if that also succeeds, redirect the user to the
OpenID login process.

However, I'd rather not do that, since OpenID users don't expect that
kind of interface.

Providing OpenID links on the login failure 401 response is reasonable,


More information about the Python-Dev mailing list