Opened 13 years ago
Closed 13 years ago
#20 closed defect (fixed)
user_setup_url automatic generation
Reported by: | avodonosov | Owned by: | avodonosov |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | code | Version: | 1.0 portable |
Keywords: | 1-1-compat | Cc: | |
Description
To be compatible with OpenID Authentication 1.1, the OP should include the field user_setup_url in responses to checkid_immediate requests performed using the 1.1 version of the protocol.
The RP may redirect the user to this URI, where the user can complete the authentication (by interacting with the OP web UI, like a login form, etc.). After the user's interaction with the OP is done, the user should be returned to the RP with a positive or negative assertion, the same way it is done for checkid_setup requests.
In the 2.0 version of OpenID Authentication this requirement for the OP was replaced by just the possibility for the RP to perform a new authorization request, now in checkid_setup mode, if the checkid_immediate has failed (it was a good solution, because it simplified the OP implementation).
In the current cl-openid implementation we just provided a generic function USER-SETUP-URL, which we suggest the programmer using our library re-implement. The programmer is expected to provide some URL, create a handler for that URL, and take care of whatever is needed to redirect the user's browser back to the RP when necessary. This is a very complex task for the programmer.
Instead, cl-openid might just change the request mode from checkid_immediate to checkid_setup, then generate the OP endpoint URL, passing the adjusted request in parameters. If the RP uses this URL, the OP handling will reuse all the checkid_setup logic.
This should work because the authorization requests sent by the RP are not signed; therefore the OP may easily adjust the requests.
The relevant spec links:
OpenID Authentication 2.0 - Final 14.2. Implementing OpenID Authentication 1.1 Compatibility http://openid.net/specs/openid-authentication-2_0.html#anchor38
OpenID Authentication 1.1 4.2.3. Extra Notes http://openid.net/specs/openid-authentication-1_1.html#anchor21
Change History (3)
comment:1 Changed 13 years ago by
comment:2 Changed 13 years ago by
Owner: | set to avodonosov |
---|---|
Status: | new → assigned |
comment:3 Changed 13 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed: the user_setup_url is generated automatically for the failed immediate authentication requests of OpenID version 1.
The function USER-SETUP-URL is removed from the public API.
After fixing this ticket the generic function USER-SETUP-URL should be removed in its current form.
Another small fix is that the user_setup_url handling should *only* be used if the authentication request is of version 1.1.
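The approach proposed in the description, together with the version 1.1 restriction from the last comment, as an added Python sketch at the protocol level; it is not cl-openid code and not part of the original ticket. The function names, the `op.example` and `rp.example` URLs and the sample request are constructed for illustration, and the 2.0 branch (`setup_needed`) goes beyond what the ticket covers.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# OpenID 2.0 section 4.1.2: absent openid.ns, or one of these, means 1.1 mode.
OPENID1_NS = {"http://openid.net/signon/1.1", "http://openid.net/signon/1.0"}

# Constructed sample: a 1.1 checkid_immediate request as the OP parsed it.
SAMPLE_REQUEST = {
    "openid.mode": "checkid_immediate",
    "openid.identity": "https://op.example/users/alice",
    "openid.return_to": "https://rp.example/return?sid=42",
    "openid.trust_root": "https://rp.example/",
}


def append_query(url, params):
    """Append params to url, keeping any query string it already carries."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + sorted(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def user_setup_url(op_endpoint, request):
    """Re-issue a 1.1 checkid_immediate request as checkid_setup, else None."""
    ns = request.get("openid.ns")
    if ns is not None and ns not in OPENID1_NS:
        return None  # user_setup_url exists only in the 1.1 protocol
    # The request is unsigned, so the OP can change its mode. The resulting
    # URL carries no extra trust: the OP handles it as any checkid_setup request.
    adjusted = {k: v for k, v in request.items() if k.startswith("openid.")}
    adjusted["openid.mode"] = "checkid_setup"
    return append_query(op_endpoint, adjusted)


def immediate_failure_redirect(op_endpoint, request):
    """Where the OP sends the browser when checkid_immediate cannot succeed."""
    if request.get("openid.mode") != "checkid_immediate":
        raise ValueError("not a checkid_immediate request")
    setup_url = user_setup_url(op_endpoint, request)
    if setup_url is not None:  # OpenID 1.1: id_res carrying user_setup_url
        reply = {"openid.mode": "id_res", "openid.user_setup_url": setup_url}
    else:  # OpenID 2.0: the RP starts a new checkid_setup request itself
        reply = {"openid.ns": OPENID2_NS, "openid.mode": "setup_needed"}
    return append_query(request["openid.return_to"], reply)


if __name__ == "__main__":
    print(immediate_failure_redirect("https://op.example/openid", SAMPLE_REQUEST))
```

Because the generated URL is an ordinary checkid_setup request that comes back through the user's browser, the OP's usual checks on that request apply to it unchanged.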