close Warning: Can't synchronize with repository "(default)" (/project/cl-openid/svn does not appear to be a Subversion repository.). Look in the Trac log for more information.

Opened 14 years ago

Closed 13 years ago

#20 closed defect (fixed)

user_setup_url automatic generation

Reported by: avodonosov Owned by: avodonosov
Priority: major Milestone:
Component: code Version: 1.0 portable
Keywords: 1-1-compat Cc:

Description

To be compatible with OpenID Authentication 1.1 the OP should, include field user_setup_url into responses to checkid_immediate requests preformed using the 1.1 vesion of the protocol.

RP may redirect user to this URI where user can complete the authentication (by interacting with the OP web UI, like login form, etc.). After the user interaction with OP is done, the user should be returned to the RP, with positive or negative assertion, the same way it is done for checkid_setup requests.

In the 2.0 version of OpenID Authenctiaction these requirement for OP was replaced by just possibility for RP to perform new authorization request, now in checkid_setup mode, if the checkid_immediate has failed. (it was a good solution, because simplified the OP implementation).

In the current cl-openid implementation we just provided a generic function USER-SETUP-URL which we suggest to programmer using our library to re-implement. The programmer is expected to provide some URL and create a handler for that URL and take care of whatever is needed to redirect the users browser back to RP when necessary. This is very complex task for the programmer.

Instead, cl-openid might just change the request mode from checkid_immediate to checkid_stetup, then generate the OP endpoint URL passing the adjusted request in parameters. If the RP will use this URL, the OP handling will reuse all the checkid_setup logic.

This should work, because the authorization requests sent by RP are not signed, therefore OP may easily adjust the requests.

The relevant spec links:

OpenID Authentication 2.0 - Final 14.2. Implementing OpenID Authentication 1.1 Compatibility http://openid.net/specs/openid-authentication-2_0.html#anchor38

OpenID Authentication 1.1 4.2.3. Extra Notes http://openid.net/specs/openid-authentication-1_1.html#anchor21

Change History (3)

comment:1 Changed 14 years ago by avodonosov

After fixing this ticket the generic function should be removed in it's current form USER-SETUP-URL.

Another small fix is that the user_setup_url handling should *only* be user if the authentication request is of version 1.1.

comment:2 Changed 13 years ago by avodonosov

Owner: set to avodonosov
Status: newassigned

comment:3 Changed 13 years ago by avodonosov

Resolution: fixed
Status: assignedclosed

Fixed: the user_setup_url is generated automatically for the failed immediate authentication requests of OpenID version 1.

The function USER-SETUP-URL is removed from the public API.

Note: See TracTickets for help on using tickets.