[cl-openid-devel] What happens after verification?

Anton Vodonosov avodonosov at yandex.ru
Sat Jul 19 14:43:35 UTC 2008


On Saturday, July 19, 2008, 5:11:06 PM Leslie wrote:

> Suppose I'm a relying party and send a HANDLE-OPENID-REQUEST
> to the appropriate provider. This function returns a URI
> which I'm going to redirect the user to.

> The user authenticates himself.

> What happens then?

> I know that I can specify a return URI (which possibly contains
> some secret key that maps to the login process), but isn't
> CL-OPENID supposed to take care of this?

>   Thanks!

>     Leslie

After the user has authenticated himself at the provider,
the provider returns a Redirect status to the user's browser.
The redirect is performed to the return URI you specified.
The provider also adds parameters to the return URI.
These parameters specify whether authentication was successful.

So, the relying party receives a new HTTP request from the redirected
user's browser. This is called an "indirect reply" from the provider.

You need to pass the request parameters to the HANDLE-INDIRECT-REPLY
function. This function takes care of interpreting the parameters'
meaning and also verifying that the reply was really from the
provider, by verifying the digital signature.

Best regards,
-Anton
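
The checks described in the reply above, sketched in Python as an added example; this is not part of the original message and not cl-openid's own code. It assumes an OpenID 2.0 positive assertion signed with an HMAC-SHA1 association key the relying party already holds. The function names, URLs, handle and key are hypothetical, and the sample reply is constructed.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Fields the relying party depends on, so they must be covered by the signature.
REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
            "claimed_id", "identity"}

def sign_fields(params, signed, mac_key):
    """Base64 HMAC-SHA1 over the signed fields, one "key:value" line per field."""
    text = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
    mac = hmac.new(mac_key, text.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def check_indirect_reply(url, associations, return_to, seen_nonces):
    """Return the claimed identifier for a valid positive assertion, else None."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if params.get("openid.mode") != "id_res":   # e.g. "cancel": user did not log in
        return None
    mac_key = associations.get(params.get("openid.assoc_handle"))
    signed = params.get("openid.signed", "").split(",")
    if mac_key is None or not REQUIRED <= set(signed):
        return None                              # unknown key, or key fields unsigned
    if any("openid." + k not in params for k in signed):
        return None
    expected = sign_fields(params, signed, mac_key).encode("ascii")
    supplied = params.get("openid.sig", "").encode("utf-8")
    if not hmac.compare_digest(expected, supplied):
        return None                              # parameters altered or forged
    nonce = params["openid.response_nonce"]
    if params["openid.return_to"] != return_to or nonce in seen_nonces:
        return None                              # wrong destination, or a replay
    seen_nonces.add(nonce)
    return params["openid.claimed_id"]

def sample_reply(mac_key, return_to):
    """Constructed provider reply for the demo; all values are made up."""
    fields = {"op_endpoint": "https://op.example/server", "return_to": return_to,
              "response_nonce": "2008-07-19T14:43:35Zabc123", "assoc_handle": "h1",
              "claimed_id": "https://leslie.example/", "identity": "https://leslie.example/"}
    params = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.signed": ",".join(fields)}
    params.update({"openid." + k: v for k, v in fields.items()})
    params["openid.sig"] = sign_fields(params, list(fields), mac_key)
    return return_to + "?" + urlencode(params)

if __name__ == "__main__":
    key, rt = b"constructed-shared-secret", "https://rp.example/openid/return"
    print(check_indirect_reply(sample_reply(key, rt), {"h1": key}, rt, set()))
```

The nonce set and the exact-match `return_to` comparison are simplifications: a deployed relying party persists nonces for their validity window and also handles replies that carry no usable association handle.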
