[cl-openid-devel] What happens after verification?

Anton Vodonosov avodonosov at yandex.ru
Sun Jul 20 16:44:51 UTC 2008


on Sunday, July 20, 2008, 7:15:01 PM Maciek wrote:
>
> Update (I forgot to add this): I used URI postfix instead of GET
> parameters because OpenID spec is not clear on how the OPs should treat
> existing GET parameters in incoming "openid.return_to" fields.  The GET
> parameters might get lost or mangled, and the postfix is part of URI
> path, so it will stay untouched.

IMHO the spec allows it, in section 9.1, Request Parameters:

"Note: The return_to URL MAY be used as a mechanism for
the Relying Party to attach context about the authentication
request to the authentication response. This document does not
define a mechanism by which the RP can ensure that query parameters
are not modified by outside parties; such a mechanism can be defined
by the RP itself."

I understand it as meaning that request parameters are allowed. But a URI
postfix is OK as well.

Anyway, I agree that HANDLE-OPENID-REQUEST must serve mostly as an
example and the programmer will use more low-level functions.

Example of when the programmer may want to add query parameters other
than the authentication transaction ID:
1. user (guest) tries to access a page requiring authentication.
2. he is redirected to the login page.
3. openid authentication is performed.
4. the page the user wanted to access initially (from step 1)
   is displayed.

The programmer may want to pull the URL of the initial page through
the whole process using query parameters (although it is possible
to store it on the server, as we store openid auth. sessions).

- Anton
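The spec note quoted above leaves it to the RP to make sure that query parameters attached to return_to survive the round trip unmodified, and the four-step flow above needs exactly such a parameter (the initially requested page). The following is an added example in Python, not code from cl-openid or from this thread: it binds the RP's own return_to parameters with an HMAC so tampering is detected on the way back, restricts the "next" page to a local path so the parameter cannot be turned into an open redirect, and implements the return_to check of OpenID 2.0 section 11.1 (scheme, authority and path must match, and every return_to query parameter must be present with the same value in the URL the RP actually received). The parameter names rp.txn, rp.next and rp.sig, and the key, are assumptions made for this example.

```python
"""Signed return_to context for an OpenID Relying Party (illustrative example)."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed per-RP key; a real RP keeps this server-side and rotates it.
RP_KEY = b"constructed-rp-secret-key-do-not-reuse"

CONTEXT_PREFIX = "rp."   # hypothetical namespace for the RP's own parameters
SIG_PARAM = "rp.sig"     # hypothetical name of the signature parameter


def is_safe_local_path(path):
    """Accept only an absolute path on this site, so 'next' cannot send the
    user to another host after login."""
    return path.startswith("/") and not path.startswith("//") and "\\" not in path


def _context_mac(pairs, key):
    # Sign only the RP's own rp.* parameters, in sorted order, so that the
    # openid.* parameters the OP appends on the way back, or a reordering of
    # the query string, do not disturb the signature.
    ctx = sorted((k, v) for k, v in pairs
                 if k.startswith(CONTEXT_PREFIX) and k != SIG_PARAM)
    return hmac.new(key, urlencode(ctx).encode(), hashlib.sha256).hexdigest()


def build_return_to(base_url, txn_id, next_path, key=RP_KEY):
    """Attach the auth transaction id and the originally requested page to
    return_to as query parameters, plus an HMAC over both."""
    if not is_safe_local_path(next_path):
        raise ValueError("next_path must be a local absolute path")
    pairs = [("rp.txn", txn_id), ("rp.next", next_path)]
    pairs.append((SIG_PARAM, _context_mac(pairs, key)))
    scheme, netloc, path, query, _ = urlsplit(base_url)
    merged = parse_qsl(query, keep_blank_values=True) + pairs
    return urlunsplit((scheme, netloc, path, urlencode(merged), ""))


def verify_return_to(received_url, key=RP_KEY):
    """Recover (txn_id, next_path) from the URL the OP sent the browser back to.
    Raises ValueError if the RP context is missing or was modified in transit."""
    pairs = parse_qsl(urlsplit(received_url).query, keep_blank_values=True)
    params = dict(pairs)
    sig = params.get(SIG_PARAM)
    if sig is None or "rp.txn" not in params:
        raise ValueError("missing return_to context")
    expected = _context_mac(pairs, key)
    # Constant-time comparison; a duplicated rp.* parameter also changes the MAC.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("return_to context was modified")
    next_path = params.get("rp.next", "/")
    if not is_safe_local_path(next_path):
        raise ValueError("unsafe next path")
    return params["rp.txn"], next_path


def return_to_matches_request(claimed_return_to, received_url):
    """OpenID 2.0 section 11.1: scheme, authority and path must be equal, and
    every query parameter of openid.return_to must be present with the same
    value in the URL the RP received (extra openid.* parameters are allowed)."""
    c, r = urlsplit(claimed_return_to), urlsplit(received_url)
    if (c.scheme, c.netloc, c.path) != (r.scheme, r.netloc, r.path):
        return False
    received = set(parse_qsl(r.query, keep_blank_values=True))
    return all(p in received for p in parse_qsl(c.query, keep_blank_values=True))


if __name__ == "__main__":
    # Constructed walk-through of the flow in the mail: guest asks for a
    # protected page, is sent to log in, comes back, lands on that page.
    rt = build_return_to("https://rp.example/openid/return", "txn123", "/private/report")
    back = rt + "&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    print(verify_return_to(back))
    print(return_to_matches_request(rt, back))
```

Whether the context travels as query parameters (as here) or as a URI postfix, the same two checks apply: the RP verifies that openid.return_to in the response matches the URL it received, and it authenticates its own context so that neither the OP nor anyone on the path can change which transaction or which page the user is sent to.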
