[cl-openid-devel] What happens after verification?

Maciek Pasternacki maciej at pasternacki.net
Sun Jul 20 17:28:33 UTC 2008


On Sun, 2008-07-20 at 19:44 +0300, Anton Vodonosov wrote:
> > Update (I forgot to add this): I used URI postfix instead of GET
> > parameters because OpenID spec is not clear on how the OPs should treat
> > existing GET parameters in incoming "openid.return_to" fields.  The GET
> > parameters might get lost or mangled, and the postfix is part of URI
> > path, so it will stay untouched.
> 
> IMHO the spec allows it, in section 9.1. Request Parameters:
> 
> "Note: The return_to URL MAY be used as a mechanism for
> the Relying Party to attach context about the authentication
> request to the authentication response. This document does not
> define a mechanism by which the RP can ensure that query parameters
> are not modified by outside parties; such a mechanism can be defined
> by the RP itself."

Yes, but it also implies that this method may be fragile.  URI postfix
seems to be more robust.

> Example when a programmer may want to add query parameters other
> than the authentication transaction ID:
> 1. user (guest) tries to access a page requiring authentication.
> 2. he is redirected to login page.
> 3. openid authentication is performed
> 4. the page user wanted to access initially (from the step 1)
>    is displayed.
> 
> A programmer may want to pull the URL of the initial page through
> the whole process using query parameters (although it is possible
> to store it on the server, as we store openid auth. sessions).

I thought initially about keeping such information in the ID object, but it
is unRESTful and puts too much burden on the server.  I just added the
ADD-POSTFIX-TO-URI function, which keeps the query part and adds a
trailing slash if the base URI doesn't end with one, and use it to get
the final return_to URI.

-- 
-><- Maciej 'japhy' Pasternacki -><- http://www.pasternacki.net/ -><-
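As an added Python sketch of the scheme discussed in this thread (not cl-openid's own Common Lisp code): the transaction id rides in the URI path as a postfix, any query context such as the originally requested page stays in the query part, and on the way back the RP applies the return_to comparison that OpenID 2.0 section 11.1 requires, which is where a modified query parameter gets caught. Function names, the sample URLs and the transaction id are constructed for this example.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

def add_postfix_to_uri(base_uri: str, postfix: str) -> str:
    """Append POSTFIX as the final path segment of BASE_URI, keeping the query
    part and adding a trailing slash when the base path lacks one."""
    p = urlsplit(base_uri)
    path = p.path or "/"
    if not path.endswith("/"):
        path += "/"
    return urlunsplit((p.scheme, p.netloc, path + postfix, p.query, ""))

def extract_postfix(return_to: str, base_uri: str) -> Optional[str]:
    """Recover the postfix segment, or None if RETURN_TO is not rooted at
    BASE_URI (other scheme/host, or a path outside the base)."""
    b, r = urlsplit(base_uri), urlsplit(return_to)
    base_path = b.path if b.path.endswith("/") else b.path + "/"
    if (r.scheme, r.netloc) != (b.scheme, b.netloc) or not r.path.startswith(base_path):
        return None
    rest = r.path[len(base_path):]
    return rest if rest and "/" not in rest else None

def request_matches_return_to(request_url: str, return_to: str) -> bool:
    """OpenID 2.0 section 11.1: scheme, authority and path of the request must
    equal those of openid.return_to, and every query parameter of return_to
    must be present with the same value; extra openid.* fields are allowed."""
    q, t = urlsplit(request_url), urlsplit(return_to)
    if (q.scheme, q.netloc, q.path) != (t.scheme, t.netloc, t.path):
        return False
    have = parse_qs(q.query, keep_blank_values=True)
    want = parse_qs(t.query, keep_blank_values=True)
    return all(have.get(k) == v for k, v in want.items())

def check_response(response_url: str, base_uri: str) -> Optional[Tuple[str, str]]:
    """Return (transaction id, carried 'next' page) for an acceptable response,
    None otherwise. Signature checking of the openid.* fields is not shown."""
    fields = parse_qs(urlsplit(response_url).query, keep_blank_values=True)
    claimed = fields.get("openid.return_to", [None])[0]
    if claimed is None or not request_matches_return_to(response_url, claimed):
        return None
    txn = extract_postfix(claimed, base_uri)
    return None if txn is None else (txn, fields.get("next", [""])[0])

# Constructed sample: the completion URL carries the page the guest asked for
# as a query parameter and a made-up transaction id as the path postfix; the
# OP then redirects the browser to return_to plus its own openid.* fields.
BASE = "https://rp.example/openid/finish?next=/private/report"
RETURN_TO = add_postfix_to_uri(BASE, "txn-8f3a")
RESPONSE_URL = RETURN_TO + "&" + urlencode(
    {"openid.mode": "id_res", "openid.return_to": RETURN_TO})
```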