[cl-openid-devel] provider API suggestions
Anton Vodonosov
avodonosov at yandex.ru
Sat Sep 13 18:23:03 UTC 2008
Hello Maciej.
I tried to use the provider as if in a real web site
In result I have the following suggestions about
the provider API, so that it will be more
convenient for user.
HANDLE-OPENID-PROVIDER-REQUEST
- always return the second value, HTTP code.
- when result means that redirect must be performed,
always return the URI as a string, to avoid
PRINC-TO-STRING everywere in the code;
- rename SECURE-P to ALLOW-UNENCRYPTED
CANCEL-RESPONSE and SUCCESSFUL-RESPONSE are always
redirects; therefore they may return a single value -
the redirect URI. It must always be a string too.
CANCEL-RESPONSE-URI and CANCEL-RESPONSE-URI will
be more clear names for the functions, both
when studying the library and reading code that uses it.
CANCEL-RESPONCE doc string has an error: it says the
function *sends* a response (in reality it only constructs
a response).
WITH-INDIRECT-ERROR-HANDLER is unnecessary to export
and to mention in the docs. Instead, the library must
catch *any* errors when it calls HANDLE-CHECKID-SETUP
and other user provided functions; not only INDIRECT-ERROR.
I feel the INDIRECT-ERROR and SIGNAL-INDIRECT-ERROR,
are not needed in the public API too. In practice
there were no cases when I needed them. Indirect error
responses are more for malformed requests, and all the
correctness checks are already made by the library.
It is necessary to provide a function to extract
realm from messages, like this:
(defun auth-req-realm (message)
(or (if (not (message-v2-p message))
;; prior to 2.0 "openid.realm"
;; was called "openid.trust_root"
;; see the spec, section 14.2.1
(message-field message "openid.trust_root")
(message-field message "openid.realm"))
;; section 9.1, if "openid.realm" is not
;; specifed, it defaults to "openid.return_to"
(message-field message "openid.return_to")))
The name of the function intends to point that
realm is present only in authentication request
messages.
As a result of the suggested changes, only the
HANDLE-OPENID-PROVIDER-REQUEST will have two-value
return convention. Code to examine its return
value may be written in place. This saves us from
creating separate HUNCHENTOOT-OPENID-RESPONSE (as in
your example) and calling it via MULTIPLE-VALUE-CALL
everywhere.
Best regards,
-Anton
More information about the cl-openid-devel
mailing list