From avodonosov at yandex.ru Mon Aug 15 22:13:29 2011
From: avodonosov at yandex.ru (Anton Vodonosov)
Date: Tue, 16 Aug 2011 02:13:29 +0400
Subject: [cl-openid-devel] cl-openid API changes, preparing to release 1.0.0
Message-ID: <908061313446409@web82.yandex.ru>

Hello.

I finally implemented the API simplifications I have wanted since the cl-openid Release Candidate we made in the past (it's mostly provider API changes).

There is also a security-related fix for ticket #14 - we now use secure random numbers, instead of the CL:RANDOM function. To compile it you will need a fresh cl+ssl (available in Quicklisp).

I think it's time for Release 1.0.0.

Below is the list of changes. The adjustments in the user code will be quite trivial, but if you need help, you are welcome to ask here, in the mailing list.

--------- The changes ---------

Important change: Fixed ticket #14 secure random number generation.

API changes:

- The URI returned from INITIATE-AUTHENTICATION is of type string, instead of a PURI:URI. This saves the user one PRINC-TO-STRING in his code.

- Provider generic function USER-SETUP-URL is removed from the public API. It is a function intended for OpenID 1.1 compatibility. Previously the user needed to implement it, but now all the necessary handling is done automatically. (See ticket #14 for the details)

- HANDLE-OPENID-PROVIDER-REQUEST always returns the second value, an HTTP code. When the HTTP code is a redirect (3xx), the first value URI is returned as a string, instead of a PURI:URI object. This saves the user from doing PRINC-TO-STRING for the URI.

- CANCEL-RESPONSE and SUCCESSFUL-RESPONSE are renamed to CANCEL-RESPONSE-URI and SUCCESSFUL-RESPONSE-URI. Both functions return only a single value - the URI (no sense to return the HTTP status code as the second value, as this is always a redirect). The URI is returned as a string instead of a PURI:URI instance (this saves the user one PRINC-TO-STRING in his code).

- As a result of the above change, you need to explicitly provide the second return value from the HANDLE-CHECKID-SETUP you implement for your OpenID provider.

- Removed WITH-INDIRECT-ERROR-HANDLER and SIGNAL-INDIRECT-ERROR from the public API.

- Introduced a new public function AUTH-REQUEST-REALM which returns the realm of the OpenID authentication request message (this function is needed if you implement an OpenID provider).

- The HANDLE-OPENID-PROVIDER-REQUEST keyword parameter SECURE-P is renamed to ALLOW-UNENCRYPTED-ASSOCIATION-P.

Full list of the tickets closed:

#14 secure random number generation
#16 unit test error: make-auth-proc
#17 signal an error if discovery discovers nothing
#18 LiveJournal error response with HTTP status 200
#19 some polishment of the provider API
#20 user_setup_url automatic generation
#21 INITIATE-AUTHENTICATION: return the URI as a string
#22 adjust the examples to hunchentoot 1.1.

Best regards,
- Anton