[cl-openid-ticket] [cl-openid] #20: user_setup_url automatic generation
cl-openid
cl-openid-devel at common-lisp.net
Sat Jun 11 22:49:27 UTC 2011
#20: user_setup_url automatic generation
------------------------+---------------------------------------------------
Reporter: avodonosov | Owner:
Type: defect | Status: new
Priority: major | Milestone:
Component: code | Version: 1.0 portable
Keywords: 1-1-compat |
------------------------+---------------------------------------------------
To be compatible with OpenID Authentication 1.1, the OP should include the
field user_setup_url in responses to checkid_immediate requests
performed using the 1.1 version of the protocol.

The RP may redirect the user to this URI, where the user can complete the
authentication (by interacting with the OP web UI, like a login form, etc.).
After the user interaction with the OP is done, the user should be returned to
the RP, with a positive or negative assertion, the same way it is done for
checkid_setup requests.

In the 2.0 version of OpenID Authentication this requirement for the OP was
replaced by just the possibility for the RP to perform a new authorization
request, now in checkid_setup mode, if the checkid_immediate has failed. (It
was a good solution, because it simplified the OP implementation.)

In the current cl-openid implementation we just provided a generic
function USER-SETUP-URL which we suggest the programmer using our library
re-implement. The programmer is expected to provide some URL, create
a handler for that URL, and take care of whatever is needed to redirect the
user's browser back to the RP when necessary. This is a very complex task for
the programmer.

Instead, cl-openid might just change the request mode from
checkid_immediate to checkid_setup, then generate the OP endpoint URL
passing the adjusted request in parameters. If the RP uses this URL,
the OP handling will reuse all the checkid_setup logic.

This should work, because the authorization requests sent by the RP are not
signed, therefore the OP may easily adjust the requests.

The relevant spec links:
OpenID Authentication 2.0 - Final
14.2. Implementing OpenID Authentication 1.1 Compatibility
http://openid.net/specs/openid-authentication-2_0.html#anchor38
OpenID Authentication 1.1
4.2.3. Extra Notes
http://openid.net/specs/openid-authentication-1_1.html#anchor21
--
Ticket URL: <http://trac.common-lisp.net/cl-openid/ticket/20>
cl-openid <http://common-lisp.net/project/cl-openid>