[Moin-user] Moin's OpenID support and identifier_select

Paul Boddie paul at boddie.org.uk
Tue Mar 8 19:12:14 EST 2011


Hello,

I've been trying to make sure that I haven't been breaking OpenID in Moin 
while applying some patches, and I noticed that putting more than one 
provider in openidrp_allowed_op puts Moin into the "identifier select" mode 
of authentication where the following occurs:

1. The relying party or RP (in this case, Moin offering an OpenID "login") 
shows a list of providers of the form http://example.com/ (rather than 
specific identifiers like http://me.example.com/).

2. The RP does discovery using the selected provider and finds out where the 
OpenID provider endpoint is.

3. The RP, indicating an association handle for future use, redirects the 
end-user to the provider endpoint and lets them authorise the authentication 
request.

4. The provider redirects the end-user back to the RP using a specially formed 
URL which includes the OpenID provider endpoint and the association handle 
which should have been provided in step 3.

5. The RP attempts to verify the details provided.

Here's the problem: when the provider is another Moin instance, the OpenID 
endpoint mentioned in the specially formed URL is different from the one that 
was mentioned in discovery. Since the OpenID library (python-openid) 
concerned uses the endpoint together with the association handle when 
preparing the request in step 3, it cannot verify the details from step 4 
using a new endpoint returned by Moin-as-provider.

So, I'm trying to find out whether anyone uses Moin in this way. I'm also 
trying to figure out whether returning a different endpoint is a valid thing 
to do and/or whether using an initial endpoint to record authentication state 
is sensible, although that's more of an issue for the python-openid 
maintainers, I would imagine.

Does anyone have any ideas or experiences with this?

Paul
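The five-step exchange above, as an added example that is not part of the original post and is not Moin's or python-openid's code. It is a minimal model of an OpenID 2.0 identifier_select login in which the relying party keys its association state on the endpoint found at discovery, which is enough to show why an id_res assertion that names a different op_endpoint cannot be verified against that state. Discovery, the provider, the association handle format, the nonce and every URL are constructed stand-ins; the simulated provider signs with HMAC-SHA256 over the key-value form of the signed fields.

```python
# Added example: model of an OpenID 2.0 identifier_select login, not Moin's or
# python-openid's code. All URLs, handles and the nonce below are constructed.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed stand-in for Yadis/XRDS discovery: provider URL -> OP endpoint.
DISCOVERY = {"http://wiki-a.example.com/": "http://wiki-a.example.com/OpenIDServer"}


def kv_form(args, signed_fields):
    """Key-value form of the signed fields, which is what the signature covers."""
    return "".join(f"{f}:{args['openid.' + f]}\n" for f in signed_fields).encode()


def sign(args, secret):
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
              "claimed_id", "identity"]
    args["openid.signed"] = ",".join(signed)
    mac = hmac.new(secret, kv_form(args, signed), hashlib.sha256).digest()
    args["openid.sig"] = base64.b64encode(mac).decode()
    return args


def signature_ok(args, secret):
    signed = args["openid.signed"].split(",")
    mac = hmac.new(secret, kv_form(args, signed), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), args.get("openid.sig", ""))


class RelyingParty:
    def __init__(self, return_to):
        self.return_to = return_to
        # Association store keyed by (OP endpoint, handle). Keying on the
        # discovered endpoint is the design choice the post asks about.
        self.assocs = {}

    def begin(self, provider_url):
        """Steps 1-3: discovery, association, then the checkid_setup redirect."""
        op_endpoint = DISCOVERY[provider_url]
        handle = "{HMAC-SHA256}" + secrets.token_hex(8)
        secret = secrets.token_bytes(32)  # shared with the OP by association
        self.assocs[(op_endpoint, handle)] = secret
        params = {
            "openid.ns": OPENID_NS,
            "openid.mode": "checkid_setup",
            "openid.claimed_id": IDENTIFIER_SELECT,  # identifier_select mode
            "openid.identity": IDENTIFIER_SELECT,
            "openid.assoc_handle": handle,
            "openid.return_to": self.return_to,
        }
        return op_endpoint + "?" + urlencode(params)

    def complete(self, query):
        """Step 5: verify the id_res assertion carried on the return_to URL."""
        args = {k: v[0] for k, v in parse_qs(query).items()}
        if args.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        if args.get("openid.return_to") != self.return_to:
            return False, "return_to mismatch"
        key = (args.get("openid.op_endpoint"), args.get("openid.assoc_handle"))
        secret = self.assocs.get(key)
        if secret is None:
            # The handle was issued for the discovered endpoint; an assertion
            # naming another endpoint has no association to check against.
            return False, f"no association for endpoint/handle {key}"
        if not signature_ok(args, secret):
            return False, "bad signature"
        return True, args["openid.claimed_id"]


def provider_assertion(op_endpoint, handle, secret, claimed_id, return_to):
    """Step 4: a simulated OP's positive assertion. The OP may put any value in
    openid.op_endpoint; it is the RP's job to reconcile it with discovery."""
    args = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": "2011-03-08T19:12:14Znonce01",  # constructed
        "openid.assoc_handle": handle,
    }
    return urlencode(sign(args, secret))


def run(scenario):
    """scenario: 'same_endpoint', 'other_endpoint' or 'tampered'."""
    rp = RelyingParty("http://moin.example.org/LoginOpenID")
    redirect = rp.begin("http://wiki-a.example.com/")
    discovered = redirect.split("?", 1)[0]
    handle = parse_qs(urlparse(redirect).query)["openid.assoc_handle"][0]
    secret = rp.assocs[(discovered, handle)]  # the OP holds the same secret
    stated = "http://wiki-a.example.com/AnotherEndpoint" if scenario == "other_endpoint" else discovered
    query = provider_assertion(stated, handle, secret, "http://wiki-a.example.com/SomeUser", rp.return_to)
    if scenario == "tampered":
        query = query.replace("SomeUser", "Admin")  # alter a signed field in transit
    return rp.complete(query)


if __name__ == "__main__":
    for s in ("same_endpoint", "other_endpoint", "tampered"):
        print(s, run(s))
```

Running the three scenarios shows the two distinct failure modes: a correctly signed assertion that names a different endpoint is rejected before any signature is checked, because the store lookup keyed on the discovered endpoint finds nothing, while an assertion from the expected endpoint with a modified claimed_id gets as far as the signature check and fails there.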