[Moin-user] Moin's OpenID support and identifier_select
Paul Boddie
paul at boddie.org.uk
Tue Mar 8 19:12:14 EST 2011
Hello,
I've been trying to make sure that I haven't been breaking OpenID in Moin
while applying some patches, and I noticed that putting more than one
provider in openidrp_allowed_op puts Moin into the "identifier select" mode
of authentication where the following occurs:
1. The relying party or RP (in this case, Moin offering an OpenID "login")
shows a list of providers of the form http://example.com/ (rather than
specific identifiers like http://me.example.com/).
2. The RP does discovery using the selected provider and finds out where the
OpenID provider endpoint is.
3. The RP, indicating an association handle for future use, redirects the
end-user to the provider endpoint and lets them authorise the authentication
request.
4. The provider redirects the end-user back to the RP using a specially formed
URL which includes the OpenID provider endpoint and the association handle
which should have been provided in step 3.
5. The RP attempts to verify the details provided.
Here's the problem: when the provider is another Moin instance, the OpenID
endpoint mentioned in the specially formed URL is different from the one that
was mentioned in discovery. Since the OpenID library concerned (python-openid)
uses the endpoint together with the association handle when preparing the
request in step 3, it cannot verify the details from step 4 using a new
endpoint returned by Moin-as-provider.
So, I'm trying to find out whether anyone uses Moin in this way. I'm also
trying to figure out whether returning a different endpoint is a valid thing
to do and/or whether using an initial endpoint to record authentication state
is sensible, although that's more of an issue for the python-openid
maintainers, I would imagine.
Does anyone have any ideas or experiences with this?
Paul
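The following is an added worked example, not code from the original post, from Moin or from python-openid. It models the relying-party side of steps 3 to 5 above: the association obtained in step 3 is stored under the discovered endpoint and the association handle, the step 4 return URL is parsed, and the openid.op_endpoint it carries is compared with the endpoint from discovery before the association is looked up and the signature checked (OpenID 2.0 signs the fields listed in openid.signed as "key:value" lines with HMAC over the association's MAC key, and section 11.2 of the spec requires the RP to check that the asserted endpoint matches discovery). The endpoint URLs, identifier, handle and MAC key are all constructed for the example, and the second, differing endpoint is a hypothetical stand-in for the one the post says Moin-as-provider returns:

```python
"""Relying-party check of an OpenID 2.0 id_res response (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example; none of these come from Moin.
DISCOVERED_OP_ENDPOINT = "https://wiki.example.org/OpenIDProvider"  # hypothetical
RETURN_TO = "https://rp.example.com/openid-return"                   # hypothetical
MAC_KEY = b"0123456789abcdef0123"       # constructed 20-byte HMAC-SHA1 key
ASSOC_HANDLE = "{HMAC-SHA1}{constructed-handle}"


class AssociationStore:
    """Associations keyed by (op_endpoint, assoc_handle), as in step 3 of the post."""

    def __init__(self):
        self._assocs = {}

    def add(self, op_endpoint, handle, mac_key):
        self._assocs[(op_endpoint, handle)] = mac_key

    def get(self, op_endpoint, handle):
        return self._assocs.get((op_endpoint, handle))


def signed_message(params):
    """OpenID 2.0 section 6.1: one 'key:value\\n' line per field in openid.signed,
    keys written without the 'openid.' prefix."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode("utf-8")


def sign(params, mac_key):
    digest = hmac.new(mac_key, signed_message(params), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_response(op_endpoint, handle, mac_key, claimed_id):
    """Simulate the provider's step 4 redirect URL (constructed, not Moin's output)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2011-03-08T19:12:14Zconstructed",
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, mac_key)
    return RETURN_TO + "?" + urlencode(params)


def verify_response(url, store, discovered_endpoint):
    """Step 5: returns (ok, reason) for a return URL built in step 4."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    op_endpoint = params.get("openid.op_endpoint", "")
    handle = params.get("openid.assoc_handle", "")
    # The failure mode from the post: the response names an endpoint other than
    # the one discovery produced, so nothing recorded in step 3 can be matched.
    if op_endpoint != discovered_endpoint:
        return False, "endpoint mismatch"
    mac_key = store.get(op_endpoint, handle)
    if mac_key is None:
        return False, "unknown association"
    # Refuse to trust any security-relevant field the provider left unsigned.
    signed = set(params.get("openid.signed", "").split(","))
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                "claimed_id", "identity"}
    if not required <= signed:
        return False, "required field not signed"
    if params.get("openid.return_to") != RETURN_TO:
        return False, "return_to mismatch"
    if not hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", "")):
        return False, "bad signature"
    return True, "verified"


def demo():
    """Verify one response that echoes the discovered endpoint and one that does not."""
    store = AssociationStore()
    store.add(DISCOVERED_OP_ENDPOINT, ASSOC_HANDLE, MAC_KEY)
    claimed = "https://wiki.example.org/PaulBoddie"  # hypothetical identifier
    good = build_response(DISCOVERED_OP_ENDPOINT, ASSOC_HANDLE, MAC_KEY, claimed)
    # Hypothetical stand-in for a provider reporting a different endpoint in step 4.
    other = build_response("https://wiki.example.org/OpenIDProvider/alternate",
                           ASSOC_HANDLE, MAC_KEY, claimed)
    return (verify_response(good, store, DISCOVERED_OP_ENDPOINT),
            verify_response(other, store, DISCOVERED_OP_ENDPOINT))


if __name__ == "__main__":
    print(demo())
```

Running demo() gives (True, "verified") for the first response and (False, "endpoint mismatch") for the second, which is the situation described in the post: the signature would be valid under the stored MAC key, but because the RP keys its state on the discovered endpoint it never gets as far as checking it. Keying on the endpoint is not arbitrary; without that comparison a response could name any endpoint it liked, which is why the spec makes the RP confirm the asserted endpoint against discovery rather than simply trust the one in the URL.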