1. Benoit Chesneau
  2. django-authopenid
  3. Issues
Issue #35 resolved

sreg discovery is incorrect

Mikhail Korobov
created an issue

function {{{ask_openid}}} uses
{{{ use_ax, use_sreg = discover_extensions(openid_url) }}}

code to discover if sreg extension is supported.

{{{discover_extension}}} gets info from {{{openid.consumer.discover.discover}}} function.

And that's the problem. {{{openid.consumer.discover.discover}}} doesn't do anything but check if sreg service is listed in XRDF document (or in {{{ <link rel='..'>}}} if document doesn't exist). But listing sreg service in XRDF is not required in specification, it is not even mentioned in sreg specs, neither in 1.0 nor in 1.1 draft (in contrast, it is stated that ax extension SHOULD be in XRDF).

So provider can provide sreg extension and don't list it in XRDF, and it will be entirely standard. Sreg support shouldn't be checked by {{{openid.consumer.discover.discover}}}. I think django_authopenid should try to get info using sreg extension regardless of XRDF.

I face this problem with openid.yandex.ru provider. It has sreg support but doesn't list it in XRDF. I contact them and they say it will be fixed, but they don't violate any specifications and there could be another providers with this behaviour.

Comments (1)

  1. Log in to comment