
Anonymous committed 1300f50

Add support for verifying the signature of the assertion via direct verification.


Files changed (1)

openid2rp/__init__.py

     else:
         return url+"?"+urllib.urlencode(data)
 
+# 11.4.2 Verifying Directly with the OpenID Provider
+def verify_signature_directly(response):
+    '''Request that the OP verify the signature via Direct Verification.'''
+
+    op_endpoint, = response['openid.op_endpoint']
+    request = [('openid.mode', 'check_authentication')]
+    # Exact copies of all fields from the authentication response, except for
+    # "openid.mode"
+    request.extend((k, v) for k, (v,) in response.items() if 'openid.mode' != k)
+    res = urllib.urlopen(op_endpoint, urllib.urlencode(request))
+    if 200 != res.getcode():
+        raise ValueError, 'OP refuses connection with status %d' % res.getcode()
+    response = parse_response(res.read())
+    if 'true' != response['is_valid']:
+        raise ValueError, 'OP doesn\'t assert that the signature of the verification request is valid.'
+
 class NotAuthenticated(Exception):
     pass
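Review bot: `verify_signature_directly` sends the `check_authentication` request to `response['openid.op_endpoint']`, a field taken from the same assertion whose signature has not yet been verified, so whoever produced the response also chooses the server that answers `is_valid:true`. Unless the caller has already matched this field against the endpoint found during discovery (not visible in this hunk), the endpoint should come from discovery or session state, for example `def verify_signature_directly(op_endpoint, response):`. It should also be limited to `http`/`https` before `urllib.urlopen` is called, since that call is not restricted to HTTP schemes. Separately, a reply that lacks `is_valid` surfaces as a `KeyError` rather than the `ValueError` raised for the other failures; assuming `parse_response` returns a dict, `if 'true' != response.get('is_valid'):` would keep rejection uniform. The docstring could also state that the function returns nothing on success and raises `ValueError` on any failure, so callers do not test its return value.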