Anonymous avatar Anonymous committed cb7b531

Add 1.1 compatibility: RP MUST keep track of what claimed identifier was used to discover the OP-local identifier, for example by keeping it in session state.



openid2rp/testapp.py

 #!/usr/bin/env python
 ################ Test Server #################################
-import BaseHTTPServer, cgi
+import BaseHTTPServer, cgi, Cookie
 from openid2rp import *
 
 # supported providers
                                  (services, url, session['assoc_handle'],
                                   self.base_url+"?returned=1",
                                   claimed, op_local))
+
+                # 1.1 compatibility: openid.claimed_id" is not defined by
+                # OpenID Authentication 1.1.  RPs MAY send the value when
+                # making requests, but MUST NOT depend on the value being
+                # present in authentication responses.  When the OP-Local
+                # Identifier ("openid.identity") is different from the Claimed
+                # Identifier, the RP MUST keep track of what Claimed Identifier
+                # was used to discover the OP-Local Identifier, for example by
+                # keeping it in session state.  Although the Claimed Identifier
+                # will not be present in the response, it MUST be used as the
+                # identifier for the user
+                self.send_header('Set-Cookie', 'openid.claimed_id='+claimed)
+
                 self.end_headers()
                 return                
             if 'returned' in query:
                 if query['openid.mode'][0] == 'cancel':
                     return self.write('Login failed', 'text/plain')
 
-                # If no Claimed Identifier is present in the response, the
-                # assertion is not about an identifier
                 try:
                     claimed_id, = query['openid.claimed_id']
                 except KeyError:
-                    return self.error('Assertion is not about an identifier')
+                    no_fragment = claimed_id = Cookie.SimpleCookie(self.headers['Cookie'])['openid.claimed_id'].value
+                else:
 
-                # If the Claimed Identifier in the assertion is a URL and
-                # contains a fragment, the fragment part and the fragment
-                # delimiter character "#" MUST NOT be used for the purposes of
-                # verifying the discovered information
-                try:
-                    no_fragment = claimed_id[:claimed_id.index('#')]
-                except ValueError:
-                    no_fragment = claimed_id
+                    # If the Claimed Identifier in the assertion is a URL and
+                    # contains a fragment, the fragment part and the fragment
+                    # delimiter character "#" MUST NOT be used for the purposes
+                    # of verifying the discovered information
+                    try:
+                        no_fragment = claimed_id[:claimed_id.index('#')]
+                    except ValueError:
+                        no_fragment = claimed_id
 
                 # If the Claimed Identifier is included in the assertion, it
                 # MUST have been discovered by the RP and the information in
                     except Exception, e:
                         return self.error('Authentication failed: '+repr(e))
 
-                if 'openid.claimed_id' in query:
-                    if 'claimed_id' not in signed:
-                        return self.error('Incomplete signature')
-                    claimed = query['openid.claimed_id'][0]
-                else:
-                    # OpenID 1, claimed ID not reported - should set cookie
-                    if 'identity' not in signed:
-                        return self.error('Incomplete signature')
-                    claimed = query['openid.identity'][0]
-                payload = "Hello "+claimed+"\n"
+                payload = "Hello "+claimed_id+"\n"
                 ax = get_ax(querystring, get_namespaces(querystring), signed)
                 sreg = get_sreg(querystring, signed)
                 email = get_email(querystring)
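Review bot: The cookie fallback on line 46 trusts a client-supplied header as the user's identity and can also crash: both `self.headers['Cookie']` (absent header) and the `['openid.claimed_id']` lookup raise KeyError inside the existing `except KeyError:` handler, so a 1.1 response without the cookie now ends in an unhandled exception instead of `self.error(...)`, and nothing visible in the new code ties the cookie's Claimed Identifier to the signed `openid.identity` (the old `'identity' not in signed` check removed at line 77 has no replacement here; the verification stretch between lines 65 and 66 is outside the hunk, so whether it covers the cookie path is inferred). The cookie value should only become `claimed_id` after discovery on it yields the OP-Local Identifier carried in the signed response, and the raw `claimed` on line 32 should be emitted through `Cookie.SimpleCookie` rather than string concatenation, since it is written unquoted (a `;` in the URL truncates it) and without `HttpOnly` or a `Path`. The comment on line 22 also has a stray `"` after `openid.claimed_id`. The enclosing request-handler method starts and ends outside the hunk.
```python
                except KeyError:
                    # 1.1 response without openid.claimed_id: fall back to the
                    # Claimed Identifier remembered at discovery time; it still
                    # has to be checked against the signed openid.identity below
                    try:
                        jar = Cookie.SimpleCookie(self.headers.get('Cookie', ''))
                        no_fragment = claimed_id = jar['openid.claimed_id'].value
                    except (KeyError, Cookie.CookieError):
                        return self.error('Assertion is not about an identifier')
                else:
                    # … unchanged: fragment stripping …
```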