1. Martin von Löwis
  2. openid2rp


Peter Troeger  committed f1d7bd0

Added new argument to avoid session re-use. Updated documentation accordingly. Fixed syntax error for claimID determination.

  • Participants
  • Parent commits 4625a6f
  • Branches default

Comments (0)

Files changed (2)

File doc/django.rst

View file
 The Django application can use the following API:
-.. function:: openid2rp_django.auth.preAuthenticate(uri, answer_url, sreg = (('nickname', 'email'), ()), ax = ((openid2rp.AX.email, openid2rp.AX.first, openid2rp.AX.last), ())) -> response
+.. function:: openid2rp_django.auth.preAuthenticate(uri, answer_url, sreg = (('nickname', 'email'), ()), ax = ((openid2rp.AX.email, openid2rp.AX.first, openid2rp.AX.last), ()),reuse_session = True) -> response
 ``uri`` is the OpenID URI input from the user. ``answer_url`` is the
 absolute address of the view that will later call
 information attributes from the authentication provider. Check the
 openid2rp and OpenID documentation for details.
+``reuse_session`` is intended as possibility for the application to
+work around broken OpenID providers. It disables the re-using of
+OpenID sessions for the given claim. If your provider sends an
+'openid.invalidate_handle' parameter in the returning request,
+and the OpenID authentication ends with a session error,
+try to set this to 'False'. Normally, you don't need to touch
+this parameter.
 The result is the ``HttpResponse`` object you should directly
 return from the view code after calling ``preAuthenticate``. It
 contains a 307 redirection to the authentication provider URL, so that

File openid2rp/django/auth.py

View file
 def preAuthenticate(uri, answer_url, 
 					sreg = (('nickname', 'email'), ()),
-					ax = ((openid2rp.AX.email, openid2rp.AX.first, openid2rp.AX.last), ())):
+					ax = ((openid2rp.AX.email, openid2rp.AX.first, openid2rp.AX.last), ()),
+					reuse_session = True):
 	if res != None:
 		services, url, op_local = res
 		# re-use session in order to avoid provider roundtrip here
-		session = getSessionByClaim(claimedId)
+		# some providers (Wordpress) do not like that, and send 'invalidate_handle' then,
+		# which would need another user roundtrip - therefore, the app can switch it off
+		if reuse_session:
+			session = getSessionByClaim(claimedId)
+		else:
+			session = None
 		if not session:
 			session = openid2rp.associate(services, url)
 			storeSession(session, claimedId)
 			if 'identity' not in signed:
 				raise IncompleteAnswerError()
-			claimedId = session.claimedId
+			claimedId = session['claimedId']
 		# look up OpenID claim string in local database