Files changed (30)
+``repoze.who.plugins.openid`` is a plugin for the `repoze.who framework <http://static.repoze.org/whodocs/>`_
+For more information read the `documentation <http://quantumcore.org/docs/repoze.who.plugins.openid>`_
+``repoze.who`` consists of several plugins which work together during the OpenID authentication sequence in the following way:
+ 4. The ``IChallenge`` plugin checks for the 401 and redirects the user to the URL defined in ``login_form_url``
+ 5. The user enters an OpenID into the login form and submits it. The URL given in the configuration option ``login_handler_url`` is POSTed to.
+ 6. The ``IIdentification`` plugin detects the URL given and checks if an openid is present in the POST data. If this is the case it copies the openid into the WSGI environment so that it's read later by the ``IChallenge`` plugin (which is called after the application has done it's part, which in this case is probably returning a ``404`` error because you don't need to implement the login handler as it's handled then by the challenge plugin)
+ 7. On egress with that ``404`` error the ``IChallengeDecider`` checks this time if an OpenID is present in the WSGI environment. If this is the case it will allow the ``IChallenge`` plugin to run
+ 8. The ``IChallenge`` plugin checks if the URL given in ``login_handler_path`` is active and if an OpenID is present in the environment. If this is the case it will start the OpenID discovery process using the Python OpenID library. It will return a WSGI application which will redirect the user to the OpenID provider.
+ 9. Coming back from the OpenID provider the user calls the URL given in ``login_handler_path`` again because this was the URL the plugin gave to the provider to redirect back to. The ``IIdentification`` plugin is called again on ingress and it checks again the URL to be correct and the result of the OpenID authentication (using the library). If everything was ok it stores the authenticated OpenID in the identity dict as ``repoze.who.plugins.openid.userid``. This is additionally remembered via the plugin given in the configuration option ``rememberer_name`` (usually this is ``auth_tkt``)
+ 10. The ``IAuthenticate`` plugin is called next and converts the found openid into a userid which is returned (``None`` means that no authentication took place). The dummy authenticator shipped with this plugin will simply copy the openid over as userid. Usually you should write your own plugin which might do some database lookup to find the correct user.
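Review bot: steps 5, 8 and 9 name what reads as the same option in two ways: step 5 calls it ``login_handler_url``, while steps 8 and 9 call it ``login_handler_path``. Use the one name the plugin actually reads in all three steps, so that a reader copying from the README does not set the wrong key. Step 10 should also say outright that the dummy authenticator accepts every OpenID that verifies, from any provider, since it copies the openid over as the userid unchanged. Minor: "it's part" in step 6 should be "its part".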
+.. repoze.who openid plugin documentation master file, created by sphinx-quickstart on Sat Nov 1 11:43:55 2008.
+ ``came_from_field`` defines in which field in a request coming from the login form the URL is stored to which to redirect after successful authentication. The default is ``came_from``.
+ This directive defines in which field in the WSGI environment OpenID errors will be written should they occur. The default is ``error``.
+ OpenIDs requires a session for the whole login process (basically from sending the user to the OpenID provider to the provider redirecting back and checking the result). The default is to use a cookie internally.
+ This directive defines under which path the login page is to be found. This needs to be configured so the challenge plugin can redirect to it.
+ The login page is supposed to ask the user for the OpenID to be used to login which then is supposed to be stored in a field named as configured with ``openid_field``.
+ to know when an OpenID authentication process is active as the OpenID provider will redirect back to this URL. The plugin will then intercept this
+to really start it. Usually this needs to be done if an OpenID is present in the request. Per default the challenger is only called for ``Unauthorized`` responses from the application. In order to also trigger it for requests containing the field defined in ``openid_field`` you also have to configure a different Challengde Decider in your ``who.ini``::
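Review bot: the ``came_from_field`` paragraph says the field holds the URL to redirect to after successful authentication, but it does not say whether the plugin checks that value. Because it arrives in a request from the login form, the documentation should state whether the redirect target is restricted (for example to paths on the same site) or whether the application is expected to validate it. Minor: "Challengde Decider" in the last paragraph should be "Challenge Decider", and "OpenIDs requires" should be "OpenID requires".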
+ identity['repoze.whoplugins.openid.openid'] = environ['repoze.whoplugins.openid.openid'] = open_id
+ environ['repoze.who.logger'].info('authenticated : %s ' %identity['repoze.who.plugins.openid.userid'])
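Review bot: the key in the ``identity[...] = environ[...] = open_id`` assignment is spelled ``repoze.whoplugins.openid.openid``, without the dot between ``who`` and ``plugins``, while the logging line below it and step 9 of the README use the ``repoze.who.plugins.openid.`` prefix. If the missing dot is not intended, any code that looks the value up under the documented prefix will not find it. Suggest defining the key names once as module-level constants and using them in both places. The logging line also indexes ``environ['repoze.who.logger']`` and ``identity['repoze.who.plugins.openid.userid']`` directly; please confirm both are always set on this path, or guard the lookup.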