Commits

Anonymous committed 00871c5

Cache discovered OP endpoint URL to avoid repeating discovery when verifying assertions. When verifying assertions, OP endpoint URL is used to get an association if one is stored, and to perform direct verification otherwise.

  • Participants
  • Parent commits 22382ce

Comments (0)

Files changed (1)

openid2rp/testapp.py

     ('Launchpad', 'https://login.launchpad.net/favicon.ico', 'https://login.launchpad.net/')
     )
              
+# Mapping from Claimed Identifier to OP Endpoint URL.  Always updated on
+# initiation (end user enters User-Supplied Identifier) and used to avoid
+# repeating discovery when verifying assertions.  When verifying assertions, OP
+# Endpoint URL is used to get an association if one is stored, and to perform
+# Direct Verification otherwise
+disco = {}
+
 # Mapping from OP Endpoint URL and association handle to association response
 sessions = {}
 
                 if res is None:
                     return self.error('Discovery failed')
                 services, url, op_local = res
+
+                # Avoid repeating discovery when verifying assertions
+                disco[claimed] = url
+
                 try:
                     session = associate(services, url)
                 except ValueError, e:
                 except ValueError:
                     no_fragment = claimed_id
 
-                _, op_endpoint, _ = discover(no_fragment)
+                # If the Claimed Identifier is included in the assertion, it
+                # MUST have been discovered by the RP and the information in
+                # the assertion MUST be present in the discovered information.
+                # The Claimed Identifier MUST NOT be an OP Identifier
+                #
+                # If the Claimed Identifier was not previously discovered by
+                # the RP (the "openid.identity" in the request was
+                # "http://specs.openid.net/auth/2.0/identifier_select" or a
+                # different Identifier, or if the OP is sending an unsolicited
+                # positive assertion), the RP MUST perform discovery on the
+                # Claimed Identifier in the response to make sure that the OP
+                # is authorized to make assertions about the Claimed Identifier
+                try:
+                    op_endpoint = disco[no_fragment]
+                except KeyError:
+                    _, op_endpoint, _ = discover(no_fragment)
 
                 # If the RP has stored an association with the association
                 # handle specified in the assertion, it MUST check the