
Anonymous committed 22382ce

Extend demo app to demonstrate direct verification. Use discovered OP endpoint URL to perform direct verification.



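--- a/openid2rp/__init__.py
+++ b/openid2rp/__init__.py
         return url+"?"+urllib.urlencode(data)
 
 # 11.4.2 Verifying Directly with the OpenID Provider
-def verify_signature_directly(response):
-    '''Request that the OP verify the signature via Direct Verification.'''
+def verify_signature_directly(op_endpoint, response):
+    '''Request that the OP verify the signature via Direct Verification'''
 
-    op_endpoint, = response['openid.op_endpoint']
     request = [('openid.mode', 'check_authentication')]
     # Exact copies of all fields from the authentication response, except for
     # "openid.mode"
     request.extend((k, v) for k, (v,) in response.items() if 'openid.mode' != k)
     res = urllib.urlopen(op_endpoint, urllib.urlencode(request))
     if 200 != res.getcode():
-        raise ValueError, 'OP refuses connection with status %d' % res.getcode()
+        raise ValueError('OP refuses connection with status %d' % res.getcode())
     response = parse_response(res.read())
     if 'true' != response['is_valid']:
-        raise ValueError, 'OP doesn\'t assert that the signature of the verification request is valid.'
+        raise ValueError('OP doesn\'t assert that the signature of the verification request is valid')
 
 class NotAuthenticated(Exception):
     pass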
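Review bot: The new op_endpoint parameter is undocumented, although the commit deliberately stops reading the unverified openid.op_endpoint field of the response and the reworded docstring gives no hint of that contract. I would extend the docstring with `op_endpoint must be the OP Endpoint URL obtained via discovery; the openid.op_endpoint field of an unverified response must not be used for this.` The rebinding `response = parse_response(res.read())` reuses the parameter name for the OP's reply, which reads confusingly next to the `response.items()` loop a few lines earlier; `verification = parse_response(res.read())` (with the is_valid check adjusted) would keep the two apart. The urlopen handle `res` is also never closed.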

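--- a/openid2rp/testapp.py
+++ b/openid2rp/testapp.py
                     no_fragment = claimed_id
 
                 _, op_endpoint, _ = discover(no_fragment)
+
+                # If the RP has stored an association with the association
+                # handle specified in the assertion, it MUST check the
+                # signature on the assertion itself.  If it does not have an
+                # association stored, it MUST request that the OP verify the
+                # signature via Direct Verification
                 handle = query['openid.assoc_handle'][0]
                 try:
                     session = sessions[op_endpoint, handle]
                 except KeyError:
-                    return self.error('Not authenticated (no session)')
-                try:
-                    signed = authenticate(session, querystring)
-                except Exception, e:
-                    self.error("Authentication failed: "+repr(e))
-                    return
+                    try:
+                        verify_signature_directly(op_endpoint, query)
+                    except Exception, e:
+                        return self.error('Authentication failed: '+repr(e))
+                    signed, = query['openid.signed']
+                    signed = signed.split(',')
+                else:
+                    try:
+                        signed = authenticate(session, querystring)
+                    except Exception, e:
+                        return self.error('Authentication failed: '+repr(e))
+
                 if 'openid.claimed_id' in query:
                     if 'claimed_id' not in signed:
                         return self.error('Incomplete signature')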
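Review bot: In the new direct-verification branch, `signed, = query['openid.signed']` sits outside the try that wraps verify_signature_directly, so an assertion that lacks openid.signed or repeats it raises an unhandled KeyError/ValueError instead of the 'Authentication failed' page the association branch returns; moving the unpack inside the try, `verify_signature_directly(op_endpoint, query)` followed by `signed, = query['openid.signed']` before the `except`, makes both branches fail the same way. Direct verification only confirms that the OP signed the assertion, not that it is fresh, so this path needs the same openid.response_nonce check as the association path; I cannot see from this hunk whether the handler checks the nonce anywhere, so that is worth confirming. The enclosing handler method starts before and continues after the hunk.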