[Code] Changing host of OP, retain claimed_id

Jason Young jason.young at extension.org
Wed Jul 8 15:55:29 UTC 2009


Hi folks,
I'm running into a devil of a problem with my OP, that I can't seem to get
solved and straight.

Background:
I run an OP for cooperative extension personnel across the country.  Most of
our use is for white-listed directed identity login for internal hosts.  But
we do have some land-grants that have implemented RPs using our OpenID -
and our moodle provider that's using a hacked-up directed mode.

Our host, people.extension.org is using a somewhat modified ruby
server implementation
 (it has some bugs in IDP xrds discovery that I've fixed).  We are in the
process of merging way too many different Rails applications into one - and
the short of it is, I am going to be trying to redirect requests from
https://people.extension.org/[person's_id_string] to
https://www.extension.org/people/[person's_id_string]
- but still trying to maintain the use of
https://people.extension.org/[person's_id_string] as
the claimed_id.

Current situation
Minus the SSL part for now, and using demo hosts (people.demo.extension.org and
pubsitedev.extension.org) I can happily redirect all day long - but only if
I return http://pubsitedev.extension.org/people/[person's_id_string] as
the claimed_id - which I could get away with for the internal hosts, but
the third parties need to have
https://people.extension.org/[person's_id_string]
(or http://people.demo.extension.org/[person's_id_string] for
this demo case)

I've followed the appendix examples - my XRDS includes
http://pubsitedev.extension.org/people/[person's_id_string] as
the LocalID.  The endpoints are right.  My request.answer has

 identity = http://pubsitedev.extension.org/people/[person's_id_string]

and

claimed_id = http://people.demo.extension.org/[person's_id_string]

The problem appears to be that during the follow-up discovery done when those are
different, the Yadis discovery picks up the target URL of
the XRDS document.   That is - at the Apache level, I redirect:

    RewriteCond %{HTTP_HOST}   ^people\.demo\.extension\.org [NC]
    RewriteRule ^/(.*)   http://pubsitedev.extension.org/people/$1 [L,R=permanent]

In discovery, when it goes and gets the service endpoint's claimed_id, it
appears to pick it up from the 'yadis_url' - that is, the URL of the end
target of discovery done on the claimed_id.   So when I redirect
http://people.demo.extension.org/[person's_id_string]
to http://pubsitedev.extension.org/people/[person's_id_string]
it picks up the pubsitedev URL as the claimed_id - which fails the
comparison (PHP consumer):

        if ($defragged_claimed_id != $endpoint->claimed_id) {
            return new Auth_OpenID_FailureResponse($endpoint,
              sprintf('Claimed ID does not match (different subjects!), ' .
                      'Expected %s, got %s', $defragged_claimed_id,
                      $endpoint->claimed_id));
        }


Sooo....   I'm guessing there's no good way around this?   I eventually need
to get these to transition, and the redirects seemed to be the best way to
make that happen   - but there seems to be no good way to push everything to
the new host, maintain all the "user-visible" portions of this (the user's
openid endpoint serves double duty as a profile page:  e.g.
https://people.extension.org/jayoung )  and then make sure that RPs have
the original claimed_id.

Or am I completely missing something here that I could be doing to pull this
off?   I've gone through the spec, and I've gone through the code, and even
broken out wireshark - but very admittedly, I'm backing into this a bit as
someone that just wants to use the API and have it "just work" ;-)

At the moment, I'm looking at having to figure out some way to possibly not
rewrite discovery requests, but rewrite everything else.  Or just run the
application with a Proxy redirect (or run two copies at two different
vhosts).

I'm assuming someone else here has done similar as they figured out they
wanted different OpenID identifiers - what did you do?

Jason
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jason Young --  Systems Manager, eXtension
http://about.extension.org/wiki/Jason_Young
______________________________________
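Added example, not code from the post or from either the ruby or the PHP OpenID library: a small simulation of the RP side of what is described above, using the hostnames from the post but constructed HTTP responses, a deliberately minimal Yadis/XRDS discovery, and the PHP consumer's "different subjects" comparison. OpenID Authentication 2.0 section 7.2 normalises a URL identifier by following redirects and takes the final URL as the Claimed Identifier, so an RP that does discovery correctly will always bind the claimed_id to the redirect target; that comparison exists so that an OP, or anyone who runs one, cannot hand an RP a positive assertion for an identifier the RP never discovered. The second scenario shows what changes when the identifier URL itself answers 200 on the old host and only points at the XRDS on the new host with an X-XRDS-Location header (that hop does not change the identifier). The OP server URI and the /xrds path are assumptions.

```python
"""Simulated OpenID 2.0 relying-party discovery: why a host redirect on the
identifier URL changes the Claimed Identifier, and why serving discovery
from the old host keeps it.  Added example; the HTTP responses are
constructed, and the discovery code is a small model, not library code."""
from urllib.parse import urldefrag, urljoin
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
XRDS_TYPE = "application/xrds+xml"
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"

# Constructed XRDS for the user "jayoung"; the server URI is an assumption.
XRDS_DOC = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="%s">
  <XRD>
    <Service priority="0">
      <Type>%s</Type>
      <URI>http://pubsitedev.extension.org/openid/server</URI>
      <LocalID>http://pubsitedev.extension.org/people/jayoung</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
""" % (XRD_NS, SIGNON_TYPE)

# Scenario A (constructed): the Apache rule from the post, every request on
# the old host is redirected, including the RP's discovery fetch.
REDIRECT_EVERYTHING = {
    "http://people.demo.extension.org/jayoung":
        (301, {"Location": "http://pubsitedev.extension.org/people/jayoung"}, ""),
    "http://pubsitedev.extension.org/people/jayoung":
        (200, {"Content-Type": XRDS_TYPE}, XRDS_DOC),
}

# Scenario B (constructed): the identifier URL answers 200 on the old host
# and hands the XRDS off via X-XRDS-Location; the /xrds path is assumed.
EXEMPT_DISCOVERY = {
    "http://people.demo.extension.org/jayoung":
        (200, {"Content-Type": "text/html",
               "X-XRDS-Location": "http://pubsitedev.extension.org/people/jayoung/xrds"},
         "<html>profile page</html>"),
    "http://pubsitedev.extension.org/people/jayoung/xrds":
        (200, {"Content-Type": XRDS_TYPE}, XRDS_DOC),
}


def fetch(site, url, max_redirects=5):
    """Follow redirects the way an RP's fetcher does; return (final_url, headers, body)."""
    for _ in range(max_redirects + 1):
        status, headers, body = site[url]
        if status in (301, 302, 303, 307):
            url = urljoin(url, headers["Location"])
            continue
        return url, headers, body
    raise RuntimeError("too many redirects")


def parse_xrds(body):
    """Return the fields of the first OpenID 2.0 signon <Service> element."""
    root = ET.fromstring(body)
    for svc in root.iter("{%s}Service" % XRD_NS):
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in svc}
        if fields.get("Type") == SIGNON_TYPE:
            return fields
    raise ValueError("no OpenID 2.0 signon service in XRDS")


def discover(site, user_supplied):
    """Minimal Yadis discovery on a URL identifier."""
    # OpenID 2.0 section 7.2: redirects are followed and the final URL is
    # the Claimed Identifier.  This is the 'yadis_url' from the post.
    final_url, headers, body = fetch(site, user_supplied)
    claimed_id, _ = urldefrag(final_url)
    if headers.get("Content-Type") != XRDS_TYPE:
        # An X-XRDS-Location hop fetches the document without changing
        # the identifier that was just normalised.
        _, headers, body = fetch(site, urljoin(final_url, headers["X-XRDS-Location"]))
    svc = parse_xrds(body)
    return {"claimed_id": claimed_id,
            "local_id": svc.get("LocalID") or claimed_id,
            "server_url": svc["URI"]}


def check_assertion(endpoint, assertion):
    """The PHP consumer's subject check; returns None on success, else the failure text."""
    defragged, _ = urldefrag(assertion["openid.claimed_id"])
    if defragged != endpoint["claimed_id"]:
        return ("Claimed ID does not match (different subjects!), "
                "Expected %s, got %s" % (defragged, endpoint["claimed_id"]))
    if assertion["openid.identity"] != endpoint["local_id"]:
        return "OP-local identifier does not match the discovered LocalID"
    return None


# What the OP's request.answer puts in the positive assertion, per the post.
ASSERTION = {
    "openid.claimed_id": "http://people.demo.extension.org/jayoung",
    "openid.identity": "http://pubsitedev.extension.org/people/jayoung",
}


def run(site):
    """Discover the claimed_id the user supplied, then verify the assertion against it."""
    return check_assertion(discover(site, ASSERTION["openid.claimed_id"]), ASSERTION)


if __name__ == "__main__":
    print("redirect everything:", run(REDIRECT_EVERYTHING))
    print("exempt discovery:   ", run(EXEMPT_DISCOVERY))
```

The first scenario reproduces the failure quoted from the PHP consumer: discovery binds the claimed_id to the pubsitedev URL, so the assertion carrying the people.demo claimed_id is rejected as a different subject. The second passes because the identifier URL never redirected, while the XRDS and the OP-local identifier both live on the new host. The practical consequence is that whatever is done for humans (a redirect or a meta refresh to the new profile page), the old identifier URL has to keep answering 200 to an RP's discovery fetch, for example by not applying the RewriteRule when the request asks for application/xrds+xml; how that is keyed is an implementation choice this example does not model.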

