[Code] Python library only supports assertions sent as GET (not POST)
Jack Bates
d8526k at nottheoilrig.com
Fri Nov 11 23:03:24 UTC 2011
On Wed, Oct 26, 2011 at 10:13:19AM -0700, Yang Zhao wrote:
> Hi Jack,
>
> On 20 October 2011 11:36, Jack Bates <d8526k at nottheoilrig.com> wrote:
> > ...However the Python library doesn't support assertions which are sent as
> > a POST - it only supports assertions which are sent as a GET. Consequently the
> > Python library fails to interoperate with some OpenID providers which
> > nonetheless conform to the OpenID specification
>
> IIRC, the library leaves HTTP parsing to the callee. It's not
> immediately clear to me why there would be a POST vs GET issue,
> although I'll admit that I've not looked at the patch in its full
> context.
Calling code calls consumer.complete() with two arguments:
    @param query: A dictionary of the query parameters for this
        HTTP request.
    @param current_url: The URL used to invoke the application.
        Extract the URL from your application's web
        request framework and specify it here to have it checked
        against the openid.return_to value in the response. If
        the return_to URL check fails, the status of the
        completion will be FAILURE.
The problem is that _verifyReturnToArgs() actually checks the first argument
(the assertion) against openid.return_to. It should instead check the second
argument (the URL of the request the RP received) against openid.return_to, as
the docstring says, and as required by the specification:
> Any query parameters that are present in the "openid.return_to" URL MUST also
> be present with the same values in the URL of the HTTP request the RP
> received
If assertions are sent as a GET, then the first argument (the assertion) is
identical to the query data in the second argument (the URL of the request the
RP received), so this bug is not exposed in this case.
But if assertions are sent as a POST, then the first argument (the assertion)
is the POST data, which *is not* identical to the query data in the second
argument. _verifyReturnToArgs() incorrectly checks the first argument against
openid.return_to, and so rejects valid assertions and fails to interoperate
with providers that send assertions as a POST.
This pull request fixes _verifyReturnToArgs() to check the second argument (the
URL of the request the RP received) against openid.return_to, as the docstring
says, and as required by the specification:
https://github.com/openid/python-openid/pull/25
Are there any objections to the change introduced by this pull request? I am
keen to address them!
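The following is an added illustration of the two checks described above; it is not code from python-openid or from the pull request. verify_buggy() models a check that compares the openid.return_to parameters against the assertion's own parameters, verify_fixed() compares them against the query string of current_url as the docstring and the specification require, and the return_to URL, assertion fields and case functions are all constructed for the example.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: the return_to the RP sent in its request, carrying
# the RP's own state parameters (sid, nonce).
RETURN_TO = "https://rp.example/openid/finish?sid=42&nonce=abc"
# Constructed positive assertion; only the fields relevant here are shown.
ASSERTION = {"openid.mode": "id_res", "openid.return_to": RETURN_TO}

def _return_to_args_present(return_to, received):
    """Spec rule: every query parameter of return_to must be present with
    the same value(s) in `received` (name -> list of values). Extra
    parameters in `received` (e.g. the openid.* fields) are allowed."""
    required = parse_qs(urlparse(return_to).query, keep_blank_values=True)
    return all(received.get(name) == vals for name, vals in required.items())

def verify_buggy(query, current_url):
    """Models the defect described in the message: the return_to parameters
    are checked against the assertion parameters, and current_url is ignored."""
    as_lists = {name: [value] for name, value in query.items()}
    return _return_to_args_present(query["openid.return_to"], as_lists)

def verify_fixed(query, current_url):
    """What the docstring and the spec require: check against the query
    string of the URL on which the RP actually received the request."""
    received = parse_qs(urlparse(current_url).query, keep_blank_values=True)
    return _return_to_args_present(query["openid.return_to"], received)

def get_case():
    # Assertion delivered as a GET redirect: the OP appends the openid.*
    # fields to return_to, so the query dict and the request URL agree.
    query = dict(ASSERTION, sid="42", nonce="abc")
    current_url = RETURN_TO + "&" + urlencode(ASSERTION)
    return verify_buggy(query, current_url), verify_fixed(query, current_url)

def post_case():
    # Assertion delivered as a form POST to return_to: the POST body holds
    # only the openid.* fields, while sid/nonce arrive in the request URL.
    query = dict(ASSERTION)
    return verify_buggy(query, RETURN_TO), verify_fixed(query, RETURN_TO)

def mismatched_case():
    # A POSTed assertion that lands on a URL whose state does not match the
    # return_to it names: the corrected check must still reject it.
    query = dict(ASSERTION)
    wrong_url = "https://rp.example/openid/finish?sid=43&nonce=abc"
    return verify_buggy(query, wrong_url), verify_fixed(query, wrong_url)

if __name__ == "__main__":
    print("GET :", get_case())          # (True, True)
    print("POST:", post_case())         # (False, True)
    print("bad :", mismatched_case())   # (False, False)
```

The POST case is the interoperability failure the message describes: the buggy check rejects a valid assertion because the RP's state parameters are in the request URL, not in the POST body.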