[Code] Python library only supports assertions sent as GET (not POST)
Yang Zhao
yang at yangman.ca
Thu Nov 17 18:23:08 UTC 2011
Hi Jack,
I haven't had the time to really dig through the library code, but I'm
still unconvinced the changes you're proposing are correct.
On 11 November 2011 15:03, Jack Bates <d8526k at nottheoilrig.com> wrote:
> The problem is that _verifyReturnToArgs() actually checks the first argument
> (the assertion) against openid.return_to. It should instead check the second
> argument (the URL of the request the RP received) against openid.return_to, as
> the docstring says, and as required by the specification:
_verifyReturnToArgs() is an internal step which performs _message_
validation, with respect to signature, etc., and should not care what URL
was passed to consumer.complete(). That verification step happens at
the end of _checkReturnTo(). I hope this isn't a misunderstanding of
your original intent.
Do you have a sample provider that I can run through my testing tool
to see if this is indeed a protocol break?
--
Yang Zhao
http://yangman.ca