[Code] Python library only supports assertions sent as GET (not POST)

Jack Bates d8526k at nottheoilrig.com
Thu Nov 17 23:42:58 UTC 2011


On Thu, Nov 17, 2011 at 10:23:08AM -0800, Yang Zhao wrote:
> On 11 November 2011 15:03, Jack Bates <d8526k at nottheoilrig.com> wrote:
> > The problem is that _verifyReturnToArgs() actually checks the first argument
> > (the assertion) against openid.return_to. It should instead check the second
> > argument (the URL of the request the RP received) against openid.return_to, as
> > the docstring says, and as required by the specification:
> 
> _verifyReturnToArgs() is an internal step which performs _message_
> validation, in respect to signature, etc, and should not care what URL
> was passed to consumer.complete().  That verification step happens at
> the end of _checkReturnTo().  I hope this isn't a misunderstanding of
> your original intent.

Specification section 11.1 says:

> Any query parameters that are present in the "openid.return_to" URL MUST also
> be present with the same values in the URL of the HTTP request the RP
> received

e.g. an assertion with:

  openid.return_to=http://example.com/return?egparam=egvalue

  is valid if sent to http://example.com/return?egparam=egvalue but invalid if
  sent to http://example.com/return or http://example.com/return?egparam=bogus

In the Python OpenID library, this is implemented by _verifyReturnToArgs(). How
can this be implemented without the URL of the HTTP request the RP received,
which is the URL passed to consumer.complete()?
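The section 11.1 check discussed in this message, as an added example (not python-openid's own code): it compares the openid.return_to value against the URL the RP actually received, which is the argument the thread says the check cannot work without. The scheme, host and path comparison is the other requirement of the same spec section; the function names and the sample URLs are my own.

```python
from urllib.parse import parse_qs, urlsplit


def return_to_args_match(return_to, received_url):
    """OpenID 2.0 section 11.1: scheme, host and path of the two URLs must be
    the same, and every query parameter in return_to must be present in the
    received URL with the same value(s).  Extra parameters in the received
    URL (the openid.* fields the OP appends) are allowed."""
    rt = urlsplit(return_to)
    rx = urlsplit(received_url)
    if (rt.scheme, rt.netloc.lower(), rt.path) != (rx.scheme, rx.netloc.lower(), rx.path):
        return False
    rt_args = parse_qs(rt.query, keep_blank_values=True)
    rx_args = parse_qs(rx.query, keep_blank_values=True)
    for name, values in rt_args.items():
        # compare as multisets so a repeated parameter must be repeated identically
        if sorted(rx_args.get(name, [])) != sorted(values):
            return False
    return True


def verify_received_request(received_url):
    """Take the URL the RP received, pull openid.return_to out of it and check
    the received URL against that value.  Returns (ok, reason)."""
    args = parse_qs(urlsplit(received_url).query, keep_blank_values=True)
    rt_values = args.get("openid.return_to", [])
    if len(rt_values) != 1:
        return False, "openid.return_to missing or repeated"
    if not return_to_args_match(rt_values[0], received_url):
        return False, "received URL does not match openid.return_to"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample: the OP appended its own fields to the RP's return_to
    good = ("http://example.com/return?egparam=egvalue&openid.mode=id_res"
            "&openid.return_to=http%3A%2F%2Fexample.com%2Freturn%3Fegparam%3Degvalue")
    bad = good.replace("egparam=egvalue&", "egparam=bogus&", 1)
    print(verify_received_request(good))  # (True, 'ok')
    print(verify_received_request(bad))   # (False, 'received URL does not match openid.return_to')
```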

