[Code] Python library only supports assertions sent as GET (not POST)
Yang Zhao
yang at yangman.ca
Thu Nov 17 23:53:46 UTC 2011
On 17 November 2011 15:42, Jack Bates <d8526k at nottheoilrig.com> wrote:
>> Any query parameters that are present in the "openid.return_to" URL MUST also
>> be present with the same values in the URL of the HTTP request the RP
>> received
>
> e.g. an assertion with:
>
> openid.return_to=http://example.com/return?egparam=egvalue
>
> - is valid if sent to http://example.com/return?egparam=egvalue but invalid if
> sent to http://example.com/return or http://example.com/return?egparam=bogus
>
> In the Python OpenID library, this is implemented by _verifyReturnToArgs().
This is not the case.
The URL verification you're referring to happens in
consumer._checkReturnTo(), starting at line 671.
consumer._verifyReturnToArgs(), afaict, checks that:
1) openid.return_to is present in the response
2) it is the same URL sent in the authentication request message
3) it is accounted for in the message signing signature
--
Yang Zhao
http://yangman.ca
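The return_to rule quoted at the top of this thread, as a standalone check written for this reply (added illustration; it is not python-openid's _checkReturnTo() or _verifyReturnToArgs(), and the example URLs are the ones from the quoted mail):

```python
from urllib.parse import parse_qs, urlsplit


def verify_return_to_args(return_to: str, received_url: str) -> bool:
    """Return True only if ``received_url`` satisfies the OpenID 2.0 rule for
    ``openid.return_to``: every query parameter named in return_to must be
    present in the URL the RP actually received, with identical values.

    Parameters that appear only on the received URL (the openid.* fields the
    OP appends, for instance) are allowed. Scheme, host and path are also
    compared, since a matching query string on a different endpoint is still
    not the URL the RP asked to be returned to.
    """
    rt = urlsplit(return_to)
    rx = urlsplit(received_url)

    # Scheme and host are case-insensitive; the path is not. An empty path
    # is treated as "/" so that http://h and http://h/ compare equal.
    if (rt.scheme.lower(), rt.netloc.lower(), rt.path or "/") != (
        rx.scheme.lower(), rx.netloc.lower(), rx.path or "/"
    ):
        return False

    # keep_blank_values=True so that "?flag=" is not silently dropped and
    # then reported as "absent" or "present" depending on the parser.
    rt_args = parse_qs(rt.query, keep_blank_values=True)
    rx_args = parse_qs(rx.query, keep_blank_values=True)

    # For each name in return_to, the received URL must carry exactly the
    # same multiset of values (a repeated parameter must repeat identically).
    for name, values in rt_args.items():
        if sorted(rx_args.get(name, [])) != sorted(values):
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs taken from the example in the quoted mail.
    rt = "http://example.com/return?egparam=egvalue"
    for url in (
        "http://example.com/return?egparam=egvalue",
        "http://example.com/return",
        "http://example.com/return?egparam=bogus",
    ):
        print(url, "->", "valid" if verify_return_to_args(rt, url) else "invalid")
```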