[Code] How to distinguish, server-side, direct request from an indirect request?
Michał Górny
mgorny at gentoo.org
Mon Jun 24 13:18:37 UTC 2013
Hello,

I'm implementing an OpenID provider server and looking throughout the
OpenID Auth 2.0 spec, I can't find how to properly distinguish a direct
request from an indirect one.

What I'm trying to do is properly implement error responses. As far as
I understand the spec, there are three kinds of error responses I need
to support:

* error responses to direct requests that need to be sent KV-encoded,
* error responses to indirect requests that should be sent back
  to openid.return_to as a redirect,
* error responses to malformed indirect requests (esp. lacking
  openid.return_to) that should be displayed human-readable to user.

As far as I can guess, a request having openid.return_to is most likely
an indirect request. But how to distinguish a direct request from a
malformed indirect request?

The spec is mostly putting overlapping rules on direct and indirect
requests. It also lists the uses for particular kinds of requests but
that doesn't seem normative, and doesn't solve malformed request
problem.

The only other heuristic I can think of is using the Accept header,
assuming that a web browser would list any kind of HTML format there
and OpenID client wouldn't.

Could any of you help me? I've tried on stackoverflow.com already [1]
and didn't get a single answer. Feel free to answer there if you'd like
to get the kudos.

[1]: http://stackoverflow.com/questions/17217502/how-to-distinguish-server-side-direct-request-from-an-indirect-request-in-open

--
Best regards,
Michał Górny
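
The three error paths listed in the message above, as an added example that is not part of the original post. It assumes the request kind is inferred from `openid.mode` (`associate` and `check_authentication` as direct, `checkid_setup` and `checkid_immediate` as indirect); `error_response`, `kv_encode` and `safe_return_to` are hypothetical helper names, and the URLs used with it are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Assumption of this example: the request kind is inferred from openid.mode.
DIRECT_MODES = {"associate", "check_authentication"}
INDIRECT_MODES = {"checkid_setup", "checkid_immediate"}


def kv_encode(fields):
    """Key-Value Form: one 'key:value' pair per line, newline-terminated."""
    for key, value in fields.items():
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError("field not representable in Key-Value Form")
    return "".join(f"{k}:{v}\n" for k, v in fields.items())


def safe_return_to(params):
    """Return openid.return_to only if it is an absolute http(s) URL."""
    url = params.get("openid.return_to", "")
    parts = urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else None


def error_response(params, message):
    """Pick the error encoding; returns (status, headers, body)."""
    mode = params.get("openid.mode")
    return_to = safe_return_to(params)
    if mode in INDIRECT_MODES and return_to:
        # Indirect error: redirect back to the relying party, keeping any
        # query parameters already present on return_to.
        parts = urlsplit(return_to)
        query = parse_qsl(parts.query, keep_blank_values=True) + [
            ("openid.ns", OPENID2_NS),
            ("openid.mode", "error"),
            ("openid.error", message),
        ]
        location = urlunsplit(parts._replace(query=urlencode(query)))
        return 302, {"Location": location}, ""
    if mode in DIRECT_MODES:
        # Direct error: HTTP 400 with a Key-Value Form body.
        body = kv_encode({"ns": OPENID2_NS, "error": message})
        return 400, {"Content-Type": "text/plain"}, body
    # Malformed or unrecognised request: nothing trustworthy to redirect to,
    # so show the error to the user. Plain text keeps request-derived data
    # from being interpreted as markup.
    text = "OpenID request error: " + message
    return 400, {"Content-Type": "text/plain; charset=utf-8"}, text
```
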