[OpenID] ANN: OpenID4Java 0.9.4 - OpenID draft 12 and AX draft 7 support

Jack jack at jackpot.uk.net
Mon Oct 1 16:33:55 UTC 2007


Hans Granqvist wrote:
> It would be quite useful if there was an official OpenID reference 
> implementation, both RP and OP. Without a reference implementation,
> a standard probably should not be considered final.
> 
> Ref. implementations are of enormous value for standards adoption. 
> Think for example where the Java servlets standard would have been 
> without Apache Tomcat.

Somewhere closer to Jetty, perhaps? Tomcat is and always has been rotten
code; and it has suffered bloat, so that it isn't any longer just a
servlet implementation - it's halfway to J2EE. There's nothing about
JNDI in the servlet spec, for example.

Actually, I agree. But as far as OpenID is concerned a test-suite would
be even more useful, I think.

A reference implementation of an OP would allow a developer to construct
an RP that had a fair chance of being compliant; an OP needs to accept
any standard-compliant requests from an RP. But what would a reference
implementation of an RP do? To comply with the standards, you need to
support RPs that vary quite significantly in what they will ask for. So
a reference RP needs to be configurable to issue 1.0, 1.1, and 2.0
requests, as well as requests for extensions, unencrypted requests and
requests with no association.

I've been thinking of trying to construct a testing engine that could be
put on a public website, but I suspect it will present significant
problems. At the least, to construct an automated test, you need to be
able to reliably scrape login screens. Perhaps, if the tester can input
some scraping hints, that might make it easier.

Is anyone working on a test engine that could be used to validate an
arbitrary RP or an OP, without getting involved in collusion? At the
moment, I'm testing using debug lines, but my tests are critically
dependent on my own understanding of the specs, which is evidently
deficient. A public test-suite would be open to critical appraisal, and
so would make for a much more robust and well-understood spec.

-- 
Jack Cleaver.


