[Openid-specs-ab] JS Code example for Basic.
John Bradley
ve7jtb at ve7jtb.com
Tue Apr 10 01:52:15 UTC 2012
Edmund,
The parameters from the fragment are posted to 'https://' + window.location.host + '/catch_response'
You want the example path to be '/logged_in_site'?
I don't get what you are referring to with the state parameter.
The redirect_uri would need to be https://client.example.com/cb; that is why I included the GET.
I changed the parameter to postBody from queryString to make it clearer.
John B.
On 2012-04-09, at 9:46 PM, Edmund Jay wrote:
> John,
>
> The code is correct, but only if the 'state' parameter in the request points to a new location where the user-agent will be redirected to after sending the data to the server.
>
> Otherwise, we should just write:
>
> window.location = 'https://' + window.location.host + '/logged_in_site'
>
> or something similar.
>
> -- Edmund
>
> From: John Bradley <ve7jtb at ve7jtb.com>
> To: "<openid-specs-ab at lists.openid.net>" <openid-specs-ab at lists.openid.net>
> Sent: Mon, April 9, 2012 9:13:44 AM
> Subject: [Openid-specs-ab] JS Code example for Basic.
>
> I included an example JS in Basic that could be used by a RP to extract the fragment and post it back to the server.
>
> I based it on a Google example, but changed it from GET to POST for security reasons.
>
> I don't expect that it would work in all browsers, and would not work with no script turned on.
>
> It is an example; covering all the conditions would take away from that.
>
> I am including it in the email for people to review.
>
> I am not an AJAX programmer, so it could be wrong.
>
> Feedback please.
>
> John B.
>
> GET /cb HTTP/1.1
> Host: client.example.com
>
>
> HTTP/1.1 200 OK
> Content-Type: text/html; charset=utf-8
>
> <script type="text/javascript">
>
> // First, parse the fragment (the part of the URL after '#')
> var params = {}, queryString = location.hash.substring(1),
>     regex = /([^&=]+)=([^&]*)/g, m;
> while (m = regex.exec(queryString)) {
>   params[decodeURIComponent(m[1])] = decodeURIComponent(m[2]);
> }
>
> // And send the token over to the server
> var req = new XMLHttpRequest();
> // using POST so query isn't logged
> req.open('POST', 'https://' + window.location.host + '/catch_response', true);
> req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
>
> req.onreadystatechange = function (e) {
>   if (req.readyState == 4) {
>     if (req.status == 200) {
>       // redirect target is taken from the 'state' parameter
>       window.location = params['state'];
>     }
>     else if (req.status == 400) {
>       alert('There was an error processing the token.');
>     }
>     else {
>       alert('something else other than 200 was returned');
>     }
>   }
> };
> req.send(queryString);
>
> </script>
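
Added example, not part of the thread or of the Basic draft: the same fragment-to-POST callback, with the redirect question raised above handled by honouring 'state' as a destination only when it resolves to the client's own origin and otherwise using the fixed '/logged_in_site' path. The helper names parseFragment and postLoginTarget are hypothetical, and treating 'state' as a return URL is the thread's convention, assumed here.

```javascript
// Added example; parseFragment and postLoginTarget are hypothetical names.
// Parse "#a=1&b=2" into a prototype-free map; null on malformed encoding.
function parseFragment(hash) {
  const params = Object.create(null);
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? '' : pair.slice(eq + 1);
    try {
      params[decodeURIComponent(key)] = decodeURIComponent(val);
    } catch (e) {
      return null; // bad percent-encoding: reject the whole response
    }
  }
  return params;
}

// Use `state` as the destination only if it resolves to the same origin;
// anything else (absent, other host, other scheme) gets the fixed path.
function postLoginTarget(state, origin, fallbackPath) {
  const fallback = origin + fallbackPath;
  if (typeof state !== 'string' || state === '') return fallback;
  let url;
  try {
    url = new URL(state, origin + '/');
  } catch (e) {
    return fallback;
  }
  return url.origin === origin ? url.href : fallback;
}

// Browser wiring; skipped where no window exists (for example under Node).
if (typeof window !== 'undefined') {
  const origin = window.location.origin;
  const body = window.location.hash.substring(1);
  const params = parseFragment(body);
  // Take the token out of the address bar and history before anything else.
  history.replaceState(null, '', window.location.pathname + window.location.search);
  if (params !== null) {
    const req = new XMLHttpRequest();
    req.open('POST', origin + '/catch_response', true); // POST keeps it out of URL logs
    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    req.onload = function () {
      if (req.status === 200) {
        window.location.replace(postLoginTarget(params.state, origin, '/logged_in_site'));
      }
    };
    req.send(body);
  }
}
```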