[Openid-specs-ab] JS Code example for Basic.

Edmund Jay ejay at mgi1.com
Tue Apr 10 17:16:16 UTC 2012


John,

The code is correct in that the fragment parameters are posted to 'https://' + 
window.location.host + '/catch_response'.
However, in the onreadystatechange function, when the response from the POST is an 
HTTP 200 code, the current window's location is changed to
params['state']. Unless params['state'] is a URL, the browser might get an 
error because the location may not be a valid URL.
So I'm just proposing that the line be changed to some URL so that there is no 
dependency on the state parameter being a URL.
Or we can just delete that line and add some comments to say the UI should be 
updated or refreshed.




________________________________
From: John Bradley <ve7jtb at ve7jtb.com>
To: Edmund Jay <ejay at mgi1.com>
Cc: "<openid-specs-ab at lists.openid.net>" <openid-specs-ab at lists.openid.net>
Sent: Mon, April 9, 2012 6:52:15 PM
Subject: Re: [Openid-specs-ab] JS Code example for Basic.

Edmund,

The parameters from the fragment are posted to 'https://' + window.location.host 
+ '/catch_response'

You want the example path to be '/logged_in_site' ?

I don't get what you are referring to with the state parameter.

The redirect_uri would need to be https://client.example.com/cb that is why I 
included the GET.

I changed the parameter to postBody from queryString to make it clearer.

John B.


On 2012-04-09, at 9:46 PM, Edmund Jay wrote:

>John,
>
>The code is correct, but only if the 'state' parameter in the request points to a 
>new location where the user-agent will be redirected to after sending the data
>to the server.
>
>Otherwise, we should just write:
>
>window.location = 'https://' + window.location.host + '/logged_in_site'
>
>or something similar.
>
>
>-- Edmund
>
>
>
>
>
>
>
>________________________________
>From: John Bradley <ve7jtb at ve7jtb.com>
>To: "<openid-specs-ab at lists.openid.net>" <openid-specs-ab at lists.openid.net>
>Sent: Mon, April 9, 2012 9:13:44 AM
>Subject: [Openid-specs-ab] JS Code example for Basic.
>
>I included an example JS in Basic that could be used by an RP to extract the 
>fragment and post it back to the server.
>
>I based it on a Google example, but changed it from GET to POST for security 
>reasons.
>
>I don't expect that it would work in all browsers, and would not work with no 
>script turned on.
>
>It is an example; covering all the conditions would take away from that.
>
>I am including it in the email for people to review.
>
>I am not an AJAX programmer, so it could be wrong.
>
>Feedback please.
>
>John B.
>
>GET /cb HTTP/1.1
>Host: client.example.com
>          
>          
>HTTP/1.1 200 OK
>Content-Type: text/html; charset=utf-8
>
><script type="text/javascript">
>
>// First, parse the query string
>var params = {}, queryString = location.hash.substring(1),
>    regex = /([^&=]+)=([^&]*)/g, m;
>while (m = regex.exec(queryString)) {
>  params[decodeURIComponent(m[1])] = decodeURIComponent(m[2]);
>}
>
>// And send the token over to the server
>var req = new XMLHttpRequest();
>// using POST so query isn't logged
>req.open('POST', 'https://' + window.location.host + '/catch_response', true);
>req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
>
>req.onreadystatechange = function (e) {
>  if (req.readyState == 4) {
>    if (req.status == 200) {
>      window.location = params['state'];
>    }
>    else if (req.status == 400) {
>      alert('There was an error processing the token.');
>    }
>    else {
>      alert('something else other than 200 was returned');
>    }
>  }
>};
>req.send(queryString);
></script>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120410/4875845b/attachment.html>
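
One way to remove the dependency on 'state' being a URL, as discussed in this thread. This is an added example, not code from the thread or from the specification; parseFragment, nextLocation and handleAuthResponse are hypothetical names, while '/catch_response' and '/logged_in_site' are the paths mentioned above.

```javascript
// Added example, not from the thread. parseFragment, nextLocation and
// handleAuthResponse are hypothetical names; the two paths come from the thread.

// Parse "#a=b&c=d" into a map; pairs with bad %-encoding are skipped.
function parseFragment(hash) {
  const params = Object.create(null);
  const body = hash.charAt(0) === '#' ? hash.substring(1) : hash;
  const regex = /([^&=]+)=([^&]*)/g;
  let m;
  while ((m = regex.exec(body)) !== null) {
    try {
      params[decodeURIComponent(m[1])] = decodeURIComponent(m[2]);
    } catch (e) { /* invalid escape sequence: ignore this pair */ }
  }
  return params;
}

// Pick the page to load after a 200 from /catch_response. `state` arrives in
// the fragment, so it is used only when it is a path that resolves to our own
// origin; an opaque token or any other value yields the fixed landing page.
function nextLocation(origin, state) {
  const fallback = origin + '/logged_in_site';
  if (typeof state !== 'string' || state.charAt(0) !== '/') return fallback;
  let target;
  try {
    target = new URL(state, origin + '/');
  } catch (e) {
    return fallback;
  }
  return target.origin === origin ? target.href : fallback;
}

// Browser glue: POST the fragment, then navigate without trusting `state`.
function handleAuthResponse(win) {
  const origin = 'https://' + win.location.host;
  const postBody = win.location.hash.substring(1);
  const state = parseFragment(win.location.hash)['state'];
  const req = new XMLHttpRequest();
  req.open('POST', origin + '/catch_response', true); // POST so the token is not logged
  req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  req.onreadystatechange = function () {
    if (req.readyState !== 4) return;
    if (req.status === 200) win.location.replace(nextLocation(origin, state));
    else win.document.title = 'Sign-in failed (' + req.status + ')'; // update the UI
  };
  req.send(postBody);
}

if (typeof window !== 'undefined') handleAuthResponse(window);
```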

