[Openid-specs-ab] JS Code example for Basic.

John Bradley ve7jtb at ve7jtb.com
Tue Apr 10 17:20:21 UTC 2012


OK I get it.

On 2012-04-10, at 2:16 PM, Edmund Jay wrote:

> John,
> 
> The code is correct in that the fragment parameters are posted to 'https://' + window.location.host + '/catch_response'
> However, in the onreadystatechange function, when the response from the POST is an HTTP 200 code, the current window's location is changed
> to params['state']. Unless params['state'] is a URL, the browser might get an error because the location may not be a valid URL.
> So I'm just proposing that the line be changed to some URL so that there is no dependency on the state parameter being a URL.
> Or we can just delete that line and add some comments to say the UI should be updated or refreshed.
> 
> 
> From: John Bradley <ve7jtb at ve7jtb.com>
> To: Edmund Jay <ejay at mgi1.com>
> Cc: "<openid-specs-ab at lists.openid.net>" <openid-specs-ab at lists.openid.net>
> Sent: Mon, April 9, 2012 6:52:15 PM
> Subject: Re: [Openid-specs-ab] JS Code example for Basic.
> 
> Edmund,
> 
> The parameters from the fragment are posted to 'https://' + window.location.host + '/catch_response'
> 
> You want the example path to be '/logged_in_site' ?
> 
> I don't get what you are referring to with the state parameter.
> 
> The redirect_uri would need to be https://client.example.com/cb; that is why I included the GET.
> 
> I changed the parameter to postBody from queryString to make it clearer.
> 
> John B.
> 
> On 2012-04-09, at 9:46 PM, Edmund Jay wrote:
> 
>> John,
>> 
>> The code is correct, but only if the 'state' parameter in the request points to a new location where the user-agent will be redirected to after sending the data
>> to the server.
>> 
>> Otherwise, we should just write:
>> 
>> window.location = 'https://' + window.location.host + '/logged_in_site'
>> 
>> or something similar.
>> 
>> 
>> -- Edmund
>> 
>> 
>> 
>> 
>> From: John Bradley <ve7jtb at ve7jtb.com>
>> To: "<openid-specs-ab at lists.openid.net>" <openid-specs-ab at lists.openid.net>
>> Sent: Mon, April 9, 2012 9:13:44 AM
>> Subject: [Openid-specs-ab] JS Code example for Basic.
>> 
>> I included an example JS in Basic that could be used by a RP to extract the fragment and post it back to the server.
>> 
>> I based it on a Google example, but changed it from GET to POST for security reasons.
>> 
>> I don't expect that it would work in all browsers, and would not work with no script turned on.
>> 
>> It is an example, covering all the conditions would take away from that.
>> 
>> I am including it in the email for people to review.  
>> 
>> I am not an AJAX programmer, so it could be wrong.
>> 
>> Feedback please.
>> 
>> John B.
>> 
>> GET /cb HTTP/1.1
>> Host: client.example.com
>>           
>>           
>> HTTP/1.1 200 OK
>> Content-Type: text/html; charset=utf-8
>> 
>> <script type="text/javascript">
>> 
>> // First, parse the query string
>> var params = {}, queryString = location.hash.substring(1),
>>     regex = /([^&=]+)=([^&]*)/g, m;
>> while (m = regex.exec(queryString)) {
>>   params[decodeURIComponent(m[1])] = decodeURIComponent(m[2]);
>> }
>> 
>> // And send the token over to the server
>> var req = new XMLHttpRequest();
>> // using POST so query isn't logged
>> req.open('POST', 'https://' + window.location.host + '/catch_response', true);
>> req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
>> 
>> req.onreadystatechange = function (e) {
>>   if (req.readyState == 4) {
>>     if (req.status == 200) {
>>       window.location = params['state'];
>>     }
>>     else if (req.status == 400) {
>>       alert('There was an error processing the token.');
>>     }
>>     else {
>>       alert('something else other than 200 was returned');
>>     }
>>   }
>> };
>> req.send(queryString);
>> </script>
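
The change Edmund proposes in this thread, removing the dependency on `state` being a URL, could look like the following. This is an added example, not code from the thread or from the OpenID Connect drafts; `FALLBACK_PATH`, the function names, and the choice to accept `state` only as a same-origin path are assumptions.

```javascript
// Added example (not from the thread). FALLBACK_PATH is the fixed page Edmund
// suggested; treating state as an optional same-origin path is an assumption.
const FALLBACK_PATH = '/logged_in_site';

// Parse the response fragment. URLSearchParams stands in for the draft's regex
// loop and, unlike decodeURIComponent, does not throw on malformed %-escapes.
function parseFragment(hash) {
  const params = Object.create(null);
  const raw = hash.startsWith('#') ? hash.substring(1) : hash;
  for (const [key, value] of new URLSearchParams(raw)) {
    params[key] = value;
  }
  return params;
}

// Pick the page to load after /catch_response returns 200. state comes from the
// fragment, so it is honoured only when it is a path on the client's own origin;
// an opaque state value, or any other URL, gets the fixed fallback.
function nextLocation(params, origin) {
  const fallback = origin + FALLBACK_PATH;
  const state = params['state'];
  if (typeof state !== 'string' || !state.startsWith('/')) {
    return fallback;
  }
  try {
    const target = new URL(state, origin);
    return target.origin === origin ? target.href : fallback;
  } catch (e) {
    return fallback;
  }
}

// Same flow as the draft: POST the fragment, then navigate on success.
// win is the browser's window object (passed in so the code can be tested).
function postFragment(win) {
  const raw = win.location.hash.substring(1);
  const params = parseFragment(raw);
  const origin = win.location.origin;
  const req = new win.XMLHttpRequest();
  req.open('POST', origin + '/catch_response', true);
  req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  req.onreadystatechange = function () {
    if (req.readyState === 4 && req.status === 200) {
      win.location = nextLocation(params, origin);
    }
  };
  req.send(raw);
}
```

In a page this would be invoked as `postFragment(window)`.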
