Python OpenID

Carl Howells chowells at janrain.com
Tue Jul 5 10:01:52 PDT 2005


Dan Connolly wrote:
> I can't tell if it's working or not. What's
> supposed to happen after step 3 where I
> put http://localhost:8082/whoever in the form?
> 
> I get a page that says "Log In!" and
> "No password used because this is just an example."
> and when I hit the "Log In" button, it just comes
> back to the same page.
> 
> Is that as designed? I'm not really clear on how
> OpenID works yet.

Ok, looks like you're getting hung up by my sample OpenID server's 
design.  I suppose its functionality isn't all that clear if you haven't 
read its code.

The first thing to note is that the background color of the page 
indicates whether the OpenID server or consumer is responsible for the 
page.  A yellow background indicates a page the consumer drew; a purple 
background indicates a page the OpenID server drew.

Second, the server has two jobs.  Its first job is to send identity 
pages.  Those can be reached via:

http://localhost:8082/username

Those pages are simple, and consist just of the minimal useful 
information:  What the username is, the <link rel=...> tags in the HTML 
head, and a link back to the server homepage.

So if you go to the consumer example:

http://localhost:8081/

And type in an identity URL like:

http://localhost:8082/bob

The consumer will try to verify that you own that address, so it will 
ask the server if it can verify it.  The server can't, initially, for 
two reasons.  First, you aren't logged in as bob.  Second, bob hasn't 
given permission for the consumer to know his identity URL.

So the screen you're seeing is asking you to log in as the user you're 
trying to authenticate as.  As it's just a stupid example, it doesn't 
use passwords or actual accounts, so just feed it the username that goes 
with your identity URL.  After you correctly input that username, it 
will ask you if you want to allow the consumer to know your identity. 
If you allow that, it returns to the consumer, who now has your identity 
verified.

The example server sets a cookie to track your current identity, and it 
uses RAM-based storage to track which trust_roots you've allowed to see 
the identity for each user.

Hopefully this will be enough information for you to understand what's 
going on in each step.  Clearly, the README with the example needs to be 
updated, and I'll work on that.

Thanks for your feedback!

Carl
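
The decision the sample server makes at each step described above, modeled as an added example (not the sample server's own code and not part of the original message). The class, method names and result strings are hypothetical; only the URLs, the cookie-tracked identity and the in-RAM per-user trust_root list come from the message.

```python
class ExampleServerModel:
    """Toy model: identity pages at <base_url>/<username>, approvals kept in RAM."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.approved = {}  # username -> set of allowed trust_roots (lost on restart)

    def username_for(self, identity_url):
        # Map an identity URL back to the username it belongs to, or None.
        prefix = self.base_url + "/"
        if not identity_url.startswith(prefix):
            return None
        name = identity_url[len(prefix):]
        return name if name and "/" not in name else None

    def check(self, identity_url, trust_root, cookie_user):
        """Return what the server would do for a consumer's verification request."""
        user = self.username_for(identity_url)
        if user is None:
            return "unknown_identity"
        if cookie_user != user:          # not logged in as the identity's owner
            return "need_login"
        if trust_root not in self.approved.get(user, set()):
            return "need_approval"       # owner has not allowed this consumer yet
        return "verified"

    def allow(self, cookie_user, trust_root):
        # Record that the logged-in user lets this trust_root see the identity.
        self.approved.setdefault(cookie_user, set()).add(trust_root)


def walk_through():
    """Replay the flow from the message with constructed inputs."""
    server = ExampleServerModel("http://localhost:8082")
    identity, consumer = "http://localhost:8082/bob", "http://localhost:8081/"
    steps = [
        server.check(identity, consumer, None),     # no cookie yet
        server.check(identity, consumer, "alice"),  # logged in as someone else
        server.check(identity, consumer, "bob"),    # right user, consumer not allowed
    ]
    server.allow("bob", consumer)
    steps.append(server.check(identity, consumer, "bob"))
    # Approval is per trust_root: a different consumer must be allowed separately.
    steps.append(server.check(identity, "http://localhost:9000/", "bob"))
    return steps


if __name__ == "__main__":
    print(walk_through())
```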

