Python OpenID

Dan Connolly connolly at w3.org
Tue Jul 5 13:18:51 PDT 2005


On Tue, 2005-07-05 at 10:01 -0700, Carl Howells wrote:
> Hopefully this will be enough information for you to understand what's 
> going on in each step.

I think so... thanks!

Details...

> Dan Connolly wrote:
> > I can't tell if it's working or not. What's
> > supposed to happen after step 3 where I
> > put http://localhost:8082/whoever in the form?
> > 
> > I get a page that says "Log In!" and
> > "No password used because this is just an example."
> > and when I hit the "Log In" button, it just comes
> > back to the same page.
> > 
> > Is that as designed? I'm not really clear on how
> > OpenID works yet.
> 
> Ok, looks like you're getting hung up by my sample OpenID server's 
> design.  I suppose its functionality isn't all that clear if you haven't 
> read its code.

Well, I tried to read the code, but not knowing what it was
supposed to do hindered me quite a bit. I'm getting further
now...

Also, the use of from _module_ import * makes it harder
to follow references from one part of the code to another.
Could I talk you out of that? Maybe with a patch?

> The first thing to note is that the background color of the page 
> indicates whether the OpenID server or consumer is responsible for the 
> page.  A yellow background indicates a page the consumer drew, a purple 
> background indicates a page the openid server drew.

I started to suspect that...

> Second, the server has two jobs.  Its first job is to send identity 
> pages.  Those can be reached via:
> 
> http://localhost:8082/username
> 
> Those pages are simple, and consist just of the minimal useful 
> information:  What the username is, the <link rel=...> tags in the HTML 
> head, and a link back to the server homepage.
> 
> So if you go to the consumer example:
> 
> http://localhost:8081/
> 
> And type in an identity url like:
> 
> http://localhost:8082/bob
> 
> The consumer will try to verify that you own that address, so it will 
> ask the server if it can verify it.  The server can't, initially, for 
> two reasons.  First, you aren't logged in as bob.  Second, bob hasn't 
> given permission for the consumer to know his identity URL.

Hmm... I just typed my identity URL into the consumer, didn't I?
Oh... I haven't told the *server* that I'm happy for the
consumer to know my identity URL.

> So the screen you're seeing is asking you to log in as the user you're 
> trying to authenticate as.  As it's just a stupid example, it doesn't 
> use passwords or actual accounts, so just feed it the username that goes 
> with your identity url.

Ah... I get it now...

>   After you correctly input that username, it 
> will ask you if you want to allow the consumer to know your identity. 
> If you allow that, it returns to the consumer, who now has your identity 
> verified.

I'm still not clear on what credentials I'm giving to the server.

What stops J Random Black-hat from using my identity URL, once
I've logged in and told the server about that consumer?

I guess he won't have the right credentials in his cookies?
I'll have to study the protocol docs some more...

> The example server sets a cookie to track your current identity, and it 
> uses RAM-based storage to track which trust_roots you've allowed to see 
> the identity for each user.
> 
> Hopefully this will be enough information for you to understand what's 
> going on in each step.

I think so... thanks!

>   Clearly, the README with the example needs to be 
> updated, and I'll work on that.
> 
> Thanks for your feedback!
> 
> Carl
-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E
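To make the exchange in the thread concrete, here is a toy, in-process model of the example server and consumer as Carl describes them (identity pages with a <link rel=...> tag, a cookie for the current identity, RAM-based storage of the trust_roots each user has allowed). It is an added illustration, not python-openid's own code; the class and method names (IdentityServer, Consumer, check_identity) are assumptions, no HTTP is performed, and a dict stands in for the browser's cookie jar. The last step replays Dan's black-hat question.

```python
"""Toy model of the consumer/server exchange described in the thread.
Added illustration, not python-openid's code; names are assumptions."""
import re
import secrets

# OpenID 1.x discovery: the identity page carries <link rel="openid.server">
LINK_RE = re.compile(r'<link\s+rel="openid\.server"\s+href="([^"]+)"', re.I)


class IdentityServer:
    """The purple-page side: serves identity pages, tracks the current
    identity with a cookie, and keeps per-user allowed trust_roots in RAM."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.sessions = {}   # cookie value -> username
        self.allowed = {}    # username -> set of trust_roots the user approved

    def identity_page(self, username):
        # Minimal page: the username, the <link rel=...> tag, and a link home.
        return (
            f'<html><head><link rel="openid.server" '
            f'href="{self.base_url}/openidserver"></head>'
            f'<body>{username} <a href="{self.base_url}/">home</a></body></html>'
        )

    def login(self, cookies, username):
        # As in the example server: no password, just a username, and a
        # fresh unguessable session token handed back as the cookie.
        token = secrets.token_hex(16)
        self.sessions[token] = username
        cookies["openid_session"] = token

    def allow(self, cookies, trust_root):
        # The "may this consumer know your identity?" yes-click.
        user = self.sessions.get(cookies.get("openid_session"))
        if user is None:
            raise PermissionError("not logged in")
        self.allowed.setdefault(user, set()).add(trust_root)

    def check_identity(self, cookies, identity_url, trust_root):
        """Consumer's question: does the browser holding these cookies own
        identity_url, and may trust_root learn that?  Returns 'login',
        'allow' or 'ok', the three outcomes the thread describes."""
        user = self.sessions.get(cookies.get("openid_session"))
        claimed = identity_url.rstrip("/").rsplit("/", 1)[-1]
        if user is None or user != claimed:
            return "login"   # not logged in as that user
        if trust_root not in self.allowed.get(user, ()):
            return "allow"   # user hasn't permitted this consumer yet
        return "ok"


class Consumer:
    """The yellow-page side; trust_root is the consumer's own URL."""

    def __init__(self, trust_root, fetch):
        self.trust_root = trust_root
        self.fetch = fetch   # fetch(url) -> HTML body, stands in for HTTP

    def discover(self, identity_url):
        match = LINK_RE.search(self.fetch(identity_url))
        if match is None:
            raise ValueError("no openid.server link on identity page")
        return match.group(1)

    def verify(self, identity_url, server, cookies):
        # Discovery first; then the server decides using the user's cookie.
        self.discover(identity_url)
        return server.check_identity(cookies, identity_url, self.trust_root)


def walk_through():
    """Replays the steps in the thread, then the black-hat question."""
    server = IdentityServer("http://localhost:8082")

    def fetch(url):  # constructed stand-in for fetching the identity page
        return server.identity_page(url.rsplit("/", 1)[-1])

    consumer = Consumer("http://localhost:8081/", fetch)
    bob_browser, blackhat_browser = {}, {}
    identity = "http://localhost:8082/bob"
    steps = {}
    steps["discovered"] = consumer.discover(identity)
    steps["fresh"] = consumer.verify(identity, server, bob_browser)      # login
    server.login(bob_browser, "bob")
    steps["logged_in"] = consumer.verify(identity, server, bob_browser)  # allow
    server.allow(bob_browser, consumer.trust_root)
    steps["allowed"] = consumer.verify(identity, server, bob_browser)    # ok
    # Someone else typing bob's URL holds no session cookie for bob, so the
    # server sends them to the login step rather than reusing bob's approval.
    steps["blackhat"] = consumer.verify(identity, server, blackhat_browser)
    return steps


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step}: {outcome}")
```

The point for Dan's question: the session cookie is the only credential the server sees, and the trust_root approvals are keyed to the user that cookie maps to. Because the example server takes a bare username with no password, that cookie is trivially obtainable by anyone who types "bob"; a real server would put a password (or equivalent) behind login(), and the rest of the flow stays the same.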