Python OpenID
Carl Howells
chowells at janrain.com
Tue Jul 5 14:23:36 PDT 2005
Dan Connolly wrote:
> Also, the use of from _module_ import * makes it harder
> to follow references from one part of the code to another.
> Could I talk you out of that? Maybe with a patch?

You're right that it does make things more complicated to follow. I'm
currently reworking the code anyway, so I'll take a look at getting that
cleaned up.

And for future reference, we'll happily consider all patches. :)

> I'm still not clear on what credentials I'm giving to the server.
>
> What stops J Random Black-hat from using my identity URL, once
> I've logged in and told the server about that consumer?
>
> I guess he won't have the right credentials in his cookies?
> I'll have to study the protocol docs some more...

That's the basic idea. My stupid sample server looks only for a cookie
with the user's login name in it. Obviously that isn't a secure
example, but it isn't too difficult to see how to make an example at
least be much better. Cookie-based credentials are likely to be the
most common, but they certainly aren't the only option. The server can
use any mechanism I can think of right now in theory, though some might
not be suitable in terms of UI.

Thanks again for your feedback.

Carl
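
The cookie check discussed in the message above, as an added example that is not code from the Python OpenID library or its sample server: a bare login-name cookie next to one the server authenticates with an HMAC and an expiry. The function names, cookie layout, key and lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed key for this example; a real server loads a random secret
# from protected storage and never hard-codes it.
SECRET_KEY = b"constructed-example-key"
MAX_AGE = 3600  # assumed policy: a login cookie is valid for one hour


def weak_check(cookie_value):
    """Sample-server style: the cookie IS the login name, so any client
    can claim any identity by typing the name into the cookie."""
    return cookie_value or None


def _mac(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(login, now=None):
    """Return 'login|issued_at|mac'; only the key holder can compute mac."""
    issued = int(time.time() if now is None else now)
    payload = f"{login}|{issued}"
    return f"{payload}|{_mac(payload)}"


def verify_cookie(cookie_value, now=None):
    """Return the login name if the cookie is authentic and fresh, else None."""
    now = time.time() if now is None else now
    parts = (cookie_value or "").rsplit("|", 2)
    if len(parts) != 3:
        return None
    login, issued, mac = parts
    expected = _mac(f"{login}|{issued}")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    # The timestamp is trusted only after the MAC has been verified.
    if not issued.isdigit() or not 0 <= now - int(issued) <= MAX_AGE:
        return None
    return login


if __name__ == "__main__":
    cookie = issue_cookie("dan", now=1000)
    print(weak_check("dan"), verify_cookie("dan", now=1500),
          verify_cookie(cookie, now=1500))
```

A signed cookie is still a bearer credential, so it also needs TLS and the `Secure` and `HttpOnly` cookie attributes to keep it from being copied in transit or by script.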