check_authentication mode is weird

Brad Fitzpatrick brad at danga.com
Tue Jun 14 07:24:21 PDT 2005


I implemented the check_authentication mode (the one for dumb consumers
that can't do caching or sha1, etc) but found it a little weird:

   -- you're sending a bunch of params to the server in a request
      but they look/feel like response parameters

   -- there are just a ton of parameters

   -- the signed attribute you send back will include "mode", but
      the openid.mode in the token_contents isn't present, so
      the server can only assume the mode is "id_res".  so I had to do:

    # list of parameter names covered by the signature, e.g. "mode,identity,return_to"
    my $signed = $self->pargs("openid.signed") || "";
    my $token = "";
    foreach my $param (split(/,/, $signed)) {
        ...
        # the request's own openid.mode is "check_authentication", so the
        # value for "mode" has to be assumed to be "id_res"
        my $val = $param eq "mode" ? "id_res" : $self->pargs("openid.$param");
        ...
        # one "name:value\n" line per signed parameter, in openid.signed order
        $token .= "$param:$val\n";
    }

See the special exception for mode?  Gross.  It also means we can't have a
signature checking mode in the future for non-"id_res" modes.

Options:

   1) don't care.  (easiest for dumb consumers)  and then we just
      add a new check mode in the future if we need it.

   2) care, somehow.  (probably not worth it?)  I was thinking of
      maybe making a generic "check_sig" mode where consumer just
      sends "assoc_handle", "token", and "sig", and server just
      responds "yes" or "no", but that requires consumers making
      the token, concatenating it all.

Just wanted to note this, if anybody cares.  I'd like to hear some "who
cares" responses too if you actually don't care.

- Brad
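As an added illustration of the two sides of this thread (not code from the post or from Net::OpenID), the following Python sketch rebuilds the token from openid.signed with the "mode" substitution the post describes, verifies it with HMAC-SHA1 under the association's shared secret, and also implements the generic "check_sig" mode the post sketches as option 2, where the consumer sends the already-concatenated token. The association handle, shared secret, identity and return_to values are constructed placeholders; HMAC-SHA1 with a base64 signature is assumed as the signing scheme.

```python
import base64
import hashlib
import hmac

# Constructed sample association table: assoc_handle -> shared secret.
# Both values are placeholders made up for this example; nothing here
# comes from the post or from a real server.
ASSOCIATIONS = {
    "assoc-handle-example": b"constructed shared secret, not a real key",
}


def build_token(signed, params, mode="id_res"):
    """Rebuild the token from the comma-separated openid.signed list,
    one "name:value\\n" line per name, the way the post's Perl does.
    The request's own openid.mode is "check_authentication", so the
    value for "mode" is substituted (the special case the post complains about).
    """
    token = ""
    for name in signed.split(","):
        value = mode if name == "mode" else params.get("openid." + name, "")
        token += f"{name}:{value}\n"
    return token


def sign(secret, token):
    """HMAC-SHA1 over the token, base64-encoded, as the signature value."""
    digest = hmac.new(secret, token.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def check_authentication(params):
    """Server side of check_authentication: True iff the forwarded id_res
    parameters carry a valid signature under the named association."""
    secret = ASSOCIATIONS.get(params.get("openid.assoc_handle", ""))
    if secret is None:
        return False  # unknown or expired handle: never answer "yes"
    expected = sign(secret, build_token(params.get("openid.signed", ""), params))
    # constant-time comparison so the check itself does not leak the sig
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


def check_sig(params):
    """Option 2 from the post: the consumer sends assoc_handle, the
    already-concatenated token, and sig; the server only verifies.
    No mode special case, at the cost of the consumer building the token."""
    secret = ASSOCIATIONS.get(params.get("openid.assoc_handle", ""))
    if secret is None:
        return False
    expected = sign(secret, params.get("openid.token", ""))
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


def sample_id_res():
    """Constructed id_res response as the server would have sent it."""
    fields = {
        "openid.mode": "id_res",
        "openid.identity": "http://user.example/",
        "openid.return_to": "http://consumer.example/return",
        "openid.assoc_handle": "assoc-handle-example",
        "openid.signed": "mode,identity,return_to",
    }
    token = build_token(fields["openid.signed"], fields)
    fields["openid.sig"] = sign(ASSOCIATIONS["assoc-handle-example"], token)
    return fields


def sample_check_request(tamper=False):
    """The dumb consumer forwards the id_res fields back with the mode
    changed; tamper=True simulates a modified identity in transit."""
    req = dict(sample_id_res())
    req["openid.mode"] = "check_authentication"
    if tamper:
        req["openid.identity"] = "http://someone-else.example/"
    return req


if __name__ == "__main__":
    print("valid:", check_authentication(sample_check_request()))
    print("tampered:", check_authentication(sample_check_request(tamper=True)))
```

The substitution in build_token is exactly the wart the post points at: the server can only verify id_res-shaped tokens, because the mode it signs over is hard-wired rather than taken from the request.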

