Invalid Association Handles
Thom McGrath
lists at thezaz.com
Tue May 2 03:32:56 UTC 2006
After reading the spec a number of times, I must say I'm a little
confused. During an 'associate' mode, I should create a new
"smart-mode" associate handle and return it. Where I get confused is in the
checkid_* methods. If my server is sent a handle that is invalid,
what is the *correct* way to handle this? The spec says, for the
value of openid.assoc_handle:
"Optional. Consumer must use dumb mode (check_authentication mode) if
an assoc_handle isn't provided. Also, if you use an assoc_handle the
server doesn't know about, it'll pick its own and you'll have to use
dumb mode as well."
Later, for the response openid.invalidate_handle:
"Optional. If the server didn't accept/recognize your provided
assoc_handle for whatever reason, it'll choose its own to use, and
copy the one you provided back into invalidate_handle, to tell you to
stop using it. You should then send it along in your
check_authentication request to verify it actually should be dropped."
So let me verify my understanding. If the handle is good, simply
continue. If it is empty or incorrect, create one and set the
openid.assoc_handle to the handle. If the provided handle is
incorrect, set openid.invalidate_handle response to the incorrect
handle. The consumer should no longer use this handle. Now what?
Should I remove the handle from my database? Should I deny all
subsequent requests that contain this handle? Or should I keep
issuing new handles, even though the consumer keeps using a handle
that it has been told is invalid?
I ask because the OpenID Server Test Tool does not respect the
openid.invalidate_handle response, and continues to use an expired
handle anyway. (The handle is only invalid because I force it to
expire early, thus intentionally causing this issue. This is simply a
matter of testing my server, not the tool using handles past the
expiration date.) I want to know what the correct behavior is, as it
appears to be undefined.
--
Thom McGrath, <http://www.thezaz.com/>
"You don't need eyes to see, you need vision" - Maxi Jazz in
"Reverence" by Faithless
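The handle-handling flow the post describes, as an added example that is not part of the original message or of any OpenID library. It is a self-contained Python sketch of a server's checkid_* and check_authentication handling under the quoted OpenID 1.1 wording: a known, unexpired smart-mode handle is used as-is; an absent, expired or unknown handle causes the server to pick a private (dumb-mode) association and echo the rejected handle in openid.invalidate_handle; check_authentication then confirms the signature with the private secret and, if the handle the consumer asks about is still unknown, echoes it back in invalidate_handle. The store, the `smart-`/`dumb-` handle prefixes, the field subset that gets signed, the fixed lifetime and the choice to discard a private association after one check_authentication are all assumptions of this example, not things the spec text quoted above fixes.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed in-memory association store for the example (not a reference implementation).
class AssociationStore:
    """Maps a handle to (secret, expiry time, is_private)."""

    def __init__(self, lifetime=1200):
        self.lifetime = lifetime          # assumed lifetime in seconds
        self._assocs = {}

    def create(self, now, private=False):
        handle = ("dumb-" if private else "smart-") + secrets.token_hex(8)
        self._assocs[handle] = (secrets.token_bytes(20), now + self.lifetime, private)
        return handle

    def lookup(self, handle, now, private=None):
        """Return the secret, or None if the handle is unknown, expired, or of the wrong kind."""
        entry = self._assocs.get(handle)
        if entry is None:
            return None
        secret, expires, is_private = entry
        if now >= expires:
            self._assocs.pop(handle, None)    # drop an expired handle the first time it is seen
            return None
        if private is not None and is_private != private:
            return None                       # e.g. a dumb-mode handle offered in a checkid_* request
        return secret

    def delete(self, handle):
        self._assocs.pop(handle, None)


def sign_fields(secret, fields, signed):
    """OpenID 1.1 style signature: base64(HMAC-SHA1) over 'key:value\\n' for each signed key."""
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(secret, token.encode(), hashlib.sha1).digest()).decode()


def handle_checkid(store, request, now):
    """Build a signed id_res response, falling back to a private association when needed."""
    handle = request.get("openid.assoc_handle", "")
    secret = store.lookup(handle, now, private=False) if handle else None
    response = {
        "openid.mode": "id_res",
        "openid.identity": request["openid.identity"],
        "openid.return_to": request["openid.return_to"],
    }
    if secret is None:
        # Absent, expired or unknown: pick our own (dumb-mode) association, and if the
        # consumer sent a handle, tell it to stop using that one.
        new_handle = store.create(now, private=True)
        secret = store.lookup(new_handle, now)
        response["openid.assoc_handle"] = new_handle
        if handle:
            response["openid.invalidate_handle"] = handle
    else:
        response["openid.assoc_handle"] = handle
    signed = ["mode", "identity", "return_to"]   # assumed signed subset for the example
    response["openid.signed"] = ",".join(signed)
    response["openid.sig"] = sign_fields(secret, response, signed)
    return response


def handle_check_authentication(store, request, now):
    """Verify a dumb-mode signature and say whether a questioned handle should be dropped."""
    handle = request.get("openid.assoc_handle", "")
    secret = store.lookup(handle, now, private=True)   # only private handles may be checked here
    response = {"openid.mode": "id_res", "is_valid": "false"}
    if secret is not None:
        signed = request["openid.signed"].split(",")
        # The consumer resends the id_res fields with mode changed; verify as mode=id_res.
        fields = dict(request, **{"openid.mode": "id_res"})
        expected = sign_fields(secret, fields, signed)
        if hmac.compare_digest(expected, request.get("openid.sig", "")):
            response["is_valid"] = "true"
        store.delete(handle)   # assumption: a private association is single-use
    stale = request.get("openid.invalidate_handle")
    if stale and store.lookup(stale, now) is None:
        response["invalidate_handle"] = stale   # confirm: yes, drop it
    return response


if __name__ == "__main__":
    # Constructed walk-through: a smart handle that the server force-expires early.
    store = AssociationStore(lifetime=100)
    smart = store.create(now=0)
    req = {"openid.mode": "checkid_immediate", "openid.identity": "http://example.com/user",
           "openid.return_to": "http://consumer.example/return", "openid.assoc_handle": smart}
    print(handle_checkid(store, req, now=10))      # uses the smart handle
    late = handle_checkid(store, req, now=200)     # expired: dumb handle + invalidate_handle
    print(late)
    check = dict(late, **{"openid.mode": "check_authentication"})
    print(handle_check_authentication(store, check, now=201))
```

The consumer that keeps sending the invalidated handle, as the test tool in the post does, simply keeps getting a fresh private association and another invalidate_handle each time; nothing about the old handle has to be stored once it has been dropped from the table.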