Invalid Association Handles
lists at thezaz.com
Tue May 2 03:32:56 UTC 2006
After reading the spec a number of times, I must say I'm a little
confused. During an 'associate' mode, I should create a new "smart-
mode" associate handle and return it. Where I get confused is in the
checkid_* methods. If my server is sent a handle that is invalid,
what is the *correct* way to handle this? The spec says, for the
value of openid.assoc_handle:
"Optional. Consumer must use dumb mode (check_authentication mode) if
an assoc_handle isn't provided. Also, if you use an assoc_handle the
server doesn't know about, it'll pick its own and you'll have to use
dumb mode as well."
Later, for the response openid.invalidate_handle:
"Optional. If the server didn't accept/recognize your provided
assoc_handle for whatever reason, it'll choose its own to use, and
copy the one you provided back into invalidate_handle, to tell you to
stop using it. You should then send it along in your
check_authentication request to verify it actually should be dropped."
So let me verify my understanding. If the handle is good, simply
continue. If it is empty or incorrect, create one and set the
openid.assoc_handle to the handle. If the provided handle is
incorrect, set openid.invalidate_handle response to the incorrect
handle. The consumer should no longer use this handle. Now what?
Should I remove the handle from my database? Should I deny all
subsequent requests that contain this handle? Or should I keep
issuing new handles, even though the consumer keeps using a handle
that it has been told is invalid?
I ask because the OpenID Server Test Tool does not respect the
openid.invalidate_handle response, and continues to use an expired
handle anyway. (The handle is only invalid because I force it to
expire early, thus intentionally causing this issue. This is simply a
matter of testing my server, not the tool using handles past the
expiration date.) I want to know what the correct behavior is, as it
appears to be undefined.
Thom McGrath, <http://www.thezaz.com/>
"You don't need eyes to see, you need vision" - Maxi Jazz in
"Reverence" by Faithless
More information about the yadis