How to implement an OpenID client from scratch?

I need to write an OpenID client for a new platform (some kind of ridiculous flavour of server-side JavaScript), and I'm trying to understand the authentication sequence. I read the Ruby implementation and wrote down the request / response types generated in its tests.

The initial request has the form:

// Assumed here: the OP endpoint discovered for the user's identifier, and the
// association handle obtained from an earlier "associate" request to it
// (null when running in stateless mode, in which case the field is omitted).
var openid_url = 'https://login.launchpad.net/+openid';
var assoc_handle = null;
function getAssocHandle(){ return assoc_handle; }

this.getBeginUrl = function(options){
    if(!options) throw("getBeginUrl requires an options hash of the form: {return_to_path:'/path/to/return?something', base:'http://server.name'}");
    if(!options.return_to_path) throw("must supply return_to_path");
    if(!options.base) throw("must supply base url");
    // return_to may or may not already carry a query string
    var return_to = options.base + options.return_to_path;
    return_to += (return_to.indexOf('?') === -1 ? '?' : '&') + 'open_id_complete=1';
    var params = {
        'ax.mode':'fetch_request',
        'claimed_id':'http://specs.openid.net/auth/2.0/identifier_select',
        'identity':'http://specs.openid.net/auth/2.0/identifier_select',
        'mode':'checkid_setup',
        'ns':'http://specs.openid.net/auth/2.0',
        'ns.ax':'http://openid.net/srv/ax/1.0',
        'ns.sreg':'http://openid.net/extensions/sreg/1.1',
        'realm':options.base,      // return_to must lie under the realm
        'return_to':return_to
    };
    var handle = getAssocHandle();
    if(handle) params['assoc_handle'] = handle;   // omitted in stateless mode
    if(options.required) params['sreg.required'] = options.required;
    var result = [];
    // encodeURIComponent rather than the deprecated escape(): escape() leaves
    // '+', '/' and '@' unencoded, which corrupts values in a query string
    for(var e in params) result.push(encodeURIComponent('openid.'+e) + '=' + encodeURIComponent(params[e]));
    // the OP endpoint may itself have a query string
    return openid_url + (openid_url.indexOf('?') === -1 ? '?' : '&') + result.join('&');
}

So my question is how to create this assoc_handle field and how to check what is returned from the OpenID server. And something about nonces.

The response when I submit this request has the form:

{
    'openid.op_endpoint':'https://login.launchpad.net/+openid',
    'openid.signed':'assoc_handle,claimed_id,identity,invalidate_handle,mode,ns,ns.sreg,op_endpoint,response_nonce,return_to,signed,sreg.nickname',
    'openid.sig':'HMeqwtQ8vG4aNOvRFVSnuOfWv30=',
    'openid.response_nonce':'2010-09-29T10:50:31Z3nPoQ3',
    'open_id_complete':'1',
    'openid.claimed_id':'https://login.launchpad.net/+id/ref466F',
    'foo':'bar',
    'openid.assoc_handle':'{HMAC-SHA1}{4ca319f7}{+KiTxQ==}',
    'openid.sreg.nickname':'michaelforrest',
    'openid.ns':'http://specs.openid.net/auth/2.0',
    'openid.identity':'https://login.launchpad.net/+id/ref466F',
    'openid.ns.sreg':'http://openid.net/extensions/sreg/1.1',
    'openid.mode':'id_res',
    'openid.invalidate_handle':'foo',
    'openid.return_to':'http://localhost:9000/ep/openid/?foo=bar&open_id_complete=1'
}

So I think I need to understand how to verify that this response corresponds to the original request before saving the contents of the nickname field (which is all I'm really interested in checking) somewhere.

+3
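On where assoc_handle comes from: the RP gets it by sending an "associate" request to the OP endpoint before it ever redirects the user. The following is an added example in Node.js, not code from the question or from the Ruby library it mentions; the OP endpoint is taken from the response above, the HTTP transport is left out, and the OP reply at the bottom is constructed (the handle is the one from the question, the MAC key is made up).

```javascript
// Added example (not from the original post): establishing an association
// with the OP, which is where assoc_handle comes from. The RP POSTs an
// "associate" request to the OP endpoint and receives a key-value response
// carrying the handle and the MAC key it will later use to check signatures.
const OP_ENDPOINT = 'https://login.launchpad.net/+openid';  // assumed, from the response in the question

// OpenID 2.0 associate request (spec section 8.1). session_type
// "no-encryption" sends the MAC key in the clear, so it is only allowed
// over HTTPS; over plain HTTP a DH-SHA1 / DH-SHA256 session is required.
function buildAssociateBody(opEndpoint) {
  if (!/^https:/.test(opEndpoint)) throw new Error('no-encryption session requires an https OP endpoint');
  const params = {
    'openid.ns': 'http://specs.openid.net/auth/2.0',
    'openid.mode': 'associate',
    'openid.assoc_type': 'HMAC-SHA1',
    'openid.session_type': 'no-encryption',
  };
  return Object.keys(params).map(k => encodeURIComponent(k) + '=' + encodeURIComponent(params[k])).join('&');
}

// Direct responses come in key-value form: one "key:value\n" line each
// (spec section 4.1.1). A line without a colon is a protocol error.
function parseKeyValue(text) {
  const out = {};
  for (const line of text.split('\n')) {
    if (line === '') continue;
    const i = line.indexOf(':');
    if (i < 0) throw new Error('malformed key-value line: ' + line);
    out[line.slice(0, i)] = line.slice(i + 1);
  }
  return out;
}

// Turn the OP's reply into what the RP has to store alongside the OP
// endpoint: the handle, the raw MAC key and an absolute expiry time.
function parseAssociateResponse(text, nowMs) {
  const kv = parseKeyValue(text);
  if (kv.ns !== 'http://specs.openid.net/auth/2.0') throw new Error('unexpected namespace');
  if (kv.error) throw new Error('OP refused association: ' + kv.error);
  if (kv.assoc_type !== 'HMAC-SHA1' || kv.session_type !== 'no-encryption') {
    throw new Error('OP answered with a different assoc/session type');
  }
  return {
    assoc_handle: kv.assoc_handle,
    mac_key: Buffer.from(kv.mac_key, 'base64'),        // 20 bytes for HMAC-SHA1
    expires_at: nowMs + parseInt(kv.expires_in, 10) * 1000,
  };
}

// Constructed sample of an OP reply: the handle is the one seen in the
// question, the MAC key is made up (bytes 0x00..0x13).
const SAMPLE_ASSOCIATE_RESPONSE =
  'ns:http://specs.openid.net/auth/2.0\n' +
  'assoc_handle:{HMAC-SHA1}{4ca319f7}{+KiTxQ==}\n' +
  'session_type:no-encryption\n' +
  'assoc_type:HMAC-SHA1\n' +
  'expires_in:1209600\n' +
  'mac_key:AAECAwQFBgcICQoLDA0ODxAREhM=\n';

// Usage: POST buildAssociateBody(OP_ENDPOINT) to OP_ENDPOINT with
// Content-Type application/x-www-form-urlencoded, then
// parseAssociateResponse(responseText, Date.now()).
```

The stored handle is what goes into openid.assoc_handle of the checkid_setup request, and the stored mac_key is what the RP checks openid.sig with when the user comes back. If the RP has no association (or the OP reports the handle in openid.invalidate_handle), the fallback is a check_authentication request to the OP.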

[The text of this answer was lost in extraction; only these identifiers survive from it: assoc_handle; openid.signed, openid.sig, openid.mode = check_authentication; UTC, ISO 8601; sreg.nickname; claimed_id.]

+5

Source: https://habr.com/ru/post/1767177/
