Mercurial > openid
changeset 39:f6b3fbf10dac
Proper handling of known vs. to-be-chosen identifiers
author | Adam Chlipala <adam@chlipala.net> |
---|---|
date | Wed, 01 Jun 2011 07:51:55 -0400 (2011-06-01) |
parents | 8d23d76b5d48 |
children | 5415f1ded564 |
files | src/ur/openid.ur src/ur/openid.urs src/ur/openidUser.ur tests/test.ur |
diffstat | 4 files changed, 33 insertions(+), 9 deletions(-) [+] |
line wrap: on
line diff
--- a/src/ur/openid.ur Mon May 16 22:31:26 2011 -0400 +++ b/src/ur/openid.ur Wed Jun 01 07:51:55 2011 -0400 @@ -41,6 +41,10 @@ | Stateful of {AssociationType : association_type, AssociationSessionType : association_session_type} +datatype authentication_mode = + ChooseIdentifier of string + | KnownIdentifier of string + table associations : { Endpoint : string, Handle : string, Typ : serialized association_type, Key : string, Expires : time } PRIMARY KEY Endpoint @@ -384,8 +388,18 @@ val realmString = case r.Realm of None => "" | Some realm => "&openid.realm=" ^ realm + + val (ident, claimed) = + case r.Identifier of + ChooseIdentifier s => (eatFragment s, "http://specs.openid.net/auth/2.0/identifier_select") + | KnownIdentifier s => + let + val s = eatFragment s + in + (s, s) + end in - dy <- discover r.Identifier; + dy <- discover ident; case dy of None => return "Discovery failed" | Some dy => @@ -397,8 +411,8 @@ case r.Association of Stateless => redirect (bless (dy ^ begin ^ "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=checkid_setup" - ^ "&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select" - ^ "&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.assoc_handle=" + ^ "&openid.claimed_id=" ^ claimed + ^ "&openid.identity=" ^ claimed ^ "&openid.assoc_handle=" ^ "&openid.return_to=" ^ show (effectfulUrl returnTo) ^ realmString)) | Stateful ar => assoc <- association ar.AssociationType ar.AssociationSessionType dy; @@ -407,8 +421,8 @@ | AssAlternate _ => return "Association failure: server didn't accept its own alternate association modes" | Association assoc => redirect (bless (dy ^ begin ^ "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=checkid_setup" - ^ "&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select" - ^ "&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.assoc_handle=" + ^ "&openid.claimed_id=" ^ claimed + ^ "&openid.identity=" ^ claimed ^ "&openid.assoc_handle=" ^ assoc.Handle ^ "&openid.return_to=" ^ show (effectfulUrl returnTo) ^ realmString)) end end
--- a/src/ur/openid.urs Mon May 16 22:31:26 2011 -0400 +++ b/src/ur/openid.urs Wed Jun 01 07:51:55 2011 -0400 @@ -72,6 +72,16 @@ | Stateful of {AssociationType : association_type, AssociationSessionType : association_session_type} +(* It is possible to request authentication in two different modes: *) + +datatype authentication_mode = + ChooseIdentifier of string + (* The provider prompts the user to select his identity. + * The string argument should be a generic endpoint, e.g., + * "https://www.google.com/accounts/o8/id". *) + | KnownIdentifier of string + (* Require authentication as this precise identifier. *) + (* An authentication attempt terminates in one of four ways. * First, the user might get bored and surf away, never finishing the process. * If so, your application will never be told explicitly. @@ -110,7 +120,7 @@ * crypto that you ask for, the library automatically * switches to a mode that the server advertises as * supported. *) - Identifier : string, + Identifier : authentication_mode, (* The URL that the user claims identifies him. * It may also point to a generic authentication service * that will take care of deciding the proper
--- a/src/ur/openidUser.ur Mon May 16 22:31:26 2011 -0400 +++ b/src/ur/openidUser.ur Wed Jun 01 07:51:55 2011 -0400 @@ -272,7 +272,7 @@ msg <- Openid.authenticate (opCallback after ses) {Association = M.association, Realm = M.realm, - Identifier = ident}; + Identifier = Openid.KnownIdentifier ident}; error <xml>Login with your identity provider failed: {[msg]}</xml> fun doSignup after r = @@ -287,7 +287,7 @@ msg <- Openid.authenticate (opCallback after ses) {Association = M.association, Realm = M.realm, - Identifier = r.Identifier}; + Identifier = Openid.ChooseIdentifier r.Identifier}; error <xml>Login with your identity provider failed: {[msg]}</xml> fun signup after =
--- a/tests/test.ur Mon May 16 22:31:26 2011 -0400 +++ b/tests/test.ur Wed Jun 01 07:51:55 2011 -0400 @@ -9,7 +9,7 @@ msg <- Openid.authenticate afterward {Association = Openid.Stateful {AssociationType = Openid.HMAC_SHA256, AssociationSessionType = Openid.NoEncryption}, - Identifier = r.Id, + Identifier = Openid.KnownIdentifier r.Id, Realm = Some "http://localhost:8080/"}; error <xml>{[msg]}</xml>