TheBeruriahIncident / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

Cache TTL for discovery documents BY DEFAULT #181

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Set up an OpenID identity through delegation to a provider
    For example, add these two lines to an HTML webpage's <head>:

        <link rel="openid2.provider" href="http://www.myopenid.com/server"/>
        <link rel="openid.server" href="http://www.myopenid.com/server" />
        <link rel="openid2.local_id" href="http://youraccount.myopenid.com/"/>
        <link rel="openid.delegate" href="http://youraccount.myopenid.com/" />

2. For the sake of the example, assume the above setup identity (URL of the 
webpage) is http://example.org/doe

3. Run the simple-openid from samples/ in the openid4java sources.

3. Login there with identity http://example.org/doe

4. Log out

5. Change the delegation to another provider
    E.g. replace the above lines by:

        <link rel="openid2.provider" href="http://www.livejournal.com/openid/server.bml" />
        <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml" />
        <link rel="openid2.local_id" href="http://yourotheraccount.livejournal.com/"/>
        <link rel="openid.delegate" href="http://yourotheraccount.livejournal.com/" />

6. Wait for any time (even a year...), NOT STOPPING the simple-openid

7. Login at the simple-openid with identity http://example.org/doe

What is the expected output?

Redirect to the second provider (livejournal in the example) for authentication.

What do you see instead?

Redirect to the first provider (MyOpenID in the example) for authentication.

What version of the product are you using?

0.9.6.662

On what operating system?

Debian GNU/Linux amd64

Please provide any additional information below.

While it is *possible* for a library user to set a TTL (cf. issue 138), there is 
none by default, and the discovery result is cached indefinitely for the 
duration of the process. E.g. gerrit does not set a TTL and thus gets hit by 
this. Please do the right thing *by* *default* and if no TTL is set, use a 
reasonable value. For example 5 minutes.

Original issue reported on code.google.com by foxyblo...@hotmail.com on 22 Jun 2012 at 9:45

GoogleCodeExporter commented 9 years ago
Fixed in r686, default cache TTL is now 1 minute; clients wanting more can 
change it using the API added with issue 138.

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 8:22
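
The behaviour reported in this issue, as an added example that is not part of the thread and is not openid4java code: a discovery cache with no expiry keeps returning the first provider after the delegation changes, while one with a TTL re-runs discovery. All class and method names are hypothetical, and the clock and the delegating page are constructed stand-ins so the example runs offline.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import java.util.function.LongSupplier;

// Hypothetical sketch; none of these names come from openid4java.
public class DiscoveryCacheDemo {
    static final class Entry {
        final String endpoint;
        final long fetchedAtMillis;
        Entry(String endpoint, long fetchedAtMillis) {
            this.endpoint = endpoint;
            this.fetchedAtMillis = fetchedAtMillis;
        }
    }

    static final class DiscoveryCache {
        private final Map<String, Entry> entries = new HashMap<>();
        private final long ttlMillis;                    // <= 0 means "never expire"
        private final LongSupplier clock;                // injectable time source
        private final Function<String, String> discover; // identity URL -> provider endpoint

        DiscoveryCache(long ttlMillis, LongSupplier clock, Function<String, String> discover) {
            this.ttlMillis = ttlMillis;
            this.clock = clock;
            this.discover = discover;
        }

        synchronized String providerFor(String identity) {
            long now = clock.getAsLong();
            Entry e = entries.get(identity);
            boolean fresh = e != null && (ttlMillis <= 0 || now - e.fetchedAtMillis < ttlMillis);
            if (!fresh) {                                // missing or expired: discover again
                e = new Entry(discover.apply(identity), now);
                entries.put(identity, e);
            }
            return e.endpoint;
        }
    }

    public static void main(String[] args) {
        String[] delegation = { "http://www.myopenid.com/server" }; // constructed page state
        long[] now = { 0L };                                        // constructed clock
        String id = "http://example.org/doe";
        DiscoveryCache noTtl = new DiscoveryCache(0, () -> now[0], u -> delegation[0]);
        DiscoveryCache oneMinute = new DiscoveryCache(60_000L, () -> now[0], u -> delegation[0]);
        noTtl.providerFor(id);                                      // first login fills both caches
        oneMinute.providerFor(id);
        delegation[0] = "http://www.livejournal.com/openid/server.bml"; // delegation changed
        now[0] += 365L * 24 * 60 * 60 * 1000;                       // "even a year" later
        System.out.println("no TTL:       " + noTtl.providerFor(id));
        System.out.println("1 minute TTL: " + oneMinute.providerFor(id));
    }
}
```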