grnq / joid

Java OpenID = JOID OpenID providers and relying parties for OpenID 1.1 and 2.0

Example Consumer not OpenID conform ? #23

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi there,

I'm currently playing around with the JOID examples, which are quite useful, although I came across three issues that made me wonder:

1. On a successful authentication the server returns to the examples index page. The example consumer then uses the cookies set by the provider without validating the provider's handle. Since the example consumer is stateless, shouldn't there be a check_authentication message sent to the server?

2. The example consumer throws the error: "Cannot sign non-existent mapping: op_endpoint" when sending an authentication request.

Is there anyone with this project who encountered the same problems or could correct me if I misunderstood the specifications?

Original issue reported on code.google.com by philip.p...@s-f.com on 21 Jan 2009 at 10:57

GoogleCodeExporter commented 9 years ago
1. I don't think the example consumer is stateless. It relies on various attributes added to the HttpSession. Further, the Nonce and Association objects are stored (stateful) as per the spec (2.0:10) and check_verification seems to be related only to those parts of the communication (2.0:11.3., 11.4.2.1.)

2. I have not encountered this. The consumer example works fine for me with google, yahoo and local OP example IDs.

But, I'm totally new to OpenID and this code, so I am NOT an expert.

For anyone who might NOT care about Java 1.4 compatibility I've been hacking with JOID to get it refactored to a point where I am comfortable with it. You might find my version more to your liking. Or you might think I'm an idiot. Anyway, it's here:

http://swdouglass.com/wiki/Wiki.jsp?page=JOID

Constructive feedback appreciated....

Original comment by scottdou...@gmail.com on 12 Feb 2009 at 8:03

GoogleCodeExporter commented 9 years ago
Hi Scott,

Thanks for your attention.
At least the JOID examples are incomplete. Verification is part of the OpenID standard protocol and it is not included in the examples. Instead the cookies are searched for a user name. As far as I remember there is no check for id_res or cancel mode included.

I switched to OpenID4Java in the meantime. It is not as easy to set up but the examples are way more self-explaining.

Original comment by philip.p...@s-f.com on 16 Feb 2009 at 2:38
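
Added example (not part of the thread and not JOID code): a sketch of the relying-party checks discussed above for an OpenID 2.0 response, covering the `cancel`/`id_res` mode check, the required signed fields (including `op_endpoint`), nonce replay, and the point at which a consumer without a stored association has to fall back to `check_authentication`. The function names, the handle-to-key dictionary and the sample values are assumptions made for illustration; an HMAC-SHA256 association is assumed, and discovery, `return_to` matching and nonce timestamp checks are left out.

```python
import base64, hashlib, hmac

# Fields OpenID 2.0 requires in openid.signed (plus claimed_id/identity if present)
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def sign(params, signed, mac_key):
    # Key-Value form: "key:value\n" per field, in openid.signed order
    text = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
    mac = hmac.new(mac_key, text.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_assertion(params, associations, seen_nonces):
    """Check the query parameters of a return_to request; returns (ok, reason)."""
    mode = params.get("openid.mode")
    if mode == "cancel":
        return False, "cancelled"
    if mode != "id_res":
        return False, "unexpected mode"
    signed = params.get("openid.signed", "").split(",")
    present = {k[7:] for k in params if k.startswith("openid.")}
    required = REQUIRED_SIGNED | ({"claimed_id", "identity"} & present)
    if not required <= set(signed):
        return False, "required field not signed"
    if not set(signed) <= present:
        return False, "signed field missing"
    nonce = (params["openid.op_endpoint"], params["openid.response_nonce"])
    if nonce in seen_nonces:  # timestamp freshness check omitted for brevity
        return False, "nonce replayed"
    mac_key = associations.get(params["openid.assoc_handle"])
    if mac_key is None:
        # Stateless RP: the assertion must be confirmed with the OP instead
        return False, "no association: check_authentication required"
    sig = params.get("openid.sig", "")
    if not hmac.compare_digest(sign(params, signed, mac_key).encode(), sig.encode()):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "verified"

def sample_assertion():
    # Constructed sample: placeholder URLs, handle and MAC key
    key = b"constructed-mac-key"
    p = {"openid.mode": "id_res", "openid.assoc_handle": "h1",
         "openid.op_endpoint": "https://op.example/server",
         "openid.return_to": "https://rp.example/return",
         "openid.response_nonce": "2009-01-21T10:57:00Zx1",
         "openid.claimed_id": "https://op.example/alice",
         "openid.identity": "https://op.example/alice"}
    p["openid.signed"] = "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"
    p["openid.sig"] = sign(p, p["openid.signed"].split(","), key)
    return p, {"h1": key}
```

When `verify_assertion` reports that no association is available, the relying party is expected to send the received fields back to the OP with `openid.mode` set to `check_authentication` and accept the login only on `is_valid:true`.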