Closed GoogleCodeExporter closed 8 years ago
I've looked at the code and ConsumerManager assumes that a failed association
response has a HttpStatus.SC_BAD_REQUEST as status, but I don't see this
requirement
in the specifications. According to me, a HttpStatus.SC_OK status is valid for
a
failed association response.
I think the test should be if the error_code parameter is present.
Another problem with failed association responses is that the AssociationError
class
lists session_type as a required field. According to the 2.0 specification,
this
field isn't required, but optional.
Original comment by j...@net-v.com
on 3 Jul 2009 at 2:27
Associations are defined as direct communication, direct error messages must
have status code 400 per Section 5.1.2.2. See
http://openid.net/specs/openid-authentication-2_0.html#direct_comm
The session_type has since been made optional in AssociationResponse.
Original comment by Johnny.B...@gmail.com
on 5 Oct 2011 at 5:51
Original issue reported on code.google.com by
j...@net-v.com
on 24 Jun 2009 at 12:24