9

I am developing the authentication part of my app and I've run into issues with coding authentication using OpenID.

I've looked at the Tipfy example code, but it seems written under the assumption that the OpenID provider is hard-coded to Google.

I would like the user to be able to provide any OpenID they desire (isn't that the point?).

Does anyone have any example code that shows a user logging in using a user-supplied OpenID?

systempuntoout
Noah McIlraith

2 Answers

6

Does Tipfy allow any OpenID authentication?

If you want to authenticate any OpenID URL with Tipfy, you can't do it out of the box.
One main reason is that Tipfy does not have any discovery mechanism to retrieve the OpenID endpoint from a given OpenID user URL.

What is Tipfy missing?

Tipfy does not allow point b. of the following workflow:
a. user submits foo.blogspot.com
b. the framework retrieves foo.blogspot.com, getting the OpenID endpoint from the HTML page:

<link rel="openid.server" href="http://www.blogger.com/openid-server.g" />

c. the framework redirects the user to the remote login page.

What does Tipfy really offer?

The Tipfy openid extension* simply offers the OpenIdMixin, which is just a base class useful for building OpenID support for a specific platform (Google, for example).
Indeed, GoogleMixin class extends OpenIdMixin:

class GoogleMixin(OpenIdMixin, OAuthMixin):
    """A :class:`tipfy.RequestHandler` mixin that implements Google OpenId /
    OAuth authentication.

and it has the Google OpenID endpoint hard-coded:

_OPENID_ENDPOINT = 'https://www.google.com/accounts/o8/ud'

The name OpenIdMixin is a little bit misleading next to other class names like GoogleMixin, FriendFeedMixin, FaceBookMixin, etc.; the docstring should state more clearly that the class should just be extended as a base class and not used directly.

What do you need to support any OpenID URL in your application using Tipfy?

You should use the same consumer userland library that Google App Engine has adopted to offer OpenID support; here is the source code and here is a live example.

Specifically, have a closer look at the openid.consumer.consumer.py file and at how the XRDS/OpenID discovery happens; I think that with some work, you should be able to integrate this part into Tipfy's OpenIdMixin.

* the OpenID code is ported from tornado.auth

systempuntoout
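
Step b. of the workflow in the answer above (HTML-based discovery), as an added Python example that is not part of the original answer or of Tipfy. The function and class names, the `openid2.provider` rel value (OpenID 2.0) and the sample page are assumptions; the code parses an already-fetched page and does not cover XRDS discovery.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# rel values naming the provider endpoint: OpenID 2.0 first, then 1.x.
ENDPOINT_RELS = ("openid2.provider", "openid.server")
# Constructed sample page, using the <link> element quoted in the answer.
SAMPLE_PAGE = ('<html><head><title>foo</title>'
               '<link rel="openid.server" href="http://www.blogger.com/openid-server.g" />'
               '</head><body>hello</body></html>')


class _HeadLinks(HTMLParser):
    """Collects <link rel href> pairs, but only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}  # rel token -> first href seen

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False
        elif tag == "link" and self.in_head:
            attrs = dict(attrs)
            for rel in (attrs.get("rel") or "").lower().split():
                if attrs.get("href"):
                    self.links.setdefault(rel, attrs["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_endpoint(claimed_url, html):
    """Return the endpoint advertised in `html`, the page fetched from claimed_url."""
    parser = _HeadLinks()
    parser.feed(html)
    for rel in ENDPOINT_RELS:
        href = parser.links.get(rel)
        if not href:
            continue
        endpoint = urljoin(claimed_url, href.strip())
        parts = urlsplit(endpoint)
        # The page is untrusted input: only ever redirect to an http(s) URL.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("unusable OpenID endpoint: %r" % endpoint)
        return endpoint
    raise ValueError("no OpenID endpoint advertised at %r" % claimed_url)
```

Fetching the user-supplied URL is left to the caller, which should restrict schemes and destinations, since that request is made by the server on the user's behalf.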
2

That code is just an example. You just need to allow the user to specify their OpenID provider's endpoint URL via a form, and get the value from the POST. It's just a string.

Daniel Roseman
  • I've tried this, but I think the endpoint (or whatever) needs to get resolved/discovered from it somehow. `https://www.google.com/accounts/o8/id` -> `https://www.google.com/accounts/o8/ud` – Noah McIlraith Jan 31 '11 at 15:32
  • That's a typo, I think. Should be `id`. – Daniel Roseman Jan 31 '11 at 15:37
  • No, it's not a typo, for Yahoo it would be `https://me.yahoo.com/` -> `https://open.login.yahooapis.com/openid/op/auth` – Noah McIlraith Jan 31 '11 at 15:52
  • Running the code as written works fine (`ud`), but 'fixing' it will cause it to no longer work. – Noah McIlraith Jan 31 '11 at 15:57
  • @Nick Johnson: Because it isn't a correct answer, this is the first thing I tried, it did not work. – Noah McIlraith Feb 01 '11 at 11:00
  • @Noah Then it would be helpful if you'd illustrate _why_ it doesn't work. App Engine in general supports any OpenID endpoint. – Nick Johnson Feb 01 '11 at 13:05
  • @Nick Johnson: The issue isn't with GAE's OpenID, but with Tipfy's. For example, using `http://me.yahoo.com/` results in the user being redirected to the URL contained in this pastebin: http://pastebin.com/Uar1yykN . Using different OpenID providers results in the same problem. – Noah McIlraith Feb 01 '11 at 15:13