intertwingly

It’s just data

Programming with Gotos


OK, I’ve now got an OpenID server on Rails, and seem to be over the hump understanding OpenID.

Inhibitors:

As I said before, constructing test cases helps me.  Here’s what I found:

Normal flow (stateless consumer):

A form is presented.  POSTing your identity URL to it causes the consumer to fetch that page, find the server, and return a redirect to that server, along with a “return_to” URI as a query parameter.  In the “steady state” case, that server simply returns a redirect back to the consumer, adding tokens, again as query parameters.  To close the loop, the consumer then directly contacts the server, and asks “did you provide these tokens?”

Normal flow (stateful consumer):

A form is presented.  POSTing your identity URL to it causes the consumer to fetch that page, find the server, and return a redirect to that server, along with a “return_to” URI as a query parameter.  In the “steady state” case, that server simply returns a redirect back to the consumer, adding tokens, again as query parameters.  As the consumer had previously established a shared secret, it can verify those tokens for itself.

A few variations make this even more interesting.  Once the browser has been redirected to the server, the server has access to its own cookies, and can present whatever forms it likes.  All it has to do is ensure that it propagates (or retains) the “return_to” URI across those pages.  The consumer also has an interface for requesting that no such forms be shown and that control return to it immediately, even if that means the request fails.
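The two flows above, as an added toy simulation in Ruby (not code from this post, the Rails server it describes, or the Janrain library): the server signs the tokens it adds to the “return_to” redirect, a stateful consumer verifies that HMAC with the shared secret it already holds, and a stateless consumer instead asks the server directly. The parameter names, the key:value signing format, the in-process association table and the assumption that “return_to” carries no query string of its own are all simplifications of my own.

```ruby
require 'openssl'
require 'uri'
# Server-side association table (constructed): handle -> shared secret. A
# stateful consumer obtains the secret up front; a stateless one never sees it.
ASSOCIATIONS = { 'assoc-1' => OpenSSL::Random.random_bytes(20) }

# Sign the token fields in a fixed order so both sides hash the same bytes.
def sign(secret, fields)
  OpenSSL::HMAC.hexdigest('sha1', secret, fields.sort.map { |k, v| "#{k}:#{v}\n" }.join)
end

# Constant-time comparison so a signature check does not leak timing information.
def secure_equal(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

def query_hash(url)
  URI.decode_www_form(URI(url).query.to_s).to_h
end

# Step 1 (consumer): redirect the browser to the server, carrying return_to.
def consumer_redirect(server_url, identity, return_to)
  server_url + '?' + URI.encode_www_form('identity' => identity, 'return_to' => return_to)
end

# Step 2 (server): after any login/consent forms of its own, redirect back to
# return_to with the tokens, signed under the association named by handle.
def server_redirect(request_url, handle)
  q = query_hash(request_url)
  fields = { 'identity' => q['identity'], 'return_to' => q['return_to'] }
  sig = sign(ASSOCIATIONS.fetch(handle), fields)
  q['return_to'] + '?' + URI.encode_www_form(fields.merge('assoc_handle' => handle, 'sig' => sig))
end

# Server's direct (back-channel) endpoint: "did you provide these tokens?"
def check_authentication(fields, handle, sig)
  secret = ASSOCIATIONS[handle]
  !secret.nil? && secure_equal(sign(secret, fields), sig)
end

# Step 3 (consumer): both modes first confirm the signed return_to is the one
# this consumer issued, then a stateful consumer checks the HMAC with its own
# copy of the secret while a stateless one asks the server directly.
def verify(response_url, expected_return_to, secret: nil)
  q = query_hash(response_url)
  fields = { 'identity' => q['identity'], 'return_to' => q['return_to'] }
  return false unless q['return_to'] == expected_return_to && q['sig']
  secret ? secure_equal(sign(secret, fields), q['sig']) : check_authentication(fields, q['assoc_handle'], q['sig'])
end
```

Tampering with the identity, swapping in an unknown association handle, or presenting the response at a different “return_to” all fail in both modes, which is the property the direct check and the shared secret exist to give the consumer.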

As I said, I am doing this as a learning exercise.  I suspect that others may learn from what I did.  Meanwhile, the folks at Janrain are busy building a library that others may want to actually deploy.