[Zope-PAS] Re: OpenID PAS Plugin

Tres Seaver tseaver at palladion.com
Wed Nov 23 16:23:23 EST 2005



Brian Ellin wrote:
> PAS Developers,
> 
> I'm working on an OpenID PAS Authentication plugin for Zope.  For
> those of you who are not familiar with OpenID, it is a decentralized
> URL-based identity system originally developed by livejournal.com. 
> For more info have a look at openid.net.
> 
> OpenID authentication is performed under the user's supervision.  A
> typical login session, from a user's perspective, looks something
> like this:
> 
> Scenario:  Trying to log in to example.com with server.com as my OpenID server
> 1) User visits example.com (running Zope) and enters her OpenID URL
> into the login form.
> 2) example.com must verify that the User is actually who they say they
> are, and does so by contacting the openid server for the URL.  This is
> done by sending an HTTP redirect through the user's browser to
> server.com with some info attached to the url.
> 3) Server.com asks the user if they trust example.com with their
> identity, and if so, then sends a redirect back to the example.com
> with some more info embedded in the URL for verification.
> 4) User is logged into example.com with their OpenID.
> 
> Leaving out all the details of OpenID, my plugin needs to at least be
> able to send a redirect to server.com (Step 2) before the
> authenticateCredentials step (Step 3).
> 
> Where, and through what mechanism, is the right place to put this
> processing and redirect?  At first glance, it looks like I should be
> sending the redirect (Step 2) after a custom extractCredentials, but
> I'm not sure exactly how to do this.  Does this sound correct?  I
> could use a nudge in the right direction here.
> 
> I've been using the GMailAuthPlugin as inspiration for my plugin.
> https://svn.plone.org/svn/collective/PASPlugins/GMailAuthPlugin/

Your plugin needs to implement IChallengePlugin, so that when
credentials are needed, it gets called;  at that point, it redirects.
The extractCredentials stuff will then need to pick off whatever values
are needed from the URL passed from server.com, and somehow arrange to
persist them (e.g., in the session) for future requests.


Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
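An added sketch of the split described in the reply above (not part of the original message and not PAS or plugin source): a `challenge` method that redirects to the OpenID server and an `extractCredentials` method that picks the returned values off the URL. The request and response classes are plain-Python stand-ins, and the `openid_url` form field, the `openid_pending` session key, the `discover` callable and the `nonce` return parameter are hypothetical; the `openid.*` names are OpenID 1.x protocol fields. Signature verification, and persisting the identity once it is verified, belong in `authenticateCredentials` and are left out.

```python
# Added sketch: plain-Python stand-ins, not real Zope/PAS objects.
import secrets
from urllib.parse import urlencode

class FakeResponse:
    """Stand-in for the Zope response; records the redirect target."""
    location = None
    def redirect(self, url, lock=0):
        self.location = url

class FakeRequest:
    """Stand-in for the Zope request: form values plus a session mapping."""
    def __init__(self, form, session):
        self.form, self.SESSION = form, session

class OpenIDSketchPlugin:
    def __init__(self, return_to, discover):
        self.return_to = return_to   # URL on this site the server sends the user back to
        self.discover = discover     # assumed callable: identity URL -> server endpoint

    def challenge(self, request, response):
        """Challenge role (step 2): send the browser to the OpenID server."""
        identity = request.form.get("openid_url")
        if not identity:
            return False             # nothing to do; let another challenger run
        nonce = secrets.token_urlsafe(16)
        request.SESSION["openid_pending"] = {"identity": identity, "nonce": nonce}
        query = urlencode({
            "openid.mode": "checkid_setup",
            "openid.identity": identity,
            "openid.return_to": self.return_to + "?" + urlencode({"nonce": nonce}),
        })
        response.redirect(self.discover(identity) + "?" + query, lock=1)
        return True

    def extractCredentials(self, request):
        """Extraction role (step 3): collect the values the server sent back."""
        form, pending = request.form, request.SESSION.get("openid_pending")
        if form.get("openid.mode") != "id_res" or not pending:
            return {}
        # Accept only a reply to the login that this session started.
        sent = str(form.get("nonce", "")).encode()
        if not secrets.compare_digest(sent, pending["nonce"].encode()):
            return {}
        if form.get("openid.identity") != pending["identity"]:
            return {}
        del request.SESSION["openid_pending"]   # single use: a replayed URL is ignored
        # Still unverified here: authenticateCredentials must check the signature.
        return {k: v for k, v in form.items() if k.startswith("openid.")}
```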


