I read through this post:

http://stackoverflow.com/questions/741345/how-do-i-implement-direct-identity-based-openid-authentication-with-zend-openid

Why does it look so complicated to implement?

IMO, it's just sending a request to a remote site and retrieving the response.

What's the problem those OpenID libraries are dealing with?

+3  A: 

Well, there's more than one request involved: you need to establish an association, send the user to the OP, and verify the response. But no, it's not hard to implement; it is sometimes hard to get the picture of what's going on.

So, to answer your questions:

  1. It looks hard to implement, because you need to understand the flow.

  2. If you call (1) a problem, then it's what libraries attempt to deal with by putting most of the implementation details together.

Michael Krelin - hacker
Why do you say there's more than one request involved? Isn't one enough?

No, what would be the one request?
Michael Krelin - hacker

Oops, I thought it was username and password, but no, it's to be authenticated on the OP. But still, one request is enough; specifying a return URL for the OP is enough, just like how PayPal checkout is implemented, right?

No, the PayPal return URL gives no guarantee unless you make further inquiries with PayPal afterwards. So you need to take measures to verify the assertion, make it non-replayable, etc.
Michael Krelin - hacker

Right, so in total 2 requests are necessary, right?

Lemme see. 1. submitting, 2. OpenID discovery - one or two requests, 3-4. establishing association with the OP, 1. reply with redirection to the OP, request to the OP, authentication there (if any), 4-5. redirection back to the RP with the assertion, possibly 6. -- verification of the assertion. Just a quickie, I might have missed something.
Michael Krelin - hacker

Yeah, I surely missed verification of whether the OP has the authority to assert the returned identifier if it's not the same as the claimed id.
Michael Krelin - hacker

Oh, is there anyone else who understood the jargon? Why are there more steps than PayPal checkout?

Well, I'm not quite familiar with the PayPal checkout flow, but I'd guess that due to the centralized nature of PayPal checkout half of these requests are done at signup time and half of the rest is still done if you want to make sure that landing on the return URL is legitimate.
Michael Krelin - hacker

Is there an image to illustrate how/where each step you mentioned happens?

Try googling for 'openid flow diagram'; it gives a lot of images. I haven't checked them, but I'm sure some are good.
Michael Krelin - hacker

This one is fairly complete: http://www.theserverside.com/news/1364125/Using-OpenID
keturn

It illustrates the flow well, but when it comes to *requests*, the canonicalization/discovery aren't shown as such. But, heck, one has to read the specs if he wants to know about all requests.
Michael Krelin - hacker
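As an added example (not code from this thread, Zend_OpenId or any other OpenID library), here is the RP-side part the answer calls "verify the response" and "make it non-replayable": checking a positive OpenID 2.0 assertion against a stored association with HMAC-SHA256 over the Key-Value form, plus return_to and nonce checks. The association handle, secret, endpoint URLs and the response itself are constructed placeholders; the discovery step raised in the comments (confirming the OP is authoritative for the claimed id) is assumed to be done separately.

```python
import base64
import hashlib
import hmac

# Constructed association as stored by the RP (hypothetical handle/secret).
ASSOC_HANDLE = "assoc-example-1"
ASSOC_SECRET = b"0123456789abcdef0123456789abcdef"
RETURN_TO = "https://rp.example/login/return"

def kv_form(signed, params):
    # Key-Value form of the signed fields: "key:value\n", in openid.signed order.
    return "".join(f"{k}:{params.get('openid.' + k, '')}\n" for k in signed).encode()

def compute_sig(secret, signed, params):
    # HMAC-SHA256 association type: base64(HMAC-SHA256(secret, kv_form)).
    mac = hmac.new(secret, kv_form(signed, params), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_assertion(params, seen_nonces, secret=ASSOC_SECRET):
    """Return (ok, reason); records the nonce on success to block replays."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    signed = params.get("openid.signed", "").split(",")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
    required |= {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not required <= set(signed):
        return False, "required field not covered by signature"
    if params.get("openid.return_to") != RETURN_TO:
        return False, "return_to mismatch"
    nonce = params.get("openid.response_nonce", "")
    if nonce in seen_nonces:
        return False, "replayed response_nonce"
    expected = compute_sig(secret, signed, params).encode()
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        return False, "bad signature"
    seen_nonces.add(nonce)  # remember only nonces whose signature verified
    return True, "ok"

def sample_response():
    # Constructed positive assertion, as the OP would redirect it to RETURN_TO.
    p = {"openid.mode": "id_res",
         "openid.op_endpoint": "https://op.example/endpoint",
         "openid.claimed_id": "https://alice.example/",
         "openid.identity": "https://alice.example/",
         "openid.return_to": RETURN_TO,
         "openid.response_nonce": "2024-01-01T00:00:00Zabc123",
         "openid.assoc_handle": ASSOC_HANDLE,
         "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    p["openid.sig"] = compute_sig(ASSOC_SECRET, p["openid.signed"].split(","), p)
    return p
```

A real RP would additionally bound the nonce timestamp and, when no association is cached, fall back to the OP's check_authentication request instead of verifying locally.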