<?xml version="1.0" encoding="iso-8859-1"?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"><head>

  <title>OpenID Modules for Initiation, Login and Redirection</title>

  <link href="styles.css" rel="stylesheet" type="text/css" /></head>

<body>

<h1>OpenID Modules for Initiation, Login and Redirection</h1>

<p>A number of modules are provided to support the

<a href="http://openid.net/">OpenID</a> identity standards, and these serve

the following purposes:</p>

<dl>

<dt><code>OpenIDInitiation</code></dt>

<dd>Requests and handles the identity of the user, redirecting them to their

OpenID (identity) provider.</dd>

<dt><code>OpenIDLogin</code></dt>

<dd>Provides basic OpenID provider functionality, allowing users to

authenticate themselves and to be redirected back to the application which

demanded their authentication.</dd>

<dt><code>OpenIDRedirect</code></dt>

<dd>Provides checking of user identity with redirection to the initiation page

for unauthenticated users.</dd>

</dl>

<p>A combination of the functionality in <code>OpenIDInitiation</code> and

<code>OpenIDRedirect</code> should be sufficient for applications to accept

visitors with OpenID identities. With all of the above modules in use, an

application could be self-sufficient in a similar way to that enjoyed through

the use of the normal <a href="login-redirect.html">LoginRedirect and Login

Modules</a>.</p>

<h2>How the Modules Work</h2>

<p>Similar in many ways to the functioning of the <a

href="login-redirect.html">LoginRedirect and Login Modules</a>, when a request

arrives in the application, the following things happen:</p>

<ol>

  <li>The <code>OpenIDRedirectResource</code> examines the transaction

and attempts to find out whether it identifies a user.</li>

  <li>Should sufficient information be present in the transaction, the

user is allowed to access the application and is identified in the

normal way (ie. the <code>get_user</code> method on the transaction

object).</li>

  <li>Otherwise, a redirect occurs to an initiation screen provided by an

<code>OpenIDInitiationResource</code> which requests the users's OpenID

identifier.</li>

  <li>The <code>OpenIDInitiationResource</code> object receives any identity

information and causes a redirect to the user's OpenID provider.</li>

  <li>Where the OpenID provider is hosted by the application infrastructure,

the user is actually redirected to a login screen provided by an

<code>OpenIDLoginResource</code> object which then presents a login form to be

completed by the user (similar to that provided by the

<code>LoginResource</code> class).</li>

  <li>The <code>OpenIDLoginResource</code> object then receives the

completed form information and verifies the identity of the user,

testing the supplied credentials against the credentials database

specified in the deployment of the resource.</li>

  <li>Upon successful authentication, the user is redirected back to

the application, guarded by <code>OpenIDRedirectResource</code> which

should let the user gain access.</li>

</ol>

<h2>Introducing OpenIDRedirectResource</h2>

<p>Like <code>LoginRedirectResource</code>, introducing

<code>OpenIDRedirectResource</code> into an application can be done in the

adapter code, as described in <a href="writing-adapters.html">"Writing

Adapters"</a>. The most significant difference between deploying normal

resources and <code>LoginRedirectResource</code> objects is the special way in

which such objects are initialised and that they themselves contain the actual

resources of the application which provide the real functionality.</p>

<p>Here is what the deployment of <code>OpenIDRedirectResource</code>

objects often looks like:</p>

<pre>

from WebStack.Resources.OpenIDRedirect import OpenIDRedirectResource, OpenIDRedirectAuthenticator

deploy(

    OpenIDRedirectResource(

        login_url="http://localhost:8080/login",

        app_url="http://localhost:8080",

        resource=[some resource object which provides the real application behaviour],

        authenticator=OpenIDRedirectAuthenticator(

            secret_key="horses",

            app_url="http://localhost:8080"

            ),

        anonymous_parameter_name="anonymous",

        logout_parameter_name="logout"

        )

    )

</pre>

<p>Here, the <code>OpenIDRedirectResource</code> uses the same terminology as

the <code>LoginRedirectResource</code> and employs a <code>login_url</code>,

but this actually refers to the URL where the initiation page will be

displayed. In a sense, it is a kind of login page, but where the actual

authentication will take place elsewhere.</p>

<div class="WebStack">

<h3>WebStack API - OpenIDRedirectResource Initialisation</h3>

<p>The following parameters must be provided when initialising a

<code>OpenIDRedirectResource</code> object:</p>

<dl>

  <dt><code>login_url</code></dt>

  <dd>This specifies the location of the initiation resource which requests

identity details from unidentified users.</dd>

  <dt><code>app_url</code></dt>

  <dd>This specifies the location of the application itself - it must

therefore be updated according to where the application is eventually

deployed. This should be the "bare" reference using a protocol, host and port,

not including any path information.</dd>

  <dt><code>resource</code></dt>

  <dd>This provides the resource object which contains the application

code, or at least the entry point into various parts of the application

code.</dd>

  <dt><code>authenticator</code></dt>

  <dd>This provides the authenticator object which decides whether a

user is recognised or not. The special <code>OpenIDRedirectAuthenticator</code>

is recommended and must itself be configured using a <code>secret_key</code>

parameter which is used to protect user-related information exchanged

over the network - the value provided for <code>secret_key</code> must

be unguessable and kept secret from unauthorised individuals. The

<code>app_url</code> used to initialise the authenticator must be the same as

the one provided to the <code>OpenIDRedirectResource</code>.</dd>

</dl>

<p>The following parameters are optional:</p>

<dl>

  <dt><code>anonymous_parameter_name</code></dt>

  <dd>An optional parameter providing the name of a request parameter

(see <a href="parameters.html">"Request Parameters and Uploads"</a>)

which, if specified, permits a user to access an application without

being formally identified. If omitted, all users will be required to

identify themselves explicitly.</dd>

  <dt><code>anonymous_username</code></dt>

  <dd>An optional parameter providing the name given to anonymous users

which is returned when a transaction's <code>get_user</code> method is

called. By default, <code>anonymous</code> is used for such users.</dd>

  <dt><code>logout_parameter_name</code></dt>

  <dd>An optional parameter providing the name of a request parameter

which, if specified, permits a user to log out of an application. If

omitted, no means of logging out will be available, although deleting

browser cookies will probably have the desired effect.</dd>

  <dt><code>logout_url</code></dt>

  <dd>An optional parameter which indicates the location of the

resource visited when a user logs out. By default, the location is a

path to the root resource in the server environment of the application.</dd>

  <dt><code>use_logout_redirect</code></dt>

  <dd>An optional parameter which determines whether users logging out

of an application will be redirected to the <code>logout_url</code> or

not. By default, users are redirected, but if a false value is given

for this parameter, a simple page is presented to the user informing

them of the situation - it is recommended that a subclass of <code>LoginRedirectResource</code>

be employed should more informative pages be required.</dd><dt><code>path_encoding</code></dt><dd>An

optional parameter indicating the character encoding used to generate

(and, in other places, to interpret) URL-encoded character values in

URLs and paths.</dd>

</dl>

<p>See the <a href="../apidocs/public/WebStack.Resources.LoginRedirect.LoginRedirectResource-class.html">API documentation</a> for the <code>LoginRedirectResource</code> class for more details.</p>

</div>

<h3>Further Notes</h3>

<p>See <a href="login-redirect.html">LoginRedirect and Login Modules</a> for

notes on redirection, application-wide authenticators, anonymous users and

logout functionality.</p>

<h2>Extending OpenIDRedirectResource</h2>

<p>See <a href="login-redirect.html">LoginRedirect and Login Modules</a> for

pertinent guidance on extending <code>LoginRedirectResource</code>, since such

guidance also applies to <code>OpenIDRedirectResource</code>.</p>

<h2>Deploying an OpenIDLogin Application</h2>

<p>In order to provide OpenID login support for a self-sufficient application,

a login application (or resource) must be available to authenticate unidentified

users. It may already be the case that such an application has been deployed

and is available at a certain URL - if so, it should be sufficient for a

<code>OpenIDRedirectResource</code> object to be configured as described above,

making sure that the <code>login_url</code> actually refers to the location of

the existing login application.</p>

<p>However, if no existing login application (or resource) exists, one may be

deployed using adapter code similar to the following:</p>

<pre>

from WebStack.Adapters.BaseHTTPRequestHandler import deploy

from WebStack.Resources.OpenIDLogin import OpenIDLoginResource, Authenticator

deploy(

    OpenIDLoginResource(                # This is the login application's main resource.

        app_url="http://localhost:8081" # This is the "bare server" URL.

        Authenticator(                  # This provides authentication support.

            credentials=(

                (("http://someserver/badger", "badger"), "abc"),

                (("http://someserver/vole", "vole"), "xyz"),

            )

        )

    ),

    address=("", 8081)

)

</pre>

<p>The above code merely starts a login application in the

BaseHTTPRequestHandler environment at a specific address (which corresponds to

that specified in the <code>login_url</code> of the

<code>OpenIDRedirectResource</code> used above) and provides an OpenID

<code>Authenticator</code> object configured to recognise a number of

different users. The user credentials define OpenID identities and

corresponding usernames for this login application, together with

passwords.</p>

<div class="WebStack">

<h3>WebStack API - OpenIDLogin.Authenticator Credentials</h3>

<p>When initialising an <code>Authenticator</code> object with credentials,

the supplied credentials object must support tests on its contents of the

following form:</p>

<pre>((openid_identity, username), password) in credentials</pre>

<p>In other words, the credentials object must either be a sequence of tuples

each containing a (openid_identity, username) tuple as its first element and a

password as its second element, or it must implement the

<code>__contains__</code> method and accept such tuples as arguments to that

method.</p> </div>

</body>

</html>