OpenID Libraries should be stateless
Josh Hoyt
josh at janrain.com
Mon Feb 4 14:43:25 PST 2008
2008/2/4 Ryan Ernst <ryan at citewire.com>:
> This weekend I started implementing OpenID on my site using the
> python-openid library. In doing so I found that the library requires
> session state to be kept from consumer.begin() to consumer.complete(). Why
> does the library need this session information? And if the library does
> really need the information, it should be able to save it as a stateless
> string (not a python object which is bound to the server it was created on),
> which can be encrypted (does it need to be?) and appended as get parameters
> to the return_to uri.
>
> Is there any work being done for this? Would it be trivial or non-trivial?
It's possible to use the library in a completely stateless
configuration, but the user experience is worse: the discovery phase
has to happen twice instead of once, and there is an extra HTTP
request that is necessary to validate the response with the OpenID
provider, making authentication much slower.
You can get around the double-discovery in many cases by adding a
signed encoding of the discovered information to the return_to URL in
the request. Previous versions of these libraries included this trick,
but it's rare these days for a dynamic application not to have a
session. You can implement it fairly simply, but we didn't want to
deal with maintaining two ways to do it when one serves most people.
If you look in the consumer module, you can see that there is a
high-level interface that takes care of the session-related stuff.
Just create another implementation of it that manages the discovered
data in another way.
If you don't mind the degradation of user experience, you can just
pass None as the store to the constructor of the Consumer object, and
everything will work (pokily).
Hope that helps,
j3h