Login/Register
Authentication using any OpenID with Tipfy
Asked Answered
Solved pythongoogle-app-engineopenidtipfy
H

2

9

I am developing the authentication part of my app and I've run into issues with coding authentication using OpenID.

I've looked at the Tipfy example code, but it seems written under the assumption that the OpenID provider is hard-coded to google.

I would like the user to be able to provide any OpenID they desire (isn't that the point?).

Does anyone have any example code that shows a user logging in using a user-supplied OpenID?

Hershel answered 31/1, 2011 at 13:43 Comment(2)
What example code are you looking at?Bogtrotter
@Gareth: tipfy.org/wiki/extensions/auth/openidHershel
P
6

Does Tipfy allow any OpenID authentication?

If you want to authenticate any OpenID Url with Tipfy, you can't do it out of the box.
One main reason is because Tipfy does not have any discovery mechanism to retrieve the OpenID Endpoint from a given OpenID user url.

What Tipfy is missing?

Tipfy does not allow the point b. of the following workflow :
a. user submits foo.blogspot.com
b. the framework retrieves foo.blogspot.com getting the OpenId endpoint from the html page:

<link rel="openid.server" href="http://www.blogger.com/openid-server.g" />

c. the framework redirects the user to the remote login page.

What Tipfy really offers?

The Tipfy openid extension* simply offers the OpenIdMixin that is just a base class useful for building OpenID support to a specific platform (Google for example).
Indeed, GoogleMixin class extends OpenIdMixin:

class GoogleMixin(OpenIdMixin, OAuthMixin):
    """A :class:`tipfy.RequestHandler` mixin that implements Google OpenId /
    OAuth authentication.

and it has the Google OpenID endpoint hard-corded:

_OPENID_ENDPOINT = 'https://www.google.com/accounts/o8/ud'

The name OpenIdMixin is a little bit misleading near other classes names like GoogleMixin, FriendFeedMixin, FaceBookMixin etc. etc; the docstring should be more clear to specify that the class should just be extended as a base class and not used directly.

What do you need to support any OpenID url in your application using Tipfy?

You should use the same consumer userland library that Google App Engine has adopted to offer OpenID support; here the source code and here a live example.

In the specific, have a closer look to openid.consumer.consumer.py file and how the XRDS/OpenID discovery happens; I think that with some work, you should be able to integrate this part into Tipfy OpenIdMixin.

* the OpenID code is ported from tornado.auth

Plumber answered 31/1, 2011 at 14:10 Comment(0)
H
2

That code is just an example. You just need to allow the user to specify their OpenID provider's endpoint URL via a form, and get the value from the POST. It's just a string.

Helyn answered 31/1, 2011 at 14:28 Comment(7)
I've tried this, but I think the endpoint (or whatever) needs to get resolved/discovered from it somehow. https://www.google.com/accounts/o8/id -> https://www.google.com/accounts/o8/udHershel
That's a typo, I think. Should be id.Helyn
No, it's not a typo, for Yahoo it would be https://me.yahoo.com/ -> https://open.login.yahooapis.com/openid/op/authHershel
Running the code as written works fine (ud), but 'fixing' it will cause it to no longer work.Hershel
@Nick Jonson: Because it isn't a correct answer, this is the first thing I tried, it did not work.Hershel
@Noah Then it would be helpful if you'd illustrate why it doesn't work. App Engine in general supports any OpenID endpoint.Zantos
@Nick Johnson: The issue isn't with GAE's OpenID, but with Tipfy's. For example, using http://me.yahoo.com/ results in the user being redirect to the URL contained in this pastebin: pastebin.com/Uar1yykN . Using different OpenID providers results in the same problem.Hershel

© 2022 - 2024 — McMap. All rights reserved.