[AWS] Possible OpenID API for AWS?

Jacob Sparre Andersen sparre at nbi.dk
Wed Aug 8 09:06:24 CEST 2012


Pascal Obry wrote:

> Can you explain more how OpenID works? This is not clear 
> to me, so I can't comment further.

OpenID is a distributed/centralised (depending on your point 
of view) authentication protocol.

There are three parties to an OpenID authentication:

  1) The user wanting to be authenticated.
  2) A web service wanting to authenticate a user.
  3) An OpenID provider.

  + The user initiates an authentication transaction by
    giving the web service a URL to the OpenID provider.

Assuming that the generic package is instantiated as OpenID 
and that the URL identifying the OpenID provider is stored 
in the string OpenID_Provider_URL, this means visiting the 
URL "https://" & Host_Name & OpenID.Log_In.URI & "?" & 
OpenID.Provider_Parameter_Name & "=" & OpenID_Provider_URL.

  + Using this information the web service talks to the
    OpenID provider, and then redirects the user to a log-in
    page hosted by the OpenID provider.

The function OpenID.Log_In.Service takes care of extracting 
the OpenID_Provider_URL from a request, looking up the 
details of authenticating with that OpenID provider, and 
finally returns a redirection.

  + On the log-in page hosted by the OpenID provider the user
    is authenticated (typically using a user-name and a
    password) and then redirected back to the web service
    (with a signed authentication token included in the
    request).

  + Finally the web service checks that the signed
    authentication token matches what it previously has
    received from the OpenID provider.

The function OpenID.Validate.Service takes care of this. 
If the user is authenticated, a cookie with the name 
Token_Cookie_Name is set before the user is redirected to 
Logged_In_URI.

The functions OpenID.Is_Authenticated and 
OpenID.Authenticated_As allow the web service to look up 
authentication cookies to see if they are valid and which 
OpenID identity they belong to.

>> Does this package specification make sense?
>
> I think it needs far more comment to understand how it is 
> supposed to work and to be used. Then I'll be able to 
> comment.

I will write some proper documentation for the package 
before submitting it.

>
>> -------------------------------------------------------------------------------
>>
>> generic
>>    Host_Name         : String;
>>    Logged_In_URI     : String := "/logged_in";
>
> ok...
>
>>    Token_Lifetime    : Duration := 3600.0;
>> package AWS.OpenID.Manual_Dispatching is
>>    Provider_Parameter_Name : constant String := "openid";
>>    Token_Cookie_Name       : constant String := "token";
>>
>>    package Log_In is
>>       URI : constant String := "/login";
>
> But what URI here, isn't this supposed to be Logged_In_URI?

No.  Logged_In_URI is the one you are redirected to once the 
authentication process is finished.  Log_In.URI is the one 
you go to to initiate the authentication process.

>> I've also considered building an "Automatic_Dispatching" version using
>> package AWS.Services.Dispatchers.URI:

>> package AWS.OpenID.Automatic_Dispatching is

> This package should probably be moved here: AWS.Services.Dispatches.OpenID.

That sounds sensible.

Jacob
-- 
"I wondered why the baseball kept getting bigger. Then it hit me."
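The four-step exchange described in the message above (user hands the web service a provider URL, web service associates with the provider and redirects, provider authenticates the user and sends back a signed assertion, web service checks the signature and sets a cookie valid for Token_Lifetime), followed by the Is_Authenticated / Authenticated_As look-ups, modelled as a Python simulation with both sides in one process. This is an added example, not code from the original message or from the AWS.OpenID package: the host name, provider URL, the HMAC-SHA1 "association" secret, and the openid.* field names are assumptions chosen to mirror OpenID 2.0 rather than the AWS API. It also covers the checks a relying party needs that the message leaves implicit: an assertion with an unknown association handle, a tampered or forged signature, a cancelled log-in, a replayed assertion, and an expired token are all rejected.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Fields that must be covered by the signature, otherwise an attacker could
# move them outside the signed part of the assertion.
REQUIRED_SIGNED = {"mode", "claimed_id", "return_to", "assoc_handle", "response_nonce"}


def kv_form(fields, signed):
    """Serialise the signed fields in OpenID's key:value newline form."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed)


class OpenIDProvider:
    """Toy OpenID provider (constructed): issues association secrets, signs assertions."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.associations = {}  # assoc_handle -> shared HMAC secret

    def associate(self):
        # Step 2, server-to-server part: agree a shared secret with the web service.
        handle, secret = secrets.token_hex(8), secrets.token_bytes(20)
        self.associations[handle] = secret
        return handle, secret

    def login(self, handle, claimed_id, return_to, password_ok):
        # Step 3: the user authenticates here; on success the provider redirects
        # back to return_to carrying a positive assertion signed with the secret.
        if not password_ok:
            return {"openid.mode": "cancel"}
        fields = {
            "mode": "id_res",
            "claimed_id": claimed_id,
            "return_to": return_to,
            "assoc_handle": handle,
            "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
        }
        signed = sorted(fields)
        mac = hmac.new(self.associations[handle], kv_form(fields, signed).encode(), hashlib.sha1)
        response = {"openid." + k: v for k, v in fields.items()}
        response["openid.signed"] = ",".join(signed)
        response["openid.sig"] = mac.hexdigest()
        return response


class WebService:
    """Toy relying party playing the role of the AWS.OpenID generic (hypothetical)."""

    def __init__(self, host_name, token_lifetime=3600.0):
        self.host_name = host_name
        self.token_lifetime = token_lifetime  # seconds, like Token_Lifetime
        self.associations = {}  # assoc_handle -> secret learned from the provider
        self.seen_nonces = set()
        self.sessions = {}  # cookie token -> (identity, expiry timestamp)
        self.return_to = f"https://{host_name}/validate"

    def log_in(self, provider, provider_url):
        # Steps 1-2: user supplied provider_url; associate, then redirect the user.
        handle, secret = provider.associate()
        self.associations[handle] = secret
        params = {"openid.mode": "checkid_setup", "openid.assoc_handle": handle,
                  "openid.claimed_id": provider_url, "openid.return_to": self.return_to}
        return f"{provider.endpoint}?{urlencode(params)}"

    def validate(self, response, now):
        # Step 4: verify the assertion against the association we established earlier;
        # on success issue a cookie token that expires after token_lifetime.
        if response.get("openid.mode") != "id_res":
            return None  # user cancelled, or not a positive assertion
        secret = self.associations.get(response.get("openid.assoc_handle"))
        if secret is None:
            return None  # we never associated under this handle
        signed = response.get("openid.signed", "").split(",")
        if not REQUIRED_SIGNED <= set(signed):
            return None  # a security-relevant field was left unsigned
        try:
            fields = {k: response["openid." + k] for k in signed}
        except KeyError:
            return None  # signed list names a field that is missing
        expected = hmac.new(secret, kv_form(fields, signed).encode(), hashlib.sha1).hexdigest()
        if not hmac.compare_digest(expected, response.get("openid.sig", "")):
            return None  # forged or tampered assertion
        if fields["return_to"] != self.return_to:
            return None  # minted for a different relying party
        if fields["response_nonce"] in self.seen_nonces:
            return None  # replay of an assertion we already accepted
        self.seen_nonces.add(fields["response_nonce"])
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (fields["claimed_id"], now + self.token_lifetime)
        return token

    def authenticated_as(self, token, now):
        entry = self.sessions.get(token)
        return None if entry is None or now >= entry[1] else entry[0]

    def is_authenticated(self, token, now):
        return self.authenticated_as(token, now) is not None


def run_flow(password_ok=True, tamper=False, now=1_000_000.0):
    """Drive one complete exchange; returns (service, provider response, cookie token)."""
    provider = OpenIDProvider("https://provider.example/openid")  # constructed
    service = WebService("service.example", token_lifetime=3600.0)  # constructed
    redirect_url = service.log_in(provider, "https://provider.example/alice")
    q = parse_qs(urlparse(redirect_url).query)  # what the provider sees on arrival
    response = provider.login(q["openid.assoc_handle"][0], q["openid.claimed_id"][0],
                              q["openid.return_to"][0], password_ok)
    if tamper:
        response["openid.claimed_id"] = "https://provider.example/mallory"
    return service, response, service.validate(response, now)
```

Note that the web service trusts only what it can verify against the secret it obtained in its own association step, which is exactly the "matches what it previously has received from the OpenID provider" check from the message; the nonce and return_to checks stop an accepted assertion from being presented twice or being redirected to another site.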