[AWS] Possible OpenID API for AWS?
Jacob Sparre Andersen
sparre at nbi.dk
Wed Aug 8 09:06:24 CEST 2012
Pascal Obry wrote:
> Can you explain more how OpenID works? This is not clear
> to me, so I can't comment further.
OpenID is a distributed/centralised (depending on your point
of view) authentication protocol.
There are three parties to an OpenID authentication:
1) The user wanting to be authenticated.
2) A web service wanting to authenticate a user.
3) An OpenID provider.
+ The user initiates an authentication transaction by
giving the web service a URL to the OpenID provider.
Assuming that the generic package is instantiated as OpenID
and that the URL identifying the OpenID provider is stored
in the string OpenID_Provider_URL, this means visiting the
URL "https://" & Host_Name & OpenID.Log_In.URI & "?" &
OpenID.Provider_Parameter_Name & "=" & OpenID_Provider_URL.
+ Using this information the web service talks to the
OpenID provider, and then redirects the user to a log-in
page hosted by the OpenID provider.
The function OpenID.Log_In.Service takes care of extracting
the OpenID_Provider_URL from a request, looking up the
details of authenticating with that OpenID provider, and
finally returns a redirection.
+ On the log-in page hosted by the OpenID provider the user
is authenticated (typically using a user-name and a
password) and then redirected back to the web service
(with a signed authentication token included in the
request).
+ Finally the web service checks that the signed
authentication token matches what it previously has
received from the OpenID provider.
The function OpenID.Validate.Service takes care of this.
If the user is authenticated, a cookie with the name
Token_Cookie_Name is set before the user is redirected to
Logged_In_URI.
The functions OpenID.Is_Authenticated and
OpenID.Authenticated_As allow the web service to look up
authentication cookies to see if they are valid and which
OpenID identity they belong to.
>> Does this package specification make sense?
>
> I think it needs far more comment to understand how it is
> supposed to work and to be used. Then I'll be able to
> comment.
I will write some proper documentation for the package
before submitting it.
>
>> -------------------------------------------------------------------------------
>>
>> generic
>> Host_Name : String;
>> Logged_In_URI : String := "/logged_in";
>
> ok...
>
>> Token_Lifetime : Duration := 3600.0;
>> package AWS.OpenID.Manual_Dispatching is
>> Provider_Parameter_Name : constant String := "openid";
>> Token_Cookie_Name : constant String := "token";
>>
>> package Log_In is
>> URI : constant String := "/login";
>
> But what URI here, isn't this supposed to be Logged_In_URI?
No. Logged_In_URI is the one you are redirected to once the
authentication process is finished. Log_In.URI is the one
you go to to initiate the authentication process.
>> I've also considered building an "Automatic_Dispatching" version using
>> package AWS.Services.Dispatchers.URI:
>> package AWS.OpenID.Automatic_Dispatching is
> This package should probably be moved here: AWS.Services.Dispatches.OpenID.
That sounds sensible.
Jacob
--
"I wondered why the baseball kept getting bigger. Then it hit me."
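The four-step exchange described in this message, simulated end to end as an added example. This is Python written for this page, not the AWS.OpenID package or any code from the thread; it assumes an HMAC-SHA256 association, a hypothetical "/validate" path for the return_to URL, in-memory association and token stores, and skips discovery (the provider object is handed in directly). The relying party's Log_In.Service, Validate.Service and Is_Authenticated/Authenticated_As roles appear as the methods log_in, validate and authenticated_as; the checks in validate (return_to, association handle, required signed fields, HMAC in constant time, nonce replay) are the ones the description's "checks that the signed authentication token matches" has to cover in practice.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

NS = "http://specs.openid.net/auth/2.0"
# Fields a relying party must require to be covered by the signature (OpenID 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def query_of(url):
    """Parse the query string of a URL into a plain dict."""
    return dict(parse_qsl(urlsplit(url).query))

def signature(mac_key, fields):
    """HMAC-SHA256 over the Key-Value Form of the fields named in openid.signed: one
    "key:value\\n" line per field, without the "openid." prefix (OpenID 2.0, section 6)."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

class Provider:
    """Party 3, the OpenID provider: a constructed stand-in with an in-memory association store."""
    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.associations = {}

    def associate(self):
        """Hand out an association (handle plus shared MAC key); the real protocol wraps the key
        with Diffie-Hellman or sends it over TLS, here it is simply returned."""
        handle = secrets.token_urlsafe(12)
        self.associations[handle] = secrets.token_bytes(32)
        return handle, self.associations[handle]

    def checkid_setup(self, redirect_url, identity, password_ok):
        """The OP's log-in page: redirect back to return_to with a signed assertion, or a cancel."""
        q = query_of(redirect_url)
        if q.get("openid.mode") != "checkid_setup" or not password_ok:
            return q["openid.return_to"] + "?" + urlencode({"openid.ns": NS, "openid.mode": "cancel"})
        fields = {
            "openid.ns": NS,
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": identity,
            "openid.identity": identity,
            "openid.return_to": q["openid.return_to"],
            "openid.assoc_handle": q["openid.assoc_handle"],
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6),
            "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        }
        fields["openid.sig"] = signature(self.associations[q["openid.assoc_handle"]], fields)
        return q["openid.return_to"] + "?" + urlencode(fields)

class RelyingParty:
    """Party 2, the web service. Host_Name and Token_Lifetime mirror the generic formals in the post."""
    def __init__(self, host_name, provider, token_lifetime=3600.0):
        self.return_to = f"https://{host_name}/validate"  # assumed path of the validation endpoint
        self.provider = provider
        self.token_lifetime = token_lifetime
        self.assoc_handle, self.mac_key = provider.associate()  # "the web service talks to the OpenID provider"
        self.seen_nonces = set()
        self.tokens = {}  # cookie value -> (identity, expiry)

    def log_in(self, request_url):
        """Log_In.Service: read the "openid" parameter and answer with the redirect to the OP's log-in page
        (discovery, which would resolve that URL to an OP endpoint, is skipped: the provider is given)."""
        provider_url = query_of(request_url)["openid"]
        return self.provider.endpoint + "?" + urlencode({
            "openid.ns": NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": provider_url, "openid.identity": provider_url,
            "openid.return_to": self.return_to, "openid.assoc_handle": self.assoc_handle,
        })

    def validate(self, returned_url):
        """Validate.Service: check the assertion; on success return the value for the "token" cookie."""
        q = query_of(returned_url)
        try:
            if q.get("openid.mode") != "id_res":
                return None  # cancelled or refused
            if q["openid.return_to"] != self.return_to:
                return None  # assertion addressed to some other URL
            if q["openid.assoc_handle"] != self.assoc_handle:
                return None  # not signed with our MAC key
            if not REQUIRED_SIGNED <= set(q["openid.signed"].split(",")):
                return None  # the sender chose which fields are signed
            if not hmac.compare_digest(signature(self.mac_key, q), q["openid.sig"]):
                return None  # forged or tampered
            if q["openid.response_nonce"] in self.seen_nonces:
                return None  # replay of a captured response
        except KeyError:
            return None
        self.seen_nonces.add(q["openid.response_nonce"])
        token = secrets.token_urlsafe(32)  # random session token, unrelated to the identity
        self.tokens[token] = (q["openid.claimed_id"], time.time() + self.token_lifetime)
        return token

    def authenticated_as(self, token):
        """Is_Authenticated / Authenticated_As: map a cookie back to an identity within Token_Lifetime."""
        identity, expiry = self.tokens.get(token, (None, 0))
        return identity if time.time() < expiry else None
```

The session token returned by validate is what would be set as the Token_Cookie_Name cookie before the redirect to Logged_In_URI; it is a fresh random value, so the cookie never carries the OpenID identity or anything derived from it, and expiry is enforced on lookup rather than trusted from the client.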