Subject: Need to be able to set trust_root (and hence openid.realm)

Some OpenID providers (e.g. Google) create a new identifier for each site
that you attempt to log into. This is done by hashing the openid.realm
parameter in the request. See
http://code.google.com/apis/accounts/docs/OpenID.html#Parameters for
details.

Currently the 'trust_root' argument to Net::OpenID::* is created using
the current URL path. This means that users logging in via Google get the
path to the login page hashed into their identity, and so the URL to the
login page can never change.

The attached diff adds a 'trust_root_path' parameter to the config so
that the user can specify '/' and make any path on the server acceptable
for a login page. If the argument is not given then the current
behaviour is used. It is not possible to default to '/' as it would
break existing installations.

More details here:
http://groups.google.com/group/google-federated-login-api/web/the-most-important-technical-issue-in-using-the-google-accounts-api?pli=1

Subject: openid.diff

diff --git a/lib/Catalyst/Authentication/Credential/OpenID.pm b/lib/Catalyst/Authentication/Credential/OpenID.pm
index de9a9f3..9f28482 100644
--- a/lib/Catalyst/Authentication/Credential/OpenID.pm
+++ b/lib/Catalyst/Authentication/Credential/OpenID.pm
@@ -80,6 +80,11 @@ sub authenticate : method {
{
my $current = $c->uri_for($c->req->uri->path); # clear query/fragment...
+ my $trust_root =
+ $self->_config->{trust_root_path}
+ ? $c->uri_for( $self->_config->{trust_root_path})
+ : $current;
+
my $identity = $csr->claimed_identity($claimed_uri);
unless ( $identity )
{
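Review bot: The `trust_root_path` value goes straight into `$c->uri_for(...)` in the new `my $trust_root =` assignment with no check on its form. `uri_for` resolves a string without a leading '/' relative to the current namespace, so a value such as 'login' would still produce a realm that depends on which controller handles the request, which is the behaviour this option is meant to remove. Suggest requiring a leading '/' (reject anything else when the config is read) and documenting the new key in the POD, including that leaving it unset keeps the current-URL realm.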
@@ -99,7 +104,7 @@ sub authenticate : method {
my $check_url = $identity->check_url(
return_to => $current . '?openid-check=1',
- trust_root => $current,
+ trust_root => $trust_root,
delayed_return => 1,
);
$c->res->redirect($check_url);
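Review bot: In the `check_url` call, `return_to` is still built from `$current` while `trust_root` can now be a different URL, and nothing checks that `$current` lies under `$trust_root`. With `trust_root_path` set to a path that is not a prefix of the login path, the request declares a realm that does not cover its own return_to. Suggest comparing the two before `$c->res->redirect($check_url)` and failing with a clear configuration error instead of redirecting.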
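The effect the report describes, as an added example that is not part of the original ticket or of Catalyst::Authentication::Credential::OpenID: a per-realm identifier changes when the login page moves unless the realm is pinned to '/', and the return_to URL still falls inside that root realm. The HMAC derivation, secret, account name and host names are constructed assumptions standing in for the provider's own scheme; the realm check follows the non-wildcard case of OpenID 2.0 realm matching.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed stand-in for a provider that issues one identifier per realm.
# The provider's real derivation is not shown here; only "depends on realm" matters.
my $OP_SECRET = 'constructed-demo-secret';
sub pairwise_id {
    my ($account, $realm) = @_;
    return 'https://op.example/id?id=' . hmac_sha256_hex("$account\n$realm", $OP_SECRET);
}

# Same selection as the patch: configured trust_root_path, else the current URL.
sub trust_root {
    my ($base, $current_path, $trust_root_path) = @_;
    return $base . ($trust_root_path ? $trust_root_path : $current_path);
}

# Split an http(s) URL into scheme, host, port and path (query and fragment dropped).
sub split_url {
    my ($url) = @_;
    my ($scheme, $host, $port, $path) =
        $url =~ m{^(https?)://([^/:?#]+)(?::(\d+))?([^?#]*)}i or return;
    $port ||= lc($scheme) eq 'https' ? 443 : 80;
    return (lc($scheme), lc($host), $port, $path eq '' ? '/' : $path);
}

# OpenID 2.0 realm check, non-wildcard case: same scheme, host and port, and the
# return_to path is the realm path or lies beneath it on a segment boundary.
sub return_to_in_realm {
    my ($return_to, $realm) = @_;
    my @u = split_url($return_to) or return 0;
    my @r = split_url($realm)     or return 0;
    return 0 unless $u[0] eq $r[0] && $u[1] eq $r[1] && $u[2] == $r[2];
    my ($up, $rp) = ($u[3], $r[3]);
    return 1 if $up eq $rp;
    $rp .= '/' unless $rp =~ m{/$};
    return index($up, $rp) == 0 ? 1 : 0;
}

my $base = 'https://app.example';    # constructed site; login page moves /login -> /auth/login
for my $cfg (undef, '/') {           # unpatched behaviour, then trust_root_path => '/'
    my @ids = map { pairwise_id('alice', trust_root($base, $_, $cfg)) } '/login', '/auth/login';
    my $ok  = return_to_in_realm("$base/auth/login?openid-check=1",
                                 trust_root($base, '/auth/login', $cfg));
    printf "trust_root_path=%-5s same identifier after move: %-3s return_to in realm: %s\n",
        defined $cfg ? $cfg : 'unset', $ids[0] eq $ids[1] ? 'yes' : 'no', $ok ? 'yes' : 'no';
}
```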