I'm working on an OpenID PAS Authentication plugin for zope. For
those of you who are not familiar with OpenID, it is a decentralized
URL-based identity system originally developed by livejournal.com.
For more info have a look at openid.net.
OpenID authentication is performed under the user's supervision. A
typical login session, and from a user's perspective looks something
Scenario: Trying to log in to example.com with server.com as my openid server
1) User visits example.com(running Zope) and enters her OpenID URL
into the login form.
2) example.com must verify that the User is actually who they say they
are, and does so by contacting the openid server for the URL. This is
done by sending an HTTP redirect through the user's browser to
server.com with some info attached to the url.
3) Server.com asks the user if they trust example.com with their
identity, and if so, then sends a redirect back to the example.com
with some more info emebeded in the URL for verification.
4) User is loggen into example.com with their OpenID.
Leaving out all the details of OpenID, my plugin needs to at least be
able to send a redirect to server.com (Step 2) before the
authenticateCredentials step(Step 3).
Where, and through what mechanism is the right place to put this
processing and redirect? At first glance, it looks like I should be
sending the redirect(Step 2) after a custom extractCredentials, but
i'm not sure exactlty how to do this. Does this sound correct? I
could use a nudge in the right direction here.
I've been using the GMailAuthPlugin as inspiration for my plugin.
Zope-PAS mailing list