Tuesday, July 15, 2008

Let the rest discover your OpenID relying party

Let me first explain what OpenID Relying Party [RP] discovery is and what it is for.

This is a new feature introduced in OpenID Authentication 2.0.

With RP discovery, you let software agents and OpenID Providers discover your site as an OpenID relying party.

OpenID providers use this feature to automatically verify that a return_to URL in an OpenID request is an OpenID relying party endpoint for the specified realm.

Have you ever seen this warning from Yahoo! when trying to use a Yahoo OpenID?

"Warning: This website does not meet Yahoo!'s requirements for website address. Do not share any personal information with this website unless you are certain that it is legitimate. "

This happens because the relying party web site fails to meet the OpenID RP discovery requirements: Yahoo! cannot confirm that the return_to URL in the request belongs to a legitimate RP endpoint, so it warns the user instead of silently trusting it.

As per the spec, the RP publishes an XRDS document containing a return_to service element in the following format, at a URL where the OpenID Provider can discover it.

<Service xmlns="xri://$xrd*($v*2.0)">
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>https://is.test.wso2.org/javarp/openidloggedin.jsp</URI>
</Service>
The Yahoo OpenID Provider tries to find this XRDS document at the return_to URL [the return_to URL is included in the OpenID authentication request itself]. Per the spec, the OP performs this discovery on the realm URL, which is why the realm is set to the same URL as the return_to endpoint below.

So, make sure you have the RP discovery information available at your return_to URL.
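To make the provider side concrete, here is an added Python example (it is not code from the original post or from the WSO2 RP components) of the check an OpenID Provider such as Yahoo! performs once it has fetched the document: parse the XRDS, collect the return_to service URIs, and accept the request only if its return_to URL matches one of them. The XRDS text is constructed inline to match the document the post serves, and the request URL carries the extra query parameter the post's setup uses. The matching rules (same scheme, host and port; path equal to or beneath the published path; query string not compared; fragments rejected) are a simplified model of the spec's realm matching and are an assumption of this example.

```python
"""
Provider-side OpenID 2.0 RP discovery check (added example; not from the
original post or the WSO2 RP components).

An OP fetches the relying party's XRDS document, collects every
http://specs.openid.net/auth/2.0/return_to service URI, and accepts an
authentication request only if its return_to URL matches one of them.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# Constructed sample: the XRDS document that the post's openidloggedin.jsp
# returns when no ?login parameter is present.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns:openid="http://openid.net/xmlns/1.0" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service xmlns="xri://$xrd*($v*2.0)">
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>https://is.test.wso2.org/javarp/openidloggedin.jsp</URI>
</Service>
</XRD>
</xrds:XRDS>"""


def published_return_to_uris(xrds_text):
    """Return the <URI> of every <Service> typed as an OpenID 2.0 return_to endpoint."""
    root = ET.fromstring(xrds_text)
    uris = []
    for service in root.iter("{%s}Service" % XRD_NS):
        types = {t.text.strip() for t in service.findall("{%s}Type" % XRD_NS) if t.text}
        if RETURN_TO_TYPE in types:
            uris.extend(u.text.strip() for u in service.findall("{%s}URI" % XRD_NS) if u.text)
    return uris


def _effective_port(parts):
    # Explicit port if given, otherwise the scheme default.
    return parts.port or {"http": 80, "https": 443}.get(parts.scheme)


def return_to_matches(published, return_to):
    """Realm-style matching (assumption: a simplified model of the spec's rules):
    same scheme, host and port; the return_to path must equal the published path
    or lie beneath it; the query string is not compared; fragments are rejected.
    This is why ...openidloggedin.jsp?login=true matches the published
    ...openidloggedin.jsp, while a different host, scheme or path does not."""
    p, r = urlsplit(published), urlsplit(return_to)
    if p.fragment or r.fragment:
        return False
    if p.scheme != r.scheme:
        return False
    if (p.hostname or "").lower() != (r.hostname or "").lower():
        return False
    if _effective_port(p) != _effective_port(r):
        return False
    ppath, rpath = p.path or "/", r.path or "/"
    return rpath == ppath or rpath.startswith(ppath.rstrip("/") + "/")


def verify_return_to(xrds_text, return_to):
    """Accept the request only if return_to matches a published return_to endpoint."""
    return any(return_to_matches(uri, return_to)
               for uri in published_return_to_uris(xrds_text))


if __name__ == "__main__":
    good = "https://is.test.wso2.org/javarp/openidloggedin.jsp?login=true"
    spoofed = "https://attacker.example/javarp/openidloggedin.jsp?login=true"
    print("published return_to URIs:", published_return_to_uris(SAMPLE_XRDS))
    print("request return_to verified:", verify_return_to(SAMPLE_XRDS, good))
    print("spoofed return_to verified:", verify_return_to(SAMPLE_XRDS, spoofed))
```

If your site serves no XRDS at the discovery URL, or serves one whose URIs do not cover the return_to you send, this check fails and the provider has no basis for trusting the return_to, which is the situation behind the Yahoo! warning.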

This is how you do it.

Say, for example, your return_to URL is https://is.test.wso2.org/javarp/openidloggedin.jsp. When you set it in the OpenID authentication request, set it as below, with an added query parameter. The parameter lets the page tell a login response from a discovery fetch, and the URL still matches the published URI because the scheme, host and path are unchanged.

https://is.test.wso2.org/javarp/openidloggedin.jsp?login=true

Also, you need to set your realm to https://is.test.wso2.org/javarp/openidloggedin.jsp (the discovery URL, without the extra parameter).

If you are using WSO2 OpenID Relying Party components, this is how you set your return_to url and the realm in the authentication request.

[This article explains how to add OpenID support to your RP web site with the WSO2 OpenID RP components; please refer to the section "Adding OpenID Support with Simple Registration".]

openIDAuthRequest.setRealm("https://is.test.wso2.org/javarp/openidloggedin.jsp");
openIDAuthRequest.setReturnUrl("https://is.test.wso2.org/javarp/openidloggedin.jsp?login=true");


Now you can differentiate a 'login' request from an 'RP discovery' request.

Your openidloggedin.jsp page contains the logic to present the XRDS document for RP discovery, based on the request.

<%@ page import="java.io.PrintWriter" %>
<%
    // The same URL serves two purposes: with ?login=true it is the return_to
    // endpoint that completes the login; without it, it is the RP discovery
    // document the OpenID Provider fetches.
    String login = request.getParameter("login");

    if (login == null) {
        // RP discovery request: answer with the XRDS document, using the
        // application/xrds+xml media type that Yadis discovery expects.
        response.setContentType("application/xrds+xml");

        String xrd =
            "<xrds:XRDS xmlns:xrds=\"xri://$xrds\" xmlns:openid=\"http://openid.net/xmlns/1.0\" xmlns=\"xri://$xrd*($v*2.0)\">\n" +
            "<XRD>\n" +
            "<Service xmlns=\"xri://$xrd*($v*2.0)\">\n" +
            "<Type>http://specs.openid.net/auth/2.0/return_to</Type>\n" +
            "<URI>https://is.test.wso2.org/javarp/openidloggedin.jsp</URI>\n" +
            "</Service>\n" +
            "</XRD>\n" +
            "</xrds:XRDS>";

        PrintWriter writer = response.getWriter();
        writer.write(xrd);
        writer.flush();
    } else {
        // Login (return_to) request: verify the OpenID response and log the
        // user in... add your logic appropriately.
    }
%>
To see a demonstration of how this works, go to https://is.test.wso2.org/javarp/ and enter your Yahoo OpenID under "OpenID Simple Registration Demo".
