
OpenID and the "return_to" parameter

Referring to my OpenID project openid4java-jsr-196, today I tested some OpenID login forms and came to the conclusion that the OpenID parameter 'return_to' should always have a fixed value pointing to the general root context URL of the web application. Unlike other login modules, where the referring URL is typically used to forward the user after a successful login, this is not a good idea for OpenID modules.

The reason is that the OpenID Provider uses this parameter to grant access, and often also lets the user store this URL in a page store so that later logins happen automatically. If the return URL is not fixed but points dynamically to the requested secured page, it breaks these features offered by the OpenID Provider.

For example, if a user tries to access two different protected pages of a web application secured with OpenID, like:

  • http://localhost/myapp/protected/page-1
  • http://localhost/myapp/protected/page-2

and the login form forwards this varying URL to the OpenID provider, the provider may ask the user to grant two different application URLs. The application can only avoid this if the OpenID login form always delegates one fixed application URL to the provider, independent of the originally requested page.

So in most cases it is sufficient to place a hidden field with the fixed return URL into the OpenID login form:

<form method="get" id="openid_login_form"
      action="#{facesContext.externalContext.requestContextPath}/openid_login">
  <h:inputText id="openid_identifier" tabindex="0" />
  <script>document.getElementById('openid_identifier').focus();</script>
  <input type="submit" value="#{global.login}" />
  <!-- Return URL: fixed root context of the application, not the requested page -->
  <h:inputHidden id="return_to"
      value="#{loginMB.serverURI}#{facesContext.externalContext.requestContextPath}/openid.jsf" />
</form>
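As an added example (not code from the openid4java-jsr196 project), here is a hypothetical servlet behind the form's /openid_login action that hands the provider one fixed return_to for every login and keeps the originally requested page in the HTTP session instead of in return_to. Assumed names: the SERVER_URI constant stands in for loginMB.serverURI, the fixed return_to is the servlet's own path, the requested page arrives in a "target" form parameter, and the session attribute names are made up.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.ParameterList;

// Hypothetical servlet mapped to /openid_login; not part of openid4java-jsr196.
// SERVER_URI is an assumed deployment value replacing loginMB.serverURI.
public class OpenIdLoginServlet extends HttpServlet {
    private static final String SERVER_URI = "http://localhost";
    private final ConsumerManager manager = new ConsumerManager();

    // The only return_to ever sent to a provider: root context plus this servlet's path.
    private String fixedReturnTo(HttpServletRequest req) {
        return SERVER_URI + req.getContextPath() + "/openid_login";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        try {
            if (req.getParameter("openid.mode") == null) {
                // Step 1: login form submitted. Remember the requested page in the
                // session (relative path only) instead of encoding it into return_to.
                String target = req.getParameter("target");
                if (target != null && target.matches("/[\\w./-]*")) {
                    session.setAttribute("postLoginTarget", target);
                }
                DiscoveryInformation discovered =
                        manager.associate(manager.discover(req.getParameter("openid_identifier")));
                session.setAttribute("openid-disc", discovered);
                AuthRequest authReq = manager.authenticate(discovered, fixedReturnTo(req));
                resp.sendRedirect(authReq.getDestinationUrl(true));
                return;
            }
            // Step 2: the provider redirected back to the fixed return_to; verify the
            // response against that same fixed URL, then forward to the stored page.
            DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute("openid-disc");
            VerificationResult result = manager.verify(fixedReturnTo(req) + "?" + req.getQueryString(),
                    new ParameterList(req.getParameterMap()), discovered);
            if (result.getVerifiedId() == null) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
            session.setAttribute("openid", result.getVerifiedId().getIdentifier());
            String target = (String) session.getAttribute("postLoginTarget");
            resp.sendRedirect(req.getContextPath() + (target == null ? "/" : target));
        } catch (OpenIDException e) {
            throw new ServletException(e);
        }
    }
}
```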


Please note that I have started a project site to provide a platform for further discussion and development. You will also find the source code of the OpenID JSR-196 Login Module and a wiki page on the project site:
http://code.google.com/p/openid4java-jsr196/

You are welcome to join this project.