Class OpenID::Server::CheckIDRequest
In: lib/openid/server.rb
Parent: OpenIDRequest

A request to confirm the identity of a user.

This class handles requests for openid modes checkid_immediate and checkid_setup.



assoc_handle  [RW]  Provided in smart mode requests, a handle for a previously established association. nil for dumb mode requests.
claimed_id  [RW]  The claimed identifier. Not present in OpenID 1.x messages.
identity  [RW]  The OP-local identifier being checked.
immediate  [RW]  Is this an immediate-mode request?
mode  [RW]  checkid_immediate or checkid_setup
op_endpoint  [RW] 
return_to  [RW]  The URL to send the user agent back to in order to reply to this request.
trust_root  [RW]  This URL identifies the party making the request, and the user will use that to make her decision about what answer she trusts them to have. Referred to as "realm" in OpenID 2.0.

Public Class methods

Construct me from an OpenID message.

message: An OpenID checkid_* request Message
op_endpoint: The endpoint URL of the server that this message was sent to.


ProtocolError: When not all required parameters are present in the message.
MalformedReturnURL: When the return_to URL is not a URL.
UntrustedReturnURL: When the return_to URL is outside the trust_root.

These parameters are assigned directly as attributes, see the CheckIDRequest class documentation for their descriptions.

Raises MalformedReturnURL when the return_to URL is not a URL.

Public Instance methods

Respond to this request.

allow: Allow this user to claim this identity, and allow the consumer to have this information?
server_url: DEPRECATED. Passing op_endpoint to the Server constructor makes this optional.

When an OpenID 1.x immediate mode request does not succeed, it gets back a URL where the request may be carried out in a not-so-immediate fashion. Pass my URL in here (the fully qualified address of this server's endpoint), and I will use it as a base for the URL for a new request.

Optional for requests where CheckIDRequest.immediate is false or allow is true.

identity: The OP-local identifier to answer with. Only for use when the relying party requested identifier selection.
claimed_id: The claimed identifier to answer with, for use with identifier selection in the case where the claimed identifier and the OP-local identifier differ, i.e. when the claimed_id uses delegation.

If identity is provided but this is not, claimed_id will default to the value of identity. When answering requests that did not ask for identifier selection, the response claimed_id will default to that of the request.

This parameter is new in OpenID 2.0.

Returns an OpenIDResponse object containing an OpenID id_res message.

Raises NoReturnToError if the return_to is missing.

Version 2.0 deprecates server_url and adds claimed_id.

Is the identifier to be selected by the IDP?

Does the relying party publish the return_to URL for this response under the realm? It is up to the provider to set a policy for what kinds of realms should be allowed. This return_to URL verification reduces vulnerability to data-theft attacks based on open proxies, cross-site scripting, or open redirectors.

This check should only be performed after making sure that the return_to URL matches the realm.

Raises DiscoveryFailure if the realm URL does not support Yadis discovery (and so does not support the verification process).

Returns true if the realm publishes a document with the return_to URL listed.

Is my return_to under my trust_root?
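
The "return_to under trust_root" check described above, sketched as an added example using only Ruby's standard library; it is not the library's own code, and the helper name return_to_under_realm? is hypothetical. It follows the OpenID 2.0 realm-matching rules and shows the boundary cases a provider has to get right (host suffix, path prefix, scheme). Assumption: a "*." wildcard realm also matches the bare domain.

```ruby
require 'uri'

# Hypothetical helper, not the library's API: is return_to inside the realm?
# Rules (OpenID 2.0 realm matching): same scheme and port, host equal to the
# realm host or under its "*." wildcard, path equal to or below the realm path.
def return_to_under_realm?(realm, return_to)
  wildcard = false
  # URI cannot parse "*" in a host, so strip the wildcard label before parsing.
  realm_url = realm.sub(%r{\A(https?://)\*\.}i) { wildcard = true; $1 }
  r = URI.parse(realm_url)
  u = URI.parse(return_to)
  return false unless [r, u].all? { |x| x.is_a?(URI::HTTP) && x.host }
  return false if r.fragment # a realm must not carry a fragment
  return false unless r.scheme == u.scheme && r.port == u.port

  r_host = r.host.downcase
  u_host = u.host.downcase
  # Wildcard match requires a label boundary: "notexample.com" must not pass.
  host_ok = u_host == r_host || (wildcard && u_host.end_with?(".#{r_host}"))
  return false unless host_ok

  r_path = r.path.empty? ? '/' : r.path
  u_path = u.path.empty? ? '/' : u.path
  return true if u_path == r_path
  # Sub-directory match must fall on "/": /app covers /app/cb, not /apple.
  u_path.start_with?(r_path.end_with?('/') ? r_path : "#{r_path}/")
rescue URI::InvalidURIError
  false
end

# Constructed sample pairs; example.com and evil.test are placeholder hosts.
SAMPLES = [
  ['http://example.com/app',  'http://example.com/app/cb?nonce=1'],
  ['http://example.com/app',  'http://example.com/apple'],
  ['http://example.com/',     'http://example.com.evil.test/cb'],
  ['http://*.example.com/',   'http://www.example.com/cb'],
  ['http://*.example.com/',   'http://notexample.com/cb'],
  ['https://example.com/',    'http://example.com/cb']
].freeze

SAMPLES.each do |realm, url|
  puts format('%-24s %-36s %s', realm, url, return_to_under_realm?(realm, url))
end
```

As the page notes, passing this syntactic check is a precondition for, not a replacement of, verifying that the realm actually publishes the return_to URL.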