OpenID security in a REST API

Andy Balaam
artificialworlds.net/blog

Contents

Recap

What is OpenID?

Steps to log in (first time)

Steps to log in (next time)

WhoAmI

$ curl http://localhost:8080/\
    api/v1/whoami
{"anonymous": ""}

$ curl http://localhost:8080/\
    api/v1/whoami \
    -u user1:pass1
{"userid": "user1"}

We need a browser

User experience

Implementation

# web.py URL map: each path pattern is followed by the handler that serves it.
# "/openid" is the endpoint the OpenID provider redirects back to.
urls = (
    "/openid",
        "web.webopenid.host",

    "/api/v1/loginoid",
        "poemtube.api.v1.LogInOid",
    # ...
)

Implementation

import web
from web import webopenid

w = webopenid

class LogInOid( object ):
    def GET( self ):
        # status() returns the verified OpenID identity for this session, or None
        if w.status():
            return "Logged in."

        web.header( ... )  # header arguments elided on the slide
        # Not logged in: serve the OpenID form, which posts to "/openid"
        return w.form('/openid')

Implementation

from web import webopenid

def authenticate_user( db ):
    # An OpenID session established through the browser takes precedence
    oid = webopenid.status()
    if oid:
        return oid
    # ... otherwise fall back to checking credentials against db
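To show the precedence rule behind authenticate_user and the responses on the WhoAmI slide end to end, here is an added, framework-independent version (example code, not the talk's web.py code). It assumes the OpenID layer passes in the verified identity URL or None, as webopenid.status() does, and adds one step the slide leaves implicit: the identity URL is mapped to a linked local account rather than used directly as the user id. USERS and OPENID_USERS are constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac
import json

def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stores: local users (salted password hashes) and the OpenID
# identity URLs that have been linked to a local account.
USERS = {"user1": (b"salt-1", _hash(b"salt-1", "pass1"))}
OPENID_USERS = {"https://openid.example.net/user1": "user1"}

def parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic Authorization header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_password(user, password):
    """Verify a Basic-auth pair; constant-time compare, same cost for unknown users."""
    salt, expected = USERS.get(user, (b"dummy", b""))
    return hmac.compare_digest(_hash(salt, password), expected) and user in USERS

def authenticate_user(openid_identity, auth_header):
    """Same order as the slide: a verified OpenID session wins, then Basic auth."""
    if openid_identity:
        return OPENID_USERS.get(openid_identity)  # unlinked identity -> anonymous
    creds = parse_basic_auth(auth_header)
    if creds and check_password(*creds):
        return creds[0]
    return None

def whoami(openid_identity=None, auth_header=None):
    """Body returned by GET /api/v1/whoami, matching the WhoAmI slide."""
    userid = authenticate_user(openid_identity, auth_header)
    return json.dumps({"userid": userid} if userid else {"anonymous": ""})
```

An identity URL that the provider verified but that no local account has linked yields the anonymous response rather than a fresh user, which is where a registration step would plug in.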

What's going on?

More info

Videos youtube.com/user/ajbalaam
Twitter @andybalaam
Blog artificialworlds.net/blog
Projects artificialworlds.net