Recap

• A YouTube for poetry, API first
• We can list, search for, retrieve and modify poems
• Log in using HTTP Basic Authentication
• Stay logged in via a token in a cookie

What is OpenID?

• Let someone else do authentication for you
• Avoid having to hold user credentials
• Avoid having to create and check tokens
• User doesn't have to remember another password

Steps to log in (first time)

• App asks user for their OpenID (url)
• App asks OpenID provider whether you are ok
• Provider responds "no"
• App redirects to provider log in page
• User logs in
• Provider redirects back to app
• App asks OpenID provider whether you are ok
• Provider responds "yes"

Steps to log in (next time)

• App asks user for OpenID (url)
• App asks OpenID provider whether you are ok
• Provider responds "yes"

WhoAmI

$ curl http://localhost:8080/\
    api/v1/whoami
{"anonymous": ""}

$ curl http://localhost:8080/\
    api/v1/whoami \
    -u user1:pass1
{"userid": "user1"}

We need a browser

• The login process for the provider is undefined
• We must open a browser on their login page

User experience

User experience

User experience

User experience

User experience

Implementation

urls = (
    "/openid",
        "web.webopenid.host",

    "/api/v1/loginoid",
        "poemtube.api.v1.LogInOid",
# ...
)

Implementation

w = webopenid

class LogInOid( object ):
    def GET( self ):
        if w.status():
            return "Logged in."

        web.header( #...
        return w.form('/openid')

Implementation

def authenticate_user( db ):
    oid = webopenid.status()
    if oid:
        return oid
    # ...

What's going on?

More info