[Catalyst] Re: New credential -- Catalyst::Authentication::Credential::OpenID

Ashley apv at sedition.com
Tue Apr 8 04:04:12 BST 2008


On Apr 7, 2008, at 5:22 PM, Aristotle Pagaltzis wrote:
> Hi Ashley,
>
> * Ashley <apv at sedition.com> [2008-04-07 20:10]:
>> http://search.cpan.org/dist/Catalyst-Authentication-Credential-OpenID/
>
> is there any way to tell which OpenID provider was used for a
> particular credential? F.ex. a company might use OpenID as its
> SSO mechanism, by setting up an OpenID provider for employees, in
> which case an internal app might want to grant extra trust to
> OpenIDs from that provider (or reject IDs from other providers
> altogether).
>
> OK, in this particular example you could get away with accepting
> only OpenIDs of a particular form. But delegation is an integral
> part of OpenID and in other similar scenarios on the open web it
> would be interesting to know the provider, not just the identity.
>
> A quick skim of Net::OpenID::Consumer does not reveal a way to
> get at this, however… is there?

That is intriguing. I see Tatsuhiko already mentioned the
identity_server() method in Net::OpenID::ClaimedIdentity.

Another thing that could be caught is the spec level of the
authentication. Unsure where (or if it's already there) but
should be doable.

The OpenID store I am planning to write could catch/contain
these things. How to tie it in to increased/reduced trust
then? Just in the app? Inline in the realm with "roles" for
providers? Perhaps-

    $c->assert_roles("https://trusted-provider.org");

Then things like a tree...

    if ( $c->check_roles("https://supertrust.net") ) {
        # you get everything
    }
    elsif ( $c->check_roles("http://okiedokey.com") ) {
        # you're pretty cool
    }
    elsif ( $c->user_exists and $c->check_roles("generic_OpenID") ) {
        # you're allowed to vote and all but not XYZ
    }
    else {
        $c->res->body("Oh, hai. I can haz sign-in?");
    }

Very cool idea.

-Ashley
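A worked version of the two ideas above, added here as an example; it is not code from this thread, from Catalyst::Authentication::Credential::OpenID or from Net::OpenID::Consumer. It keys trust on the provider endpoint (what Net::OpenID::ClaimedIdentity->identity_server returns after discovery) rather than on the shape of the claimed identity URL, which is exactly the delegation problem Aristotle raises, and it produces the tiered role list Ashley sketches. The provider hosts, role names, the sample logins and the helper names (canon_endpoint, looks_like_provider_identity, roles_for_login) are all assumptions made for the example; it only depends on the URI module, which Catalyst already pulls in.

```perl
#!/usr/bin/perl
# Added example (not code from the thread or from
# Catalyst::Authentication::Credential::OpenID). Grants roles by the OpenID
# *server endpoint* that signed the assertion, never by how the claimed
# identity URL looks. Provider hostnames and role names are hypothetical.
use strict;
use warnings;
use URI;

# Trust tiers keyed by canonical provider endpoint. With Net::OpenID::Consumer
# the endpoint is what Net::OpenID::ClaimedIdentity->identity_server returns
# once discovery has run on the claimed identity.
my %PROVIDER_ROLES = (
    'https://supertrust.net/server' => [qw(generic_OpenID voter admin)],
    'http://okiedokey.com/openid'   => [qw(generic_OpenID voter)],
);

# Canonical form for comparing endpoints: http(s) only, lowercase scheme and
# host, default port dropped, trailing slashes stripped. Two spellings of one
# endpoint must compare equal; anything else must not.
sub canon_endpoint {
    my ($url) = @_;
    return undef unless defined $url;
    my $u      = URI->new($url);
    my $scheme = lc( defined $u->scheme ? $u->scheme : '' );
    return undef unless $scheme eq 'http' || $scheme eq 'https';
    my $host = lc( defined $u->host ? $u->host : '' );
    return undef unless length $host;
    my $port = $u->port == $u->default_port ? '' : ':' . $u->port;
    my $path = $u->path;
    $path = '/' unless length $path;
    $path =~ s{/+\z}{} if length $path > 1;
    return "$scheme://$host$port$path";
}

# The check one "could get away with": trust an identity because its URL
# lives on the provider's host. Delegation breaks it: the page at
# https://supertrust.net/mallory may delegate to any server mallory picks,
# so this must never be the basis for elevated roles. Kept here only to
# show the difference against roles_for_login.
sub looks_like_provider_identity {
    my ($claimed, $provider_host) = @_;
    my $u = URI->new($claimed);
    return 0 unless $u->can('host') && defined $u->host;
    return lc( $u->host ) eq lc($provider_host) ? 1 : 0;
}

# Roles for one login. $claimed is the verified identity URL, $server the
# endpoint that actually signed the assertion. Unknown servers get only the
# generic role, whatever the identity URL looks like.
sub roles_for_login {
    my ( $claimed, $server ) = @_;
    my $key = canon_endpoint($server);
    return ('generic_OpenID') unless defined $key && $PROVIDER_ROLES{$key};
    return @{ $PROVIDER_ROLES{$key} };
}

# Constructed sample logins (claimed identity, identity_server found by
# discovery); these are not real discovery results.
my @logins = (
    [ 'https://supertrust.net/alice',   'https://supertrust.net/server' ],
    [ 'http://alice.example/',          'HTTPS://SuperTrust.net:443/server/' ],
    [ 'https://supertrust.net/mallory', 'http://mallory.example/openid' ],
    [ 'http://bob.example/',            'http://okiedokey.com/openid' ],
);

for my $l (@logins) {
    my ( $claimed, $server ) = @$l;
    printf "%-32s via %-37s host-check=%d roles=%s\n",
        $claimed, $server,
        looks_like_provider_identity( $claimed, 'supertrust.net' ),
        join( ',', roles_for_login( $claimed, $server ) );
}
```

The four constructed rows make the point: alice's page on the provider host and alice.example's page that delegates to the same provider both end up with the full role set, because the same endpoint signed for them (the odd spelling of the second endpoint is normalised away); mallory's page, which sits on supertrust.net but delegates to mallory's own server, passes the naive host check yet gets only generic_OpenID; bob gets the middle tier. How the returned list reaches the realm (a roles column in the OpenID store Ashley mentions, or whatever the app's role store expects) is left open here, since the module does not define that yet.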

