forked from gugu/net-openid-consumer
-
Notifications
You must be signed in to change notification settings - Fork 1
/
ChangeLog
205 lines (138 loc) · 6.47 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
1.03:
* Enforce the rules from the Auth 2.0 spec about which fields
MUST be signed in positive assertion messages.
* Return a more sensible error (no_head_tag) if the identifier
URL returns an empty (0-byte) HTML document.
* Verify delegate on the non-fragment version of the resulting
identifier, so that you can delegate to providers that add
fragments to their identifiers.
Found and fixed by avarix <[email protected]>.
1.02:
* Declare dependency on XML::Simple
1.01:
* Make the verified_identity bit accept assertions from any
declared endpoint, rather than only the primary one.
This implementation kinda sucks because it hits the identity
URL over and over doing discovery.
* Refactor the discovery code a little so that the whole list
of valid endpoints can optionally be returned. This is in
preparation for fixing the assertion verification code
so that providers other than the primary one are able to
make assertions.
* Support indirect messages encapsualated in POST requests
when args are given as a CGI, Apache, or Apache::Request
object.
* Support the 1.1 and 1.0 namespace values required by
Auth 2.0 section 4.1.2.
* Deal with cases where Net::OpenID::Yadis returns arrayref
or hashref for Service->URI, including a basic support for
the priority attribute. Based on a patch from
Fumiaki Yoshimatsu <[email protected]>.
* when dealing with a 2.0 server, send 2.0-shaped association
requests.
* add the set_extension_args method to ClaimedIdentity and the
extension_fields and signed_extension_fields methods to
VerifiedIdentity, which together form a higher-level API
for using protocol extensions such as SREG and PAPE.
* add support for OpenID 2.0-style messages from providers
* use our own simplified fork of Net::Yadis::Discovery to avoid
dependency on Module::Pluggable::Fast. Or on Net::Yadis::Discovery,
for that matter.
* add hooks for openid-test project. (bradfitz)
* add OpenID 2.0-compliant discovery and authentication request.
* add method on claimed identity object to get delgated URL
0.14: (2007-08-03)
* allow CGI subclasses (like CGI::Fast) for args. bug fix
from Chris Kastorff <[email protected]>.
0.13:
* work-around bug in some openid servers that don't escape "+".
so treat a space as a +. (from Thomas Sibley
* go into dumb mode earlier if it's detected that our cache object
isn't working
* give callers access to the signed_fields from the verified
identity object
0.12:
* required_root in constructor/method/validated_identity
* allow https identities
* version 1.1 of the protocol
* expand entities in link rel
* reject cached association validation if expiry is in past
0.11:
* document common error codes from claimed_identity, and
cleanup some error handling/codes
* support openid.mode=cancel
* respect replace_after and expiry. do clock compensation
between local clock and server.
* invalidate_handle support
0.10:
* handle openid.delegate properly (was losing state because I'd
put a URL parameter onto the wrong URL)
* copy all signed parameters into POST args in dumb mode,
not a static set (to be future-proof)
0.09:
* switch to DH/HMAC protocol, not DSA protocol
0.08:
* more openssl-binary temp file changes. on second failure (which
was previously missing a new method), it also propogates up the
error message now, instead of dying, to be more consistent with
the other DSA checkers, which never die
0.07:
* bugfix: use URI::Fetch 0.02, not "0.02" in quotes
* bugfix: don't set cache if no cache
0.06:
* wrap Crypt::OpenSSL::DSA verify in eval {} as it can croak
* use URI::Fetch, which does caching and proper HTTP behavior
* let user get/set cache, which is then propogated down to URI::Fetch
* optionally use new pure-perl version of Crypt::DSA which now
does ASN.1 serialization/deserialization in both signatures and
public keys. brings total options of DSA verify techniques up
to 3.
* tmpdir option (and smart auto-configuration) for people using
OpenSSL binaries to verify signatures.
* security fix when doing DSA checks with system openssl binary
(was previously parsing the wrong status)
* misc reported bugfixes
0.05:
* stupid push_url_arg bugfix
* doc fix in example code (no post_grant in check_url)
0.04:
* tons more docs: in both ClaimedIdentity and VerifiedIdentity
* Consumer now observes atom/rss/foaf/foafmaker at the same time
as openid.server, and passes it along to VerifiedIdentity,
where it's accessible, and VerifiedIdentity knows whether or
not those urls are under the trusted one or not, and makes them
differently available to callers
* bug fixes, doc fixes
* post_grant moved to user_setup_url, not check_url
* delayed_return added to check_url
0.03:
* setting args in constructor was broken
* renamed get_claimed_identity to just claimed_identity to be
consistent
* all methods now croak if called with too many arguments
* added ClaimedIdentity->identity_server to get just one,
as selected by plugin, instead of array of them all
0.02:
* POD docs for Net/OpenID/Consumer.pm
* accepts CGI, Apache, Apache::Request, and CODE arguments now for
GET argument retrievers, in addition to just HASH references
* openid.server auto-discovery only happens within first <head> tag
* if using Crypt::OpenSSL::DSA, now requires 0.12 due to bugs found
in 0.11.
* DSA verification using OpenSSL binary no longer spews "Verification OK"
to stdout
0.01:
* fetching of page (with configurable user agent object; I
recommend you use LWPx::ParanoidAgent, now available on CPAN)
and returning a "ClaimedIdentity" object of what the user claims
they are, but is not verified yet
* auto-discovery of openid servers
* hook to let you provide your subref to do openid server
selection, given multiple options
* generation of "check" URL to send user to to get redirect
* reading of response parameters, returning either a
user_setup_url or a VerifiedIdentity object (doing DSA
validation with either Crypt::OpenSSL::DSA or your openssl
binary)
* start of JSON responses for javascript UI