Reputation: 1430
AuthenticationRequestMode.Immediate and AuthenticationStatus.SetupRequired
I'm using DotNetOpenAuth to build a Relying Party. So far everything has gone fairly smooth, but I'm a bit stuck on one thing; I'm not quite sure how to handle the AuthenticationStatus.SetupRequired case after performing a check immediate from a stored claimed identifier.
I'm storing my visitors' claimed Identifiers in a cookie, and if they return to me unauthenticated, but with this cookie, I perform an immediate authentication request (because I think this is what I'm supposed to do) to check what the OP thinks of this identifier I've gotten from a visitor.
It seems that all that comes back in the return request is the State = SetupRequired...does this mean that the OP is saying "you're good to go...go ahead and do what you need to do to keep this claimed_identifier going"? Or am I supposed to do something else when this happens?
Furthermore, this seems to happen when I make an immediate request to Yahoo, but not when I make the same request to Google.
What gives?
Thanks, Andrew
Upvotes: 1
Views: 420
Answers (1)
Reputation: 81801
When you send an "immediate" request, you're asking the OP if it is willing and able to say that a given user is still logged into the OP. Not all OPs support this request. Those that do not support it, and those that do support it but cannot respond affirmatively (because the user is not logged in for example) return setup_required to the RP.
At the RP, getting SetupRequired as a response means "I'm not saying the user is logged in or not -- you have to try authenticating again with checkid_setup" (which means try again without using immediate mode.)
The key difference between immediate mode and "setup" mode is that in immediate mode the OP is not supposed to present any UI to the user at all -- the entire process is supposed to just look like a redirect to the user. In setup mode (i.e. regular mode) the OP is allowed to display a login UI and/or a "are you sure you want to log into [RP]?" prompt. If the OP needs to display this UI and cannot because it is immediate mode, then the only thing it can respond with is setup_required.
Upvotes: 3
Related Questions
- Bad request on ProcessUserAuthorization (DotNetOpenAuth 4.2.2.13055)
- DotNetOpenId — “This message has already been processed” Error (Part 2)
- DotNetOpenAuth oAuth2 Message already been processed
- DotNetOpenId -- "This message has already been processed" Error
- OpenAuth .Net Claims Request is always null
- DotNetOpenAuth RequestUserAuthorization callback
- DotNetOpenAuth.OpenId.RelyingParty.IAuthenticationRequest RedirectToProvider() ThreadAbortException
- DotNetOpenAuth and FormsAuthentication
- OpenID "Unsolicited assertions are not allowed from 1.0 OpenID Providers" error
- DotNetOpenAuth autopostback