xref: /dports/security/py-python-openid/python-openid-2.2.5/NEWS

What's New in Python OpenID 2.1.0
=================================

This implementation of OpenID has been upgraded to support version 2.0
of the OpenID Authentication specification.

New in this version is:

 * Verification of relying party return_to addresses, to screen out RPs
   hiding behind open redirect relays.  Server code can invoke this with
   the returnToVerified method on CheckIDRequest.

 * Helper module for the Provider Authentication Policy Extension (PAPE) in
   openid.extensions.pape.

 * Helper module for Attribute Exchange in openid.extensions.ax.

Bugfixes:

 * Allow the use of lxml as an ElementTree implemenation.

 * Provide compatability with a wider range of versions for SQL stores.


Upgrading from 2.0.1
--------------------

The third argument to Consumer.complete() is required.

The sreg module should be imported from openid.extensions.sreg instead of
openid.sreg.

The ax module should likewise be imported from openid.extensions.ax
instead of openid.ax

The openid.extensions.ax.FetchRequest.fromOpenIDRequest method now
takes a CheckIDRequest object instead of a Message object

The OpenID response (the result of Consumer.complete()) now has a
getDisplayIdentifier() method which should be called instead of
accessing response.identity_url.  The value of getDisplayIdentifier()
will be the XRI i-name if XRI is used.  The value of
response.identity_url SHOULD, however, be used as the application's
database key for storing account information.

What's New in Python OpenID 2.0
===============================

The big news here is compatibility with svn revision 313 of the OpenID 2.0
draft specification.

Highlights include:

 * Simple Registration support in a new module openid.sreg.  (Those
   previously using SuccessResponse.extensionResponse are advised to
   look here.)
 * OpenID provider-driven identifier selection.
 * "Negotiators" allow you to define which association types to use.
 * Examples for Django.

Dependencies
------------

Python 2.5 is now supported.  Support for Python 2.2 discontinued.
Seperate installation of yadis and urljr packages is no longer
required; they have been included in this package.


Upgrading from 1.1 or 1.2
-------------------------

One of the additions to the OpenID protocol was a specified nonce
format for one-way nonces.  As a result, the nonce table in the store
has changed.  You'll need to run contrib/upgrade-store-1.1-to-2.0 to
upgrade your store, or you'll encounter errors about the wrong number
of columns in the oid_nonces table.

If you've written your own custom store or code that interacts directly with it,
you'll need to review the change notes in openid.store.interface.

Consumers should now pass an additional parameter to Consumer.complete()
to defend against return_to tampering.


What's New in Python OpenID 1.1.2
=================================

i-name Support
--------------

This version of the library allows the use of XRI as OpenID identifiers,
allowing users to log in with their i-names.  For full XRI compatibility,
relying parties integrating this library should take note of the user's
CanonicalID, as described in the "Identifying the End User" section of the
OpenID 2.0 specification.

Bug Fixes
---------

A variety of bug fixes were included in this release, mostly relating to
international issues such as dealing with other character sets, Unicode,
incorrectly flagging certain Norwegian trust roots as suspect, and operation
of the filesystem-backed store on exotic platforms.

Dependencies
------------

 * urljr 1.0.1
 * yadis 1.1.0


What's New in Python OpenID 1.1.0
=================================

Version 1.1 of the Python OpenID library implements recent changes to
the OpenID specification as well as making API changes that should
make integration with applications easier.

Yadis Support
-------------

One of the major changes to OpenID since the last release has been the
approval of Yadis discovery as the preferred way to specify the OpenID
metadata for an identity URL instead of using <link> tags in
HTML. This library does Yadis discovery, and if that fails, it falls
back to old-style discovery.

Some advantages of Yadis support are:

 * Support for fallback if your primary OpenID provider is not available

 * Support for load-balancing between OpenID servers

 * Easy interoperability for different identity services

For more information about Yadis, see http://yadis.org/

Extension Support
-----------------

OpenID also has formalized support for extensions. Extensions are a
mechanism for transferring information from the consumer to the server
and from the server to the consumer in the process of performing
OpenID authentication. Extensions are implemented as additional
namespaced query arguments that go along with standard OpenID requests
and responses. This library provides a simple API for adding extension
arguments to requests and extracting extension responses from replies.

Dependencies
------------

These dependencies should be available from wherever you acquired the
OpenID library.

 * urljr - The fetcher abstraction from the previous OpenID library
   has been extended and is also used for the Yadis library. Because
   the Yadis library is useful without the OpenID library, the HTTP
   fetching code has been rolled into its own package. Additionally,
   the library now has the concept of a default fetcher to make APIs
   simpler.

 * yadis - The Yadis library provides a general discovery layer that
   has been adopted by OpenID as well as other identity-related
   protocols. Most OpenID identity URLs will work without the Yadis
   library, but as time goes on, this library will be more and more
   important.

Consumer API
------------

The consumer API has been changed for more natural use as well as to
support extension arguments.

 * OpenIDConsumer(store, [fetcher], [immediate]) is now
   Consumer(session, store)

  - The session object is a dictionary-like object that should be
    tied to the requesting HTTP agent, for example, using a session
    ID cookie. It is used for Yadis fallback and holding the state
    of the OpenID transaction between the redirect to the server
    and the response. The values that are placed in the session are
    namespaced, so there should not be a conflict with other uses
    of the same session. The session namespace is an attribute of
    the Consumer object.

  - Because the consumer object now does session management, it is
    necessary to construct a new consumer object for every
    request. Creating consumer objects is light-weight.

 * OpenIDConsumer.beginAuth(user_url) is now Consumer.begin(user_url)
   and either returns an AuthRequest object or raises an
   exception. There is no more tuple unpacking or status codes.

 * OpenIDConsumer.constructRedirect(authreq, return_to, trust_root) is
   now AuthRequest.redirectURL(trust_root, return_to, [immediate]).

 * OpenIDConsumer.completeAuth(token, query) is now
   Consumer.complete(query). It no longer returns a tuple. Instead it
   returns an object that has a status code and additional information
   about the response. See the API documentation for more information.

Server API
----------

The server API has been changed for greater extensibility.  Instead
of taking an "is_authorized" callback, processing happens in several
stages, allowing you to insert extension data into the response
before it is signed and returned.  See the documentation for the
openid.server.server module.

Fetcher API
-----------

 * fetcher was openid.consumer.fetchers.OpenIDHTTPFetcher, is now
   urljr.fetchers.HTTPFetcher.  get() and post() have been replaced by
   fetch(), see urljr.fetchers for details.

Upgrading from 1.0
------------------

The server changed the way it indexes associations in the store, so if
you're upgrading a server installation, we recommend you clear the old
records from your store when you do so.  As a consequence, consumers
will re-establish associations with your server a little sooner than
they would have otherwise.