OpenId Requirements (version beta 1.0)
The OpenId client or "Relying Party" is the software tool to be intergrated with GenomeSpace, also called "your app" below. The OpenId server or "Provider" is the GenomeSpace server.
Choose an OpenId client library to use with your app. For Java we recommend
For Python we recommend
python-openid 2.5.5 and python 2.6.6
The library needs to support OpenId Version 2.0, and needs to support at least one of these spec extensions: Attribute Exchange ("AX"), Simple Registration ("SReg") version 1.0 or 1.1, or the openId version 2 spec compliant custom extension.
Your application needs code that calls the OpenId client library to talk OpenId protocol with the GenomeSpace OpenId server. There is Java code in BitBucket"s GenomeSpace/Combined project, called "openIdClient". It's pretty much one Java Servlet and some supporting Jsp, and includes the minimal set of required jars. If you search for "This is where a real app would forward or otherwise connect" you'll find the point in the code where the servlet should redirect to your app upon successful login.
The OpenId spec describes how the user starts the login process by supplying a "User-Supplied Identifier". It in turn resolves to the "OpenId Provider Endpoint URL". Since there is only one acceptable provider, your app can always use one User-Supplied Identifier which is a url gotten by HTTP GET from http://www.genomespace.org/sites/genomespacefiles/config/serverurl.properties and extracting the "openIdUrl" property for the desired server.
Your app's client code needs to request that the GenomeSpace OpenId server return the gs-token and gs-username values. Due to the lack of uniform support among various OpenId libraries, the GenomeSpace OpenId server supports three ways of doing this. Pick any one of the three. It's just a question of what is supported by your OpenId library.
Retrieving email address
If your app wants the user's email address, the client should request the user's email address in the OpenId Authentication Request. It is best to use the same mechanism that was used to request gs-token and gs-username. The added OpenId message parameters are:
OpenId logout is possible but requires both of these steps to be done: