Better webfinger
Actually:
- On login at the Relying Party (RP), the user can enter an email such as: jblemee@pm.me
- The RP will send a request to the email host to find out the OIDC Provider (OP), using WebFinger:
  GET https://pm.me/.well-known/webfinger?resource=acct%3Ajblemee%40pm.me
- It will find nothing because pm.me doesn't implement WebFinger.
To do:
- On RP side: if WebFinger does not work on the email host, try it on all known OPs (using OPClient.objects.all()).
- On OP side: implement the endpoint `/.well-known/webfinger/`:
  - If the user is found and local: return this OP as the issuer.
  - If the user is found but not local: return the remote OP as the issuer.

This issue is closed: https://github.com/OpenIDC/pyoidc/issues/655

This way, if jblemee@pm.me has an account on the Paris server, he will be able to log in on the Lyon server just by entering his email. The requests will be:
- GET https://pm.me/.well-known/webfinger?resource=acct%3Ajblemee%40pm.me
  => 404 Not Found
- GET https://paris.happy-dev.fr/.well-known/webfinger?resource=acct%3Ajblemee%40pm.me
  => 200 Found
- Maybe use/contribute to this lib: https://github.com/jcarbaugh/django-webfinger
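The two sides of the proposal above as an added example (not code from this project or from django-webfinger): an RP-side lookup that tries the email host first and then falls back over the known OPs, and an OP-side responder that answers for local users and for users whose home OP is elsewhere. The HTTP transport is an injected `fetch(url)` callable so it runs offline; the RP also checks that the JRD `subject` is the account it asked about and that the issuer is https, so an unrelated host cannot point it at an arbitrary issuer. The `local_users`/`remote_users` parameters are assumptions standing in for the OP's user store.

```python
import json
from urllib.parse import quote, urlsplit

# "rel" value that OpenID Connect Discovery 1.0 uses to point at the issuer
REL_ISSUER = "http://openid.net/specs/connect/1.0/issuer"

def webfinger_url(host, email):
    """WebFinger query for acct:<email> against <host> (the URL shape in the issue)."""
    return f"https://{host}/.well-known/webfinger?resource={quote('acct:' + email, safe='')}"

def issuer_from_jrd(body, email):
    """Issuer from a JRD body, or None. The subject must be the account we asked
    about and the issuer must be https, so an unrelated host cannot redirect us."""
    try:
        jrd = json.loads(body)
    except ValueError:
        return None
    if jrd.get("subject") != "acct:" + email:
        return None
    for link in jrd.get("links", []):
        if link.get("rel") == REL_ISSUER and urlsplit(link.get("href", "")).scheme == "https":
            return link["href"]
    return None

def discover_issuer(email, known_ops, fetch):
    """RP side: ask the email host first, then every known OP (the
    OPClient.objects.all() fallback). fetch(url) returns (status, body_text)."""
    host = email.rsplit("@", 1)[1]
    for candidate in [host] + [op for op in known_ops if op != host]:
        status, body = fetch(webfinger_url(candidate, email))
        if status == 200:
            issuer = issuer_from_jrd(body, email)
            if issuer:
                return issuer
    return None

def op_webfinger(resource, local_users, remote_users, own_issuer):
    """OP side: (status, JRD dict). local_users: emails with an account here
    (assumed store); remote_users: email -> issuer of the OP holding the account."""
    email = resource[len("acct:"):] if resource.startswith("acct:") else None
    if email in local_users:
        issuer = own_issuer
    elif email in remote_users:
        issuer = remote_users[email]
    else:
        return 404, {}
    return 200, {"subject": resource, "links": [{"rel": REL_ISSUER, "href": issuer}]}
```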