Fix OpenID delegate authentication

OpenID delegate support was accidentally broken back when we switched
to openid4java.  Issue 38 claims it was broken in commit 818fa7568021
(v2.0.19~85) when we did a refactoring on how accounts are handled,
but I can't seem to fault that commit with the actual problem of
not honoring the claimed identity supplied by the user.

We now store both the claimed identity and the delegate identity into
the database.  This makes it easier to link back to the same account
if the user enters through one or the other.  It also permits
us to only grant extended access to a user account if both their
claimed and delegate provider are trusted by the site administrator.

If an account has only the delegate identity (e.g. because it
was made before this fix was put into production use) we add the
claimed identity as an additional identity during the next login.
If an account has the claimed identity but not the delegate, we
add the delegate on the next login under the assumption that the
user has updated their delegation rule stored at the claimed address.

Bug: issue 38
Change-Id: Ie1e1265c94e5cafc75e8d71c9a1cbfa4df4337b7
Signed-off-by: Shawn O. Pearce <sop@google.com>
2 files changed
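
A model of the login-time identity linking described in the commit message above, added here as an illustration; it is not code from this commit or its project. The in-memory store, the URLs, the prefix-based trust list and the refusal to merge when the two identities already belong to different accounts are assumptions.

```python
# Added illustration: a model of the behaviour the commit message describes,
# not the project's code. Names, URLs and the trust list are assumptions.
# Prefixes end in "/" so "https://id.example.org.attacker.test/" cannot match.
TRUSTED_PREFIXES = ("https://id.example.org/", "https://op.example.net/")


class IdentityConflict(Exception):
    """Claimed and delegate identities are linked to different accounts."""


def is_trusted(identity):
    return identity.startswith(TRUSTED_PREFIXES)


class AccountStore:
    def __init__(self):
        self.by_identity = {}  # identity URL -> account id
        self.next_id = 1

    def login(self, claimed, delegate):
        """Return (account_id, extended_access) for a verified OpenID login."""
        ids = [i for i in dict.fromkeys((claimed, delegate)) if i]
        if not ids:
            raise ValueError("no identity supplied")
        found = {self.by_identity[i] for i in ids if i in self.by_identity}
        if len(found) > 1:
            # Assumption: two existing accounts are never merged automatically.
            raise IdentityConflict(f"{ids} map to accounts {sorted(found)}")
        if found:
            account = found.pop()
        else:
            account, self.next_id = self.next_id, self.next_id + 1
        # Store both identities; this fills in whichever one the account lacks.
        for i in ids:
            self.by_identity[i] = account
        # Extended access requires every identity involved to be trusted.
        return account, all(is_trusted(i) for i in ids)


def demo():
    store = AccountStore()
    # Constructed data: an account created with the delegate identity only.
    store.by_identity["https://op.example.net/alice"] = 7
    store.next_id = 8
    first = store.login("https://alice.example.com/", "https://op.example.net/alice")
    # The delegation rule at the claimed address later points elsewhere.
    second = store.login("https://alice.example.com/", "https://id.example.org/alice")
    third = store.login("https://id.example.org/bob", "https://op.example.net/bob")
    return first, second, third, store
```

In the constructed data the claimed address is outside the trust list, so the account is linked through either identity but receives no extended access even though its delegate provider is trusted.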