From 475b4199e1624350b928a002fe83033ee3389b31 Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@kitenet.net>
Date: Fri, 11 Jun 2010 13:53:56 -0400
Subject: openid: Add openid_realm and openid_cgiurl configuration options,
 useful in a few edge case setups.

---
 IkiWiki/Plugin/openid.pm | 27 ++++++++++++++++++++++++---
 debian/changelog         |  7 +++++++
 doc/plugins/openid.mdwn  | 16 ++++++++++++++++
 3 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/IkiWiki/Plugin/openid.pm b/IkiWiki/Plugin/openid.pm
index e10e21f4d..57cb139ca 100644
--- a/IkiWiki/Plugin/openid.pm
+++ b/IkiWiki/Plugin/openid.pm
@@ -40,6 +40,18 @@ sub getsetup () {
 			rebuild => 0,
 			section => "auth",
 		},
+		openid_realm => {
+			type => "string",
+			description => "url of openid realm (default is cgiurl)",
+			safe => 0,
+			rebuild => 0,
+		},
+		openid_cgiurl => {
+			type => "string",
+			description => "url to ikiwiki cgi to use for openid authentication (default is cgiurl)",
+			safe => 0,
+			rebuild => 0,
+		},
 }
 
 sub openid_selector {
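Review bot: The `openid_realm` description says the default is cgiurl, but the fallback this commit adds in validate() tries `openid_cgiurl` first. I would word it `description => "url of openid realm (default is openid_cgiurl if set, else cgiurl)",` so the setup text matches the code and the new documentation. The realm is the scope the user is asked to approve at their OpenID provider, so a comment above the entry such as `# a realm wider than the cgiurl extends the user's approval to everything under it` would help an admin deciding whether to set it. getsetup's body starts outside the hunk.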
@@ -135,9 +147,15 @@ sub validate ($$$;$) {
 		);
 	}
 
+	my $cgiurl=$config{openid_cgiurl};
+	$cgiurl=$config{cgiurl} if ! defined $cgiurl;
+
+	my $trust_root=$config{openid_realm};
+	$trust_root=$cgiurl if ! defined $trust_root;
+
 	my $check_url = $claimed_identity->check_url(
-		return_to => IkiWiki::cgiurl(do => "postsignin"),
-		trust_root => $config{cgiurl},
+		return_to => "$cgiurl?do=postsignin",
+		trust_root => $trust_root,
 		delayed_return => 1,
 	);
 	# Redirect the user to the OpenID server, which will
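Review bot: The fallbacks `$cgiurl=$config{cgiurl} if ! defined $cgiurl;` and `$trust_root=$cgiurl if ! defined $trust_root;` only test definedness, so an option left as an empty string in the setup file would produce `return_to => "?do=postsignin"` and an empty trust_root instead of the defaults. Testing `if ! defined $cgiurl || ! length $cgiurl` (and likewise for `$trust_root`) would cover that case; the same test is repeated in the getobj hunk. Nothing here checks that `$trust_root` is a prefix of `$cgiurl`, although the documentation added in this commit says the two must match, so a misconfiguration will presumably show up only as a failed login; an early `error()` with a clear message would make it diagnosable. Building return_to by concatenation instead of `IkiWiki::cgiurl(do => "postsignin")` also assumes openid_cgiurl never carries a query string of its own. validate's body extends beyond the hunk.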
@@ -220,12 +238,15 @@ sub getobj ($$) {
 		$secret=rand;
 		$session->param(openid_secret => $secret);
 	}
+	
+	my $cgiurl=$config{openid_cgiurl};
+	$cgiurl=$config{cgiurl} if ! defined $cgiurl;
 
 	return Net::OpenID::Consumer->new(
 		ua => $ua,
 		args => $q,
 		consumer_secret => sub { return shift()+$secret },
-		required_root => $config{cgiurl},
+		required_root => $cgiurl,
 	);
 }
 
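Review bot: `required_root` has to agree with the base of the `return_to` that validate() sends, yet the two values come from separately copied fallback lines, so a later edit to one copy can silently break verification of the provider's response. A single helper called from both subs would keep them in step; a sketch follows, with a helper name of my own choosing. The added line before `my $cgiurl` also contains only a stray tab. getobj starts outside the hunk.

```perl
# Base CGI URL used for OpenID: openid_cgiurl if set and non-empty, else cgiurl.
sub openid_base_cgiurl {
	my $cgiurl=$config{openid_cgiurl};
	$cgiurl=$config{cgiurl} if ! defined $cgiurl || ! length $cgiurl;
	return $cgiurl;
}

	# … unchanged: session secret setup in getobj …
	return Net::OpenID::Consumer->new(
		# … unchanged: ua, args, consumer_secret …
		required_root => openid_base_cgiurl(),
	);
```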
diff --git a/debian/changelog b/debian/changelog
index 01307db55..9a6b1361c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20100611) UNRELEASED; urgency=low
+
+  * openid: Add openid_realm and openid_cgiurl configuration options,
+    useful in a few edge case setups.
+
+ -- Joey Hess <joeyh@debian.org>  Fri, 11 Jun 2010 13:39:15 -0400
+
 ikiwiki (3.20100610) unstable; urgency=low
 
   * creation_day() etc use local time, not gmtime. To match calendars, which
diff --git a/doc/plugins/openid.mdwn b/doc/plugins/openid.mdwn
index 7da2f8575..3fb4c26b8 100644
--- a/doc/plugins/openid.mdwn
+++ b/doc/plugins/openid.mdwn
@@ -13,3 +13,19 @@ to support users entering "https" OpenID urls.
 
 This plugin is enabled by default, but can be turned off if you want to
 only use some other form of authentication, such as [[passwordauth]].
+
+## options
+
+These options do not normally need to be set, but can be useful in
+certian setups.
+
+* `openid_realm` can be used to control the scope of the openid request.
+  It defaults to the `cgiurl` (or `openid_cgiurl` if set); only allowing
+  ikiwiki's [[CGI]] to authenticate. If you have multiple ikiwiki instances,
+  or other things using openid on the same site, you may choose to put them
+  all in the same realm to improve the user's openid experience.
+
+* `openid_cgiurl` can be used to cause a different than usual `cgiurl`
+  to be used when doing openid authentication. The `openid_cgiurl` must
+  point to an ikiwiki [[CGI]], and it will need to match the `openid_realm`
+  to work.
-- 
cgit v1.2.3