Authorization and OpenID SSO

Decide whether a user who has already been authenticated by OpenID SSO may access a Genero application.

An external program serves as the authorization application. It can be written in Genero, but it does not have to be: any executable that follows the argument and exit-status contract described below can be used.

The authorization program receives two mandatory arguments, followed by the list of OpenID attributes received from the OpenID provider. The attributes are passed as alternating name and value arguments, in the order given by the ATTRIBUTES element of the application configuration. Because these values come from the provider, treat them as untrusted input.

Examples of parameters passed to a 4GL authorization program:

fglrun AccessProgram genero-user.pip.verisignlabs.com "qa-test/application" "fullname" "genero test" "email" "genero@4js.com" "country" "France"

The application AccessProgram.4gl in $FGLDIR/web_utilities/services/openid provides an example of an authorization application written in Genero.

With the Genero OpenID implementation, you can specify an external program to determine whether an already authenticated user can access a Genero Web application.

If the AUTHORIZATION tag is not defined, any user authenticated by an OpenID provider can access the Genero Web application: authentication only establishes who the user is, not whether that user should be allowed into this application. It is therefore recommended that you add an authorization program.

  1. Add an AUTHORIZATION element as a child of the OpenID DELEGATE element in the application configuration (xcf) file.
  2. Within the AUTHORIZATION tag, specify the command line that launches the external authorization program.
    <?xml version="1.0"?>
    <APPLICATION Parent="defaultgwc"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/2.50/cfextwa.xsd">
      <EXECUTION>
        <PATH>$(res.path.qa)/applications/myapp</PATH>
        <MODULE>App.42r</MODULE>
        <DELEGATE service="services/OpenIDServiceProvider">
          <ATTRIBUTES>email,fullname,country</ATTRIBUTES>
          <AUTHORIZATION>fglrun AccessProgram</AUTHORIZATION>
        </DELEGATE>
      </EXECUTION>
    </APPLICATION>
The authorization program is called before access to the Web application is granted. If the program exits with a status of zero (0), access is granted to the user. Any exit status other than zero, including a crash or a failure to parse its arguments, denies access. Because the program runs on every access attempt, keep it fast, and make it fail closed: deny by default and grant only when the policy check explicitly succeeds.
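The following is an added example of a non-Genero authorization program that follows the contract described above (identity and application as the two mandatory arguments, then name/value attribute pairs, exit 0 to grant). It is not the AccessProgram.4gl shipped in $FGLDIR, and its allow-lists, attribute names and file name are assumptions made for illustration; a deployment would reference it from the AUTHORIZATION element with something like python3 /opt/gas/authz.py (also an assumption) and load its policy from a file rather than hard-coding it.

```python
#!/usr/bin/env python3
"""Hypothetical OpenID authorization program for the GAS AUTHORIZATION hook.

Invoked as:  authz.py <openid-identity> <application> [attr-name attr-value]...
Exit status 0 grants access; any other status denies it.
All policy data below is constructed for this example.
"""
import sys

# Constructed policy: which OpenID identities may open which application.
ALLOWED_IDENTITIES = {
    "genero-user.pip.verisignlabs.com": {"qa-test/application"},
}
# Constructed policy: e-mail domains required per application.
ALLOWED_EMAIL_DOMAINS = {
    "qa-test/application": {"4js.com"},
}


def parse_args(argv):
    """Split the argument list into (identity, application, attributes).

    Attributes arrive as alternating name/value arguments. An odd number of
    remaining arguments or a duplicated name is rejected instead of guessed.
    """
    if len(argv) < 2:
        raise ValueError("expected <identity> <application> [name value]...")
    identity, application = argv[0], argv[1]
    rest = argv[2:]
    if len(rest) % 2:
        raise ValueError("attribute list must be name/value pairs")
    attrs = {}
    for name, value in zip(rest[0::2], rest[1::2]):
        if name in attrs:
            raise ValueError("duplicate attribute %r" % name)
        attrs[name] = value
    return identity, application, attrs


def is_authorized(identity, application, attrs):
    """Policy decision: identity must be allow-listed for the application and
    the provider-supplied e-mail must be in an allowed domain.

    Attribute values are untrusted input from the OpenID provider: compare
    them exactly and never interpolate them into a shell or SQL command.
    """
    if application not in ALLOWED_IDENTITIES.get(identity, set()):
        return False
    email = attrs.get("email", "")
    if "@" not in email:
        return False
    domain = email.rpartition("@")[2].lower()
    return domain in ALLOWED_EMAIL_DOMAINS.get(application, set())


def main(argv):
    """Fail closed: a parse error or unexpected exception is a denial (2)."""
    try:
        identity, application, attrs = parse_args(argv)
        return 0 if is_authorized(identity, application, attrs) else 1
    except Exception as exc:
        print("authorization error: %s" % exc, file=sys.stderr)
        return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with the arguments from the fglrun example above (identity, application, then the fullname/email/country pairs) and the program exits 0; an unknown identity, a foreign e-mail domain, or a dangling attribute name all produce a non-zero status, so a malformed call from the GAS can never turn into an accidental grant.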