Use POST instead of GET for OpenID check_authentication.
authorBen Darnell <ben@bendarnell.com>
Thu, 5 Aug 2010 00:42:07 +0000 (17:42 -0700)
committerBen Darnell <ben@bendarnell.com>
Thu, 5 Aug 2010 00:42:07 +0000 (17:42 -0700)
Google apparently doesn't check for this, but other OpenID providers do.

tornado/auth.py

index a410173ef8d33531f971251d12bce3b1236e1b40..2695cc1f1e77bd18faf988c0b20d9c44eb34356b 100644 (file)
@@ -89,10 +89,11 @@ class OpenIdMixin(object):
         # Verify the OpenID response via direct request to the OP
         args = dict((k, v[-1]) for k, v in self.request.arguments.iteritems())
         args["openid.mode"] = u"check_authentication"
-        url = self._OPENID_ENDPOINT + "?" + urllib.urlencode(args)
+        url = self._OPENID_ENDPOINT
         http = httpclient.AsyncHTTPClient()
         http.fetch(url, self.async_callback(
-            self._on_authentication_verified, callback))
+            self._on_authentication_verified, callback),
+            method="POST", body=urllib.urlencode(args))
 
     def _openid_args(self, callback_uri, ax_attrs=[], oauth_scope=None):
         url = urlparse.urljoin(self.request.full_url(), callback_uri)
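Review bot: The new POST body is `urllib.urlencode(args)`, but `args` (the unchanged context line above the change) still copies every argument of the callback request rather than only the `openid.*` fields of the assertion. Any application parameter carried on the callback URL is therefore forwarded to the OP; filtering with `args = dict((k, v[-1]) for k, v in self.request.arguments.iteritems() if k.startswith("openid."))` would limit the verification request to the assertion fields. The fetch also appears to rely on the HTTP client's default Content-Type for the form body; if that default is not guaranteed, passing `headers={"Content-Type": "application/x-www-form-urlencoded"}` would make it explicit. The enclosing method starts above the hunk, so how `_on_authentication_verified` treats the provider's reply is not visible here.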