From: Ben Darnell <ben@bendarnell.com>
Date: Thu, 5 Aug 2010 00:42:07 +0000 (-0700)
Subject: Use POST instead of GET for OpenID check_authentication.
X-Git-Tag: v1.1.0~48
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5bd0c066afee37609156d1ac465057a726afcd4;p=thirdparty%2Ftornado.git

Use POST instead of GET for OpenID check_authentication.

Google apparently doesn't check for this, but other OpenID providers do.
---

diff --git a/tornado/auth.py b/tornado/auth.py
index a410173ef..2695cc1f1 100644
--- a/tornado/auth.py
+++ b/tornado/auth.py
@@ -89,10 +89,11 @@ class OpenIdMixin(object):
         # Verify the OpenID response via direct request to the OP
         args = dict((k, v[-1]) for k, v in self.request.arguments.iteritems())
         args["openid.mode"] = u"check_authentication"
-        url = self._OPENID_ENDPOINT + "?" + urllib.urlencode(args)
+        url = self._OPENID_ENDPOINT
         http = httpclient.AsyncHTTPClient()
         http.fetch(url, self.async_callback(
-            self._on_authentication_verified, callback))
+            self._on_authentication_verified, callback),
+            method="POST", body=urllib.urlencode(args))
 
     def _openid_args(self, callback_uri, ax_attrs=[], oauth_scope=None):
         url = urlparse.urljoin(self.request.full_url(), callback_uri)