Difference between revisions of "OpenID"
Jump to navigation
Jump to search
m |
|||
(31 intermediate revisions by 3 users not shown) | |||
Line 4: | Line 4: | ||
* [http://openid.net/developers/specs/ Specifications] |
* [http://openid.net/developers/specs/ Specifications] |
||
* [http://www.openidenabled.com/resources/openid-test/checkup Check your OpenID] |
* [http://www.openidenabled.com/resources/openid-test/checkup Check your OpenID] |
||
+ | * [http://www.readwriteweb.com/archives/openid_status_check_a_guide_to_openid.php OpenID Status Check: A Guide to Getting and Using Your OpenID] |
||
+ | |||
+ | ==Understanding== |
||
+ | * http://leancode.com/2007/02/23/openid-protocol-diagram |
||
+ | * http://wiki.openid.net/Introduction |
||
+ | * http://www.theserverside.com/tt/articles/article.tss?l=OpenID |
||
==Identity provider (OpenID provider)== |
==Identity provider (OpenID provider)== |
||
+ | ===Service providers=== |
||
− | Either your own server a service provider offering the service |
||
+ | * [http://openid.net/get/ Big ones] |
||
⚫ | |||
+ | * [http://www.readwriteweb.com/archives/flickr_to_authenticate_openid.php Flickr] should become one soon... |
||
+ | * [http://openid.openminds.be/ OpenMinds] is probably the first Belgian provider |
||
+ | * Estonians can use [https://openid.ee/about/english their eID as OpenID]<br>According to [http://www.sakimura.org/en/modules/wordpress/index.php?p=18 this blog] this should cover other European countries such as Belgium as well |
||
+ | * Why Belgium government doesn't provide OpenID through [[Belgian eID|eID]] as well?? |
||
+ | * Actually it seems [http://openeid.be someone] will propose it soon but it's US based! |
||
+ | * Ok [[OpenID-eID|let's try ourselves]] |
||
+ | * [https://openid.trustbearer.com/ TrustBearer OpenID] supports the Belgian eID, as well as several other smart card and biometric devices as authentication tokens. See a demo using the Belgian eID [http://blog.rootshell.be/2008/04/28/openid-and-belgian-eid/ here]. |
||
+ | |||
+ | ===Be your own!=== |
||
⚫ | |||
+ | ** Standalone, single user, OpenID Identity Provider |
||
+ | ** Very easy to set up! |
||
+ | ** Authentication based on HTTP Digest |
||
+ | ** Supports also [http://pavatar.com/ pavatar] and [http://www.microid.org/ MicroID] |
||
+ | ** You'd better use it with php5 as php4 is lackind the modpow operation and the emulation is very slow. |
||
+ | * Here is a patch [{{#file: MyID.php.patch}} (you can download it here)] to switch to HTTPS before you type your password, on top of HTTP Digest. |
||
+ | <source lang=diff> |
||
+ | --- MyID.php.orig 2008-04-25 23:07:13.000000000 +0200 |
||
+ | +++ MyID.php 2008-04-25 23:36:09.000000000 +0200 |
||
+ | @@ -203,6 +203,9 @@ |
||
+ | if (! isset($_SESSION['post_auth_url']) || ! isset($_SESSION['cancel_auth_url'])) |
||
+ | error_500('You may not access this mode directly.'); |
||
+ | |||
+ | + if( $_SERVER['HTTPS'] != 'on') { |
||
+ | + wrap_refresh('https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']); |
||
+ | + } |
||
+ | // try to get the digest headers - what a PITA! |
||
+ | if (function_exists('apache_request_headers') && ini_get('safe_mode') == false) { |
||
+ | $arh = apache_request_headers(); |
||
+ | @@ -453,7 +456,7 @@ |
||
+ | ); |
||
+ | |||
+ | // if the user is not logged in, transfer to the authorization mode |
||
+ | - if ($profile['authorized'] === false || $identity != $_SESSION['auth_url']) { |
||
+ | + if ($profile['authorized'] === false || str_replace($GLOBALS['proto'], "https", $identity) != $_SESSION['auth_url']) { |
||
+ | // users can only be logged in to one url at a time |
||
+ | $_SESSION['auth_username'] = null; |
||
+ | $_SESSION['auth_url'] = null; |
||
+ | @@ -469,7 +472,7 @@ |
||
+ | debug('Post URL: ' . $_SESSION['post_auth_url']); |
||
+ | |||
+ | $q = strpos($profile['idp_url'], '?') ? '&' : '?'; |
||
+ | - wrap_refresh($profile['idp_url'] . $q . 'openid.mode=authorize'); |
||
+ | + wrap_refresh(str_replace($GLOBALS['proto'], "https", $profile['idp_url']) . $q . 'openid.mode=authorize'); |
||
+ | } else { |
||
+ | $keys['user_setup_url'] = $profile['idp_url']; |
||
+ | } |
||
+ | </source> |
||
+ | |||
===Recipes=== |
===Recipes=== |
||
* There is an example given with [http://www.openidenabled.com/php-openid/ php-openid]<br>apt-get install php-openid |
* There is an example given with [http://www.openidenabled.com/php-openid/ php-openid]<br>apt-get install php-openid |
||
− | * [http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers OpenId for non-SuperUsers], using phpMyID |
+ | * [http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers OpenId for non-SuperUsers], using phpMyID, a fallback OpenID service provider and some delegation so you can use e.g. your blog URI as identity. |
==Relying Party (Consumer)== |
==Relying Party (Consumer)== |
||
Line 20: | Line 75: | ||
* [http://developer.yahoo.com/openid/ by Yahoo!] |
* [http://developer.yahoo.com/openid/ by Yahoo!] |
||
* [http://www.plaxo.com/api/openid_recipe by Plaxo] |
* [http://www.plaxo.com/api/openid_recipe by Plaxo] |
||
+ | ===My services=== |
||
+ | * I added [[MediaWiki#OpenID_support|OpenID support]] to this wiki. |
||
+ | * To add it to Wordpress, see [[Wordpress#OpenID|here]] |
||
+ | |||
+ | ==End User (OpenID Client)== |
||
+ | * The perl module [http://www.yobi.be/files/HTTP-OpenID-0.01.tar.gz HTTP::OpenID] implements part of an HTTP Client to perform an OpenID login. |
||
==Libraries== |
==Libraries== |
||
* [http://www.openidenabled.com/ PHP, Python & Ruby], also available in Debian |
* [http://www.openidenabled.com/ PHP, Python & Ruby], also available in Debian |
||
+ | * CPAN Perl modules [http://search.cpan.org/perldoc?Net%3A%3AOpenID%3A%3AServer Net::OpenID::Server] & [http://search.cpan.org/perldoc?Net%3A%3AOpenID%3A%3AConsumer Net::OpenID::Consumer], also available in Debian |
||
+ | |||
==Security== |
==Security== |
||
− | Some are worrying about easier phishing attacks as the relying party could redirect you to another identity provider than yours.<br>That's why it's good to have diversity and to have your own identity provider hosted at your own server, with your own style and your own authentication method<br>If there will be phishing, that will occur for the big OpenID providers |
+ | Some are worrying about easier phishing attacks as the relying party could redirect you to another identity provider than yours.<br>That's why it's good to have diversity and to have your own identity provider hosted at your own server, with your own style and your own authentication method<br>If there will be phishing, that will occur for the big OpenID providers. |
+ | <br>But if you're using a self-signed SSL identity server, for sure man-in-the-middle SSL attack can occur much more easily so don't rely on it! |
||
+ | <br>Using [http://en.wikipedia.org/wiki/Digest_access_authentication Digest access authentication] through e.g. [http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html Apache AuthDigest] over HTTP is probably a much better idea than Basic access authentication over HTTPS. |
Latest revision as of 21:33, 24 November 2010
Links
- OpenID
- in wikipedia
- Specifications
- Check your OpenID
- OpenID Status Check: A Guide to Getting and Using Your OpenID
Understanding
- http://leancode.com/2007/02/23/openid-protocol-diagram
- http://wiki.openid.net/Introduction
- http://www.theserverside.com/tt/articles/article.tss?l=OpenID
Identity provider (OpenID provider)
Service providers
- Big ones
- Flickr should become one soon...
- OpenMinds is probably the first Belgian provider
- Estonians can use their eID as OpenID
According to this blog this should cover other European countries such as Belgium as well - Why Belgium government doesn't provide OpenID through eID as well??
- Actually it seems someone will propose it soon but it's US based!
- Ok let's try ourselves
- TrustBearer OpenID supports the Belgian eID, as well as several other smart card and biometric devices as authentication tokens. See a demo using the Belgian eID here.
Be your own!
- phpMyID
- Here is a patch [{{#file: MyID.php.patch}} (you can download it here)] to switch to HTTPS before you type your password, on top of HTTP Digest.
--- MyID.php.orig 2008-04-25 23:07:13.000000000 +0200
+++ MyID.php 2008-04-25 23:36:09.000000000 +0200
@@ -203,6 +203,9 @@
if (! isset($_SESSION['post_auth_url']) || ! isset($_SESSION['cancel_auth_url']))
error_500('You may not access this mode directly.');
+ if( $_SERVER['HTTPS'] != 'on') {
+ wrap_refresh('https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
+ }
// try to get the digest headers - what a PITA!
if (function_exists('apache_request_headers') && ini_get('safe_mode') == false) {
$arh = apache_request_headers();
@@ -453,7 +456,7 @@
);
// if the user is not logged in, transfer to the authorization mode
- if ($profile['authorized'] === false || $identity != $_SESSION['auth_url']) {
+ if ($profile['authorized'] === false || str_replace($GLOBALS['proto'], "https", $identity) != $_SESSION['auth_url']) {
// users can only be logged in to one url at a time
$_SESSION['auth_username'] = null;
$_SESSION['auth_url'] = null;
@@ -469,7 +472,7 @@
debug('Post URL: ' . $_SESSION['post_auth_url']);
$q = strpos($profile['idp_url'], '?') ? '&' : '?';
- wrap_refresh($profile['idp_url'] . $q . 'openid.mode=authorize');
+ wrap_refresh(str_replace($GLOBALS['proto'], "https", $profile['idp_url']) . $q . 'openid.mode=authorize');
} else {
$keys['user_setup_url'] = $profile['idp_url'];
}
Recipes
- There is an example given with php-openid
apt-get install php-openid - OpenId for non-SuperUsers, using phpMyID, a fallback OpenID service provider and some delegation so you can use e.g. your blog URI as identity.
Relying Party (Consumer)
Mod Auth OpenID for Apache
apt-get install libapache2-mod-auth-openid
- Customizing the login page, I mean the prompt for OpenID URI
- FAQ
Recipes
My services
- I added OpenID support to this wiki.
- To add it to Wordpress, see here
End User (OpenID Client)
- The perl module HTTP::OpenID implements part of an HTTP Client to perform an OpenID login.
Libraries
- PHP, Python & Ruby, also available in Debian
- CPAN Perl modules Net::OpenID::Server & Net::OpenID::Consumer, also available in Debian
Security
Some are worrying about easier phishing attacks as the relying party could redirect you to another identity provider than yours.
That's why it's good to have diversity and to have your own identity provider hosted at your own server, with your own style and your own authentication method
If there will be phishing, that will occur for the big OpenID providers.
But if you're using a self-signed SSL identity server, for sure man-in-the-middle SSL attack can occur much more easily so don't rely on it!
Using Digest access authentication through e.g. Apache AuthDigest over HTTP is probably a much better idea than Basic access authentication over HTTPS.