Difference between revisions of "OpenID"
m (→Security) |
m (→Security) |
||
Line 29: | Line 29: | ||
Some are worrying about easier phishing attacks as the relying party could redirect you to another identity provider than yours.<br>That's why it's good to have diversity and to have your own identity provider hosted at your own server, with your own style and your own authentication method<br>If there will be phishing, that will occur for the big OpenID providers. |
Some are worrying about easier phishing attacks as the relying party could redirect you to another identity provider than yours.<br>That's why it's good to have diversity and to have your own identity provider hosted at your own server, with your own style and your own authentication method<br>If there will be phishing, that will occur for the big OpenID providers. |
||
<br>But if you're using a self-signed SSL identity server, for sure man-in-the-middle SSL attack can occur much more easily so don't rely on it! |
<br>But if you're using a self-signed SSL identity server, for sure man-in-the-middle SSL attack can occur much more easily so don't rely on it! |
||
− | <br>Using [http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html |
+ | <br>Using [http://en.wikipedia.org/wiki/Digest_access_authentication Digest access authentication] through e.g. [http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html Apache AuthDigest] over HTTP is probably a much better idea than Basic access authentication over HTTPS. |
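Review bot: the added sentence on line 29 prefers Digest over HTTP to Basic over HTTPS without saying under which conditions. It follows directly after the self-signed SSL warning, so a reader cannot tell whether the comparison is meant only for that self-signed case or in general. Suggest stating the assumption in the sentence itself and giving the reason for the preference. The removed line on the left also ends right after the mod_auth_digest URL, so the old link text is not visible for comparison.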
Revision as of 23:09, 15 February 2008
Links
Identity provider (OpenID provider)
Service providers
Be your own!
- phpMyID is a standalone, single user, OpenID Identity Provider.
Recipes
- There is an example given with php-openid
apt-get install php-openid
- OpenId for non-SuperUsers, using phpMyID
Relying Party (Consumer)
Mod Auth OpenID for Apache
apt-get install libapache2-mod-auth-openid
- Customizing the login page, I mean the prompt for OpenID URI
- FAQ
Recipes
Libraries
- PHP, Python & Ruby, also available in Debian
Security
Some worry that OpenID makes phishing easier, since the relying party could redirect you to an identity provider other than your own.
That's why it's good to have diversity and to host your own identity provider on your own server, with your own style and your own authentication method.
If phishing does occur, it will target the big OpenID providers.
But if your identity server uses a self-signed SSL certificate, a man-in-the-middle SSL attack can occur much more easily, so don't rely on it!
Using Digest access authentication through e.g. Apache AuthDigest over HTTP is probably a much better idea than Basic access authentication over HTTPS.