I'm trying to build a personal OpenID-based online identity using my domain name as identifier. I want to be able to accomplish all this:
Make http://alvaro.es/ my identifier.
Be able to switch providers transparently.
Log into any third-party site that accepts OpenID.
Be able to provide personal details (e-mail, time zone, avatar...) and get prompted whether to send them or not to sites that request them.
Accept OpenID in my own (PHP-powered) sites without the need of purchasing SSL hosting.
I've read the usual doc and I've been evaluating several OpenID providers (Google, Yahoo, myOpenID... and even running my own server). The fact is that I've been using OpenID for a while and:
Providers offer very scarce documentation or none at all.
No matter what provider I choose, there are always sites where log-in fails (typically without an error message).
I have little control (or none at all) on the identifier returned by the provider.
I still can't understand how all this really works.
I'm looking for general advice but I understand that can be subjective so I'll make a few specific questions.
So far, I'm trying out myOpenId as provider and LightOpenID as consumer. My questions are:
My URL provides an HTTP header:
X-XRDS-Location: http://kalvaro.myopenid.com/?xrds=1
... and the following HTML tags:
<link rel="openid.server openid2.provider" href="http://www.myopenid.com/server">
<link rel="openid.delegate openid2.local_id" href="http://kalvaro.myopenid.com">
Is it correct? Is it enough?
myOpenID provides Your Domains, a feature to register your own domain name but I haven't dared to test it (it needs changes to the DNS) and the configuration form suggests I have to choose between http://openid.alvaro.es/username and http://username.alvaro.es/ as identifier (not http://alvaro.es/). However, Stackoverflow still reports alvaro.es as my identifier without this feature. Do I need to use it?
When implementing LightOpenID, I match the local user against $openid->identity (where $openid is the instance of the LightOpenID object). This attribute appears to be the URL supplied by the user. Is it correct?
Are there more adequate providers or consumer libraries than the ones I chose?
It is correct. It is more than enough. While providing an X-XRDS-Location is a good thing, as it speeds up the discovery process, it isn't strictly necessary.
As far as I understand it, "Your Domains" is useful when you want to have multiple accounts in your domain. Anyway, you don't need to use it at all.
It is correct. The URL is also called a Claimed Identifier, i.e. what the user claims to be.
As the author of LightOpenID, my answer is obvious and possibly biased -- I've created it, because I couldn't find a good, existing library.
Other things you might want to know:
Delegation won't work with Google, and any other provider who uses select_identifier (i.e. each account has the same url, and then the provider asks you for your login).
Your delegation, as shown in 1., will let you switch providers transparently and log in to any site that supports OpenID, just as you want.
As for the personal details, it depends completely on the provider, whether it sends them or not, what kind of personal information it supports, etc. For example, Google doesn't let you choose what to send, only whether to send something (and everything the website claims to require) at all.
Some implementations are buggy and indeed fail. Try logging in for a second time, it works sometimes.
The identifier returned by your provider shouldn't matter if you use delegation. The website you're logging into should use your claimed identifier.
As for how the openid works, see some answers to that question on SO.
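The answer above says the two link tags plus the optional X-XRDS-Location header are enough. What a consumer does with them, and what it must re-check when the provider sends the user back, is easier to see in code. The following is an added example written for this page in Python; it is not LightOpenID's code, and `discover_from_html`, `verify_assertion` and the embedded sample page (built from the tags quoted in the question) are constructed for the illustration. It handles both the OpenID 2.0 (`openid2.*`) and the OpenID 1.1 (`openid.*`) link forms and, as a practitioner would want, shows the discovery-verification check that stops a provider from asserting an identifier it was never delegated.

```python
from html.parser import HTMLParser


class _OpenIDLinkParser(HTMLParser):
    """Collects <link rel=... href=...> pairs; rel may hold several tokens."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if not rel or not href:
            return
        for token in rel.lower().split():
            self.rels.setdefault(token, href)  # first occurrence wins (spec rule)


def discover_from_html(claimed_id, html, headers=None):
    """HTML-based discovery (OpenID 2.0 sec. 7.3.3, with the 1.1 fallback).

    Returns what the consumer must remember across the round trip: the
    claimed identifier the user typed, the OP endpoint, the OP-local
    identifier (the delegate), the protocol version and any Yadis XRDS
    location advertised in the HTTP headers.
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    p = _OpenIDLinkParser()
    p.feed(html)
    rels = p.rels
    if "openid2.provider" in rels:
        version, endpoint = 2, rels["openid2.provider"]
        local_id = rels.get("openid2.local_id", claimed_id)
    elif "openid.server" in rels:
        version, endpoint = 1, rels["openid.server"]
        local_id = rels.get("openid.delegate", claimed_id)
    else:
        raise ValueError("no OpenID link elements found")
    return {
        "claimed_id": claimed_id,
        "op_endpoint": endpoint,
        "op_local_id": local_id,
        "version": version,
        "xrds_location": headers.get("x-xrds-location"),
    }


def verify_assertion(discovered, response):
    """Discovery verification (OpenID 2.0 sec. 11.2): the positive assertion
    must name the endpoint, claimed id and local id we discovered ourselves.
    Signature checking (sec. 11.4) is a separate step not shown here."""
    return (
        response.get("openid.mode") == "id_res"
        and response.get("openid.op_endpoint") == discovered["op_endpoint"]
        and response.get("openid.claimed_id") == discovered["claimed_id"]
        and response.get("openid.identity") == discovered["op_local_id"]
    )


# Constructed sample: the page and header from the question above.
SAMPLE_HTML = """<html><head>
<link rel="openid.server openid2.provider" href="http://www.myopenid.com/server">
<link rel="openid.delegate openid2.local_id" href="http://kalvaro.myopenid.com">
</head><body></body></html>"""
SAMPLE_HEADERS = {"X-XRDS-Location": "http://kalvaro.myopenid.com/?xrds=1"}

if __name__ == "__main__":
    d = discover_from_html("http://alvaro.es/", SAMPLE_HTML, SAMPLE_HEADERS)
    print(d)
```

The consumer keys the local user on `discovered["claimed_id"]` (the URL the user typed), exactly as the answer says; `verify_assertion` is the extra check that the returned `openid.identity` is the delegate found during discovery and not some other account at the same provider.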
I have 2 sites (example.com, ex2.com). Physically it is 1 site with 1 DB. When a user signs in at ex2.com, he should be signed in at example.com too. How do I do this?
P.S. Can I do this with ZF?
I found a very interesting article on this topic. The author gives some ideas how to implement Multidomain authentication.
http://codeutopia.net/blog/2008/09/25/sharing-authentication-over-multiple-sites-single-sign-on/
Have you looked into OpenID? You could lock OpenID consumer "ex2" to allow logins only from your "example.com" OpenID provider.
I am also digging the subject. Some time ago, I already did my own implementation and got it terribly wrong.
At the moment I am wondering whether to set up my own OpenID provider and lock the consumer sites to accept only it. Another alternative would be yet another implementation of my own with a CAS-style setup, where only a hash is passed via the browser, and the user verification is done server-to-server in the background using the hash as a disposable key.
I am not yet sure which one to pick or would some third alternative be better.
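The CAS-style setup described in the answer above (only a disposable token crosses the browser; the consuming site confirms it server-to-server) is small enough to show end to end. The following is an added example written for this page in Python, not code from CAS, Zend Framework or anyone in the thread; `LoginHub`, `ConsumerSite` and the site names are constructed, and the back-channel validation is a direct method call standing in for the HTTPS request the consuming site would make in practice. It enforces the three properties that make the token safe to pass through the browser: single use, short lifetime, and binding to the site that redeems it.

```python
import secrets
import time


class LoginHub:
    """Central login site (plays example.com). Holds the real session and
    hands out opaque, single-use, short-lived tickets bound to one site."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._tickets = {}  # ticket -> (username, service, expires_at)

    def issue_ticket(self, username, service, now=None):
        """Called after the user authenticated here. The ticket goes into the
        redirect back to `service`; the username itself never does."""
        now = time.time() if now is None else now
        ticket = "ST-" + secrets.token_urlsafe(32)
        self._tickets[ticket] = (username, service, now + self.ttl)
        return ticket

    def validate(self, ticket, service, now=None):
        """Back-channel call from the consuming site. The ticket is popped
        before any check, so a replay or a racing second validation fails."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        username, bound_service, expires_at = entry
        if bound_service != service or now > expires_at:
            return None
        return username


class ConsumerSite:
    """Plays ex2.com: trusts nothing from the browser except the ticket, and
    only once the hub has confirmed it server-to-server."""

    def __init__(self, name, hub):
        self.name = name
        self.hub = hub
        self.sessions = {}  # local session id -> username

    def handle_return(self, ticket, now=None):
        """Entry point for the redirect URL carrying ?ticket=... Returns the
        new local session id, or None if the ticket is bad in any way."""
        username = self.hub.validate(ticket, self.name, now)
        if username is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = username
        return session_id


if __name__ == "__main__":
    hub = LoginHub()
    ex2 = ConsumerSite("ex2.com", hub)
    t = hub.issue_ticket("alice", "ex2.com")      # user logged in at example.com
    print("first use :", ex2.handle_return(t))    # a session id
    print("replay    :", ex2.handle_return(t))    # None
```

Because validation consumes the ticket, a stolen URL is worthless once the legitimate browser has followed it, and because the ticket is bound to `service`, a ticket minted for one consumer site cannot be redeemed at another one sharing the same hub.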
You could take a look into something like http://cosign.sourceforge.net/. Cosign enables you to create a single point of login for multiple sites. It's not specific to Zend but should work.
I am looking to create listserv functionality for my website in the style of Google Groups. That is, someone creates a group and thus a group email address is born. Should I be using a catch-all, or should I come up with some way to automatically create a mailbox when someone creates a group?
That really depends on your mail server setup. Your mail server might allow the easy ad hoc account creation, or it might not.
Have you considered using any of the widely-used open source programs (e.g. Mailman) that do exactly what you are describing instead of rolling your own? I would consider it, because people tend to expect mail to work in a particular way, and get a bit upset if it doesn't.
I'm trying to implement an OpenID server in PHP that supports identifier selection (some call this directed identity, which is actually a more specific case of identifier selection). That is, a user can enter a generic URI as their OpenID identifier, log in, and choose what identifier to return to the OpenID consumer.
For example, if a user enters mysite.com as their identifier, after they log in they would be prompted to return one of two identifiers to the OpenID consumer (perhaps mysite.com/myusername or mysite.com/anon-ad83f38c98b98).
The advantage of this system is that you have the option to either use a single identifier among many sites, or use unique identifiers for individual sites.
Anyway—I haven't been able to find a good tutorial on how to implement this portion of the OpenID spec in PHP. In fact, most searches led me to unanswered questions on forums or even on stack overflow. Does anyone know of a PHP library that can handle identifier selection or directed identity? If so, are there any tutorials out there explaining how to set it up? I've been playing with a few libraries that don't mention it one way or the other, but I haven't been able to get it working yet.
Any help is greatly appreciated.
The documentation is useless. Have you had a look at the Janrain libraries? They have a consumer which I have successfully implemented and also server code which I presume is implementable. Have a look at the Yadis\XRIRes and Yadis\XRI files, you may have to reverse engineer their code - that's what I had to do to figure out the consumer. I'm currently looking into implementing a server but can't find anything worthwhile yet.
http://openidenabled.com/files/php-openid/docs/2.1.3/OpenID/Auth_Yadis_Yadis.html
php-openid v2 is certainly capable. And really, how you interact with the library changes rather little when you add identifier selection. When you get your Auth_OpenID_CheckIDRequest, you can check its idSelect method to see if it's a case for identifier selection. Then pass the selected identity to Auth_OpenID_CheckIDRequest.answer().
The only other bit is to make sure that you advertise what the spec terms an "OP Identifier Element" on mysite.com/. If you're serving XRDS pages for your user identifiers already, this works the same way, just with a different Type URL. If you're not (you just have HTML-based discovery with link elements), you might want to look at myopenid's HTTP headers for an example.
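To make the two pieces of that answer concrete (the OP Identifier Element served at the generic URI, and the server filling in the identifier the user picked), here is an added example written for this page in Python. It is not php-openid's API, which the answer above describes; it spells out what that library does for you so the flow is visible. `OP_ENDPOINT`, the function names, the example identifiers (taken from the question) and the constructed request are assumptions for the illustration. The response is signed the way OpenID 2.0 specifies (HMAC over the key-value form of the `openid.signed` fields), and the server refuses to assert an identifier the logged-in user does not own.

```python
import base64
import hashlib
import hmac
import secrets
import time

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP_ENDPOINT = "http://mysite.com/openid/server"  # assumed endpoint for this example


def op_identifier_xrds(op_endpoint=OP_ENDPOINT):
    """XRDS to serve at the generic URI (mysite.com/). The OP Identifier
    Element has Type .../2.0/server and no LocalID, which tells the RP to
    send identifier_select; a per-user page would advertise .../2.0/signon."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">\n'
        '  <XRD>\n'
        '    <Service priority="0">\n'
        f'      <Type>{OPENID2_NS}/server</Type>\n'
        f'      <URI>{op_endpoint}</URI>\n'
        '    </Service>\n'
        '  </XRD>\n'
        '</xrds:XRDS>\n'
    )


def is_identifier_select(req):
    """True when the RP has left the choice of identifier to the OP."""
    return (
        req.get("openid.ns") == OPENID2_NS
        and req.get("openid.claimed_id") == IDENTIFIER_SELECT
        and req.get("openid.identity") == IDENTIFIER_SELECT
    )


def sign_response(mac_key, resp):
    """HMAC-SHA1 over the key-value form of the fields listed in
    openid.signed, keys without the 'openid.' prefix, in that order."""
    keys = resp["openid.signed"].split(",")
    data = "".join(f"{k}:{resp['openid.' + k]}\n" for k in keys)
    digest = hmac.new(mac_key, data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(mac_key, resp):
    return hmac.compare_digest(sign_response(mac_key, resp), resp["openid.sig"])


def answer_checkid(req, user_identities, chosen, assoc_handle, mac_key, now=None):
    """Positive assertion for an identifier_select request. Both
    openid.claimed_id and openid.identity become the identifier the user
    chose, which must be one the authenticated user actually owns."""
    if not is_identifier_select(req):
        raise ValueError("not an identifier_select request")
    if chosen not in user_identities:
        raise ValueError("user does not own the selected identifier")
    now = int(time.time()) if now is None else int(now)
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)) + secrets.token_urlsafe(6)
    resp = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": chosen,
        "openid.identity": chosen,
        "openid.return_to": req["openid.return_to"],
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    resp["openid.sig"] = sign_response(mac_key, resp)
    return resp


if __name__ == "__main__":
    # Constructed checkid_setup request as an RP would send it after
    # discovering the OP Identifier Element above.
    req = {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
           "openid.claimed_id": IDENTIFIER_SELECT, "openid.identity": IDENTIFIER_SELECT,
           "openid.return_to": "http://rp.example/finish", "openid.realm": "http://rp.example/"}
    owned = ["http://mysite.com/myusername", "http://mysite.com/anon-ad83f38c98b98"]
    print(answer_checkid(req, owned, owned[1], "assoc-1", b"\x01" * 20))
```

The `chosen not in user_identities` check is the part people forget when they write their own server: the selection form is a user-controlled input, and without it a logged-in user could assert any identifier under the domain.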
I am wondering if it is possible to request more information besides email from Google and get the name of the user also?
I am using the JanRain OpenID PHP script.
Thank you
No, it isn't possible. Google only releases the user's email address. Their server is set up to never give out any more information than that:
See their OpenID page for developers to learn more:
http://code.google.com/apis/accounts/docs/OpenID.html
Search for OpenID Attribute Exchange -- that's what you want.
basic overview
formal specification
We haven't looked at it in a while (6 months?) but it was quite rough when we did. Hopefully things have improved since then.
More resources:
http://www.google.com/search?q=openid+attribute+exchange
I normally read the manual only when truly defeated. For 3 days, I have tried different ways to fetch user attributes from those two giant OpenID providers, but only managed to fetch the "email" attribute from Google and absolutely nothing from Yahoo. And then I had to read the dreaded manual, even those vague OpenID specifications.
So why implement a standard and not fully support it? Why pretend that there is any viability to OpenID if the big parties will not cooperate with the smaller parties when it comes to information exchange.
I guess the basic sign up and sign in process wins after all... Who really needs to know about XRIs and URLs anyway?
You're not supposed to rely on any user information anyway. See if it's part of the OP's reply, and if it isn't, provide the user with a form where he can complete the required fields.
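The answers above make two points: attributes beyond the identifier come through OpenID Attribute Exchange, and a consumer must cope with the provider returning fewer of them than it asked for (the Google and Yahoo experience described in the last two posts). The following is an added example written for this page in Python; it is not the JanRain library's code, and `ax_fetch_request`, `ax_parse_response`, `missing_attributes` and the embedded sample response (constructed to mimic a provider that releases only the email address) are assumptions for the illustration. It also applies a check practitioners tend to skip: an attribute is accepted only if its keys are listed in `openid.signed`, since anything outside the signed set could have been appended by the browser.

```python
AX_NS = "http://openid.net/srv/ax/1.0"

# A few axschema.org type URIs; the names on the left are just our aliases.
AX_TYPES = {
    "email": "http://axschema.org/contact/email",
    "firstname": "http://axschema.org/namePerson/first",
    "lastname": "http://axschema.org/namePerson/last",
}


def ax_fetch_request(required=(), if_available=(), alias="ax"):
    """Parameters to merge into the checkid_setup request (AX 1.0 fetch_request)."""
    params = {
        f"openid.ns.{alias}": AX_NS,
        f"openid.{alias}.mode": "fetch_request",
    }
    for name in (*required, *if_available):
        params[f"openid.{alias}.type.{name}"] = AX_TYPES[name]
    if required:
        params[f"openid.{alias}.required"] = ",".join(required)
    if if_available:
        params[f"openid.{alias}.if_available"] = ",".join(if_available)
    return params


def ax_parse_response(resp):
    """Extract {type_uri: [values]} from a positive assertion.

    The OP chooses its own alias for the AX namespace, so locate it through
    openid.ns.*. Only attributes whose type and value keys are covered by
    openid.signed are accepted; count.<alias> = 0 means 'not available'.
    """
    alias = next(
        (k[len("openid.ns."):] for k, v in resp.items()
         if k.startswith("openid.ns.") and v == AX_NS),
        None,
    )
    if alias is None or resp.get(f"openid.{alias}.mode") != "fetch_response":
        return {}
    signed = set(resp.get("openid.signed", "").split(","))
    prefix = f"openid.{alias}."
    tprefix = prefix + "type."
    out = {}
    for key, type_uri in resp.items():
        if not key.startswith(tprefix) or key[len("openid."):] not in signed:
            continue
        a = key[len(tprefix):]
        count = resp.get(f"{prefix}count.{a}")
        if count is None:
            value_keys = [f"{prefix}value.{a}"]
        else:
            value_keys = [f"{prefix}value.{a}.{i}" for i in range(1, int(count) + 1)]
        values = [resp[vk] for vk in value_keys
                  if vk in resp and vk[len("openid."):] in signed]
        if values:
            out[type_uri] = values
    return out


def missing_attributes(fetched, wanted):
    """Names the site must still collect from the user with its own form."""
    return [name for name in wanted if AX_TYPES[name] not in fetched]


# Constructed sample: an OP that honours the request but releases only the
# address. openid.sig is left out here; it is verified before AX parsing.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "someone@example.com",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email",
}

if __name__ == "__main__":
    print(ax_fetch_request(required=("email",), if_available=("firstname", "lastname")))
    got = ax_parse_response(SAMPLE_RESPONSE)
    print(got, "still needed:", missing_attributes(got, ["email", "firstname"]))
```

`missing_attributes` is the hook for the fallback form the last answer recommends: whatever the provider withheld, the site asks the user for directly instead of failing the login.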
this is the scenario:
multiple web systems (mostly lampp/wampp) exist, most of them with separate login information, (some share it). We're considering the benefits/disadvantages of unifying them somehow, or at least making handling the user administration parts easier.
Due to the nature of some systems (it's a mixed bag of custom OSS systems, internally developed software and 3rd-party commercial software) we can't unify all login screens into a single screen.
An idea passed around is a sort of login master brain where we can control all user name creation, permissions, inactivation, etc. This will still make people have to manually log in to every system, but at least it'll make the administrative load of user management easier.
Are there any known solutions to this kind of problem that involve (necessarily, it could be considered) changing the least amount of code/systems possible?
Edit: OpenID doesn't work for us since we have different login needs and there are some systems where we can't directly control how they handle the login process (but we can control the users/passwords).
What we did was to centralise all login details in one repository (Active Directory for us), then wrote a C# library to authenticate, with wrappers for all the languages we programmed in (PHP, C, .NET, etc.), and then just wrote some glue code in the appropriate place for each application. Aside from our in-house apps, we successfully logged into Mediawiki, Subversion, ActiveCollab and Apache this way.
It does involve writing a reasonable amount of code, but not ridiculous amounts, and it will work for the future as well. I can't see a practical solution which would be easier than this.
Reading your question I note that this is more-or-less what you're thinking anyway, but it will work!
There is a big industry around it and it is called IAM - Identity Access Management. IAM solutions basically do what you want - manage users and user permissions and translate their internal state to the multitude of systems. Depending on the possibility of integration, you might have "SSO" - Single Sign On for some software, or you could have a Single Source of Authentication. The former differs from the latter in that with SSO the user needs to punch in the credentials once, while with the latter he only has the same login and password combo.
Also, IAM would manage user rights to the extent of its possibilities. For example, a piece of network equipment can only support one user/password. Then the IAM solution would automatically open a terminal and log the user on when he/she requests it, assuming the user is in the right security group.
Implementing an IAM solution could go a long way to ease systems management.
I can't recommend any particular solution, just bear in mind that transition from current method to IAM will require more than integration with different software, but also some change in corporate culture as one system will bind all others.
A lot of people seem to like OpenID for this sort of thing. I'm not sure on its intranet capabilities though.
Another idea is using your "brain" system to pass authenticated username to the sister/brother applications as a form post, then handle authentication on that system and create their security tickets with what was sent.
Hope you find what you're looking for!
Cheers!