Date: 2006-12-07 23:02:00
openid
I've been playing with OpenID recently and put together an OpenID identity provider as a little Python script that runs as a CGI under Apache. I wanted to really understand how the protocol works so I did this without the use of any existing OpenID libraries. It turned out to be a little finicky and the current specification leaves a bit to be desired, but with just 140 lines of code I've got a working OpenID provider.

So my OpenID is now http://greg.hewgill.name (the use of .name here isn't specifically related to OpenID, it's just part of a URL). What can I do with that? There is a growing list of OpenID enabled software where I can theoretically log in with an OpenID. This means I don't have to give every random web site a password (and have to keep thinking up new ones), I can just use my OpenID knowing that nobody else can use my identity. In practice, adoption is slow but progressing well. I hope to be able to use this on sites like Wikipedia or Trademe (New Zealand's version of eBay) in the near future.

[info]brad did the initial development of OpenID a couple of years ago, so it's no surprise that Livejournal has some of the best support for it. There are two halves to this support: (1) Everybody who has a Livejournal account automatically has an OpenID today, so another OpenID that I could use is http://ghewgill.livejournal.com; (2) People who do not maintain a journal at livejournal.com can still log in to the site, create friends lists, other people can friend them, and so on.

OpenID is really good stuff and hopefully will soon be adopted everywhere. Like other wildly successful protocols such as SMTP, HTTP, and XMPP, nobody owns OpenID so the failure of one company or organisation won't render it useless. And, of course there's no money involved (unlike say, SSL).
[info]cetan
2006-12-07T14:27:32Z
I don't really understand OpenID, or at least how to roll my own, but I have used my LJ OpenID in conjunction with Zooomer and I've found the experience to be quite nice.

I wish WordPress had better support for OpenID so LJ'ers could login to post comments on my blog. Some day.
[info]ghewgill
2006-12-08T05:57:19Z
There appear to be a multitude of google hits for openid and wordpress, but some of them mention out of date plugins and varying support for wordpress versions. Hopefully something rises out of all that.
[info]taral
2006-12-07T22:36:58Z
OpenID delegation is useful. I can authenticate as http://taral.net/, and it's delegated to livejournal so I don't have to run any software on taral.net.
[info]taral
2006-12-07T22:53:35Z
60 second associations? Not nice. :(

Also, no worky with simple test:
% nc hewgill.com 80 <<END
            
POST /services/openid.py HTTP/1.0
Host: hewgill.com

openid.mode=associate
END
HTTP/1.1 200 OK
Date: Thu, 07 Dec 2006 22:52:13 GMT
Server: Apache/2.0.58 (Unix) PHP/4.3.10
Connection: close
Content-Type: text/html

<p>This is an openid server.</p>
[info]taral
2006-12-07T22:59:26Z
Hm. Apparently you have to set content-type.
[info]ghewgill
2006-12-08T05:32:00Z
Oh, yeah I had the associate set at 60 seconds for testing. I guess it could be longer than that, what's reasonable? an hour? a day? a month?

Or, I suppose I could try myself against another identity server like livejournal. :)
[info]taral
2006-12-08T06:43:30Z
It really depends. How long do you want to have to maintain the state on your end? If your design is like mine (stateless), then you can make the association infinite.
[info]ghewgill
2006-12-08T08:03:05Z
Oh, yeah my server is stateless. My code is pretty hacky, but it's pretty much self-contained. http://hewgill.com/~greg/openid.txt if you're curious. That's the sanitized version with my secrets replaced by FIXME. :)
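The stateless design the two of them are describing works because the identity provider never has to remember an association: the assoc_handle it hands out is self-authenticating, and the HMAC key is re-derived from the handle and a server secret whenever a signature has to be produced or checked. The following is an added illustration of that idea in Python (OpenID 1.1 style HMAC-SHA1 signatures over "key:value\n" token contents); it is not Greg's openid.py or taral's PHP server. SERVER_KEY, the handle layout, the derivation labels and HANDLE_LIFETIME are all choices made for this example.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed placeholder (the thread's sanitized source uses FIXME too):
# the real value must be a long random secret that never leaves the server.
SERVER_KEY = b"FIXME-replace-with-a-long-random-server-secret"

# A stateless IdP can make associations "infinite", as taral says; bounding
# the handle age is an optional extra and is a choice made for this example.
HANDLE_LIFETIME = 30 * 24 * 3600  # seconds


def _handle_tag(issued, nonce):
    """Integrity tag that proves the handle was issued by this server."""
    msg = f"{issued}.{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:24]


def new_handle(now=None):
    """Issue an assoc_handle of the form issued.nonce.tag; nothing is stored."""
    issued = int(time.time()) if now is None else int(now)
    # urlsafe base64 never contains '.', so '.' is a safe field separator
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode().rstrip("=")
    return f"{issued}.{nonce}.{_handle_tag(issued, nonce)}"


def mac_key_for(handle):
    """20-byte HMAC-SHA1 key: a pure function of the handle and SERVER_KEY,
    so it can be recomputed on any request without a lookup."""
    return hmac.new(SERVER_KEY, b"mac-key|" + handle.encode(), hashlib.sha1).digest()


def handle_is_valid(handle, now=None):
    """Reject handles this server did not issue, or that are too old."""
    parts = handle.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    issued, nonce, tag = parts
    if not hmac.compare_digest(tag, _handle_tag(int(issued), nonce)):
        return False
    now = time.time() if now is None else now
    return 0 <= now - int(issued) <= HANDLE_LIFETIME


def sign(handle, fields, signed):
    """OpenID 1.1 signature: base64(HMAC-SHA1(mac_key, "k:v\\n" per signed key))."""
    token = "".join(f"{key}:{fields[key]}\n" for key in signed)
    mac = hmac.new(mac_key_for(handle), token.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify(handle, fields, signed, sig, now=None):
    """What the IdP does for a consumer's check: no table of associations needed."""
    if not handle_is_valid(handle, now):
        return False
    return hmac.compare_digest(sign(handle, fields, signed), sig)


if __name__ == "__main__":
    handle = new_handle()
    response = {  # constructed id_res fields, without the "openid." prefix
        "mode": "id_res",
        "identity": "http://greg.hewgill.name/",
        "return_to": "http://consumer.example/cb",
    }
    order = ["mode", "identity", "return_to"]
    sig = sign(handle, response, order)
    print(handle, sig, verify(handle, response, order, sig))
```

Because the tag binds the handle to SERVER_KEY, a consumer (or anyone else) cannot mint a handle of their own and ask the server to sign with a key they can predict; the 60-second expiry the thread started with is simply HANDLE_LIFETIME here, and dropping the age check gives the infinite association taral describes.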
[info]taral
2006-12-08T08:49:40Z
Ah, you don't support check_authentication! No wonder your version is so simple.
[info]ghewgill
2006-12-08T08:52:13Z
Heh yeah. Enough to make it work minimally with the couple of sites I tried it with.
[info]taral
2006-12-08T08:55:40Z
That's because most of them are smart consumers that can use associations.
[info]taral
2006-12-08T08:53:09Z
No trust_root/return_to checking either. Sheesh.

http://taral.dreamhost.com/openid.txt for the one I wrote. It's PHP, but it gives you an idea of how much more has to be done to have a secure IdP.
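The trust_root/return_to check taral is pointing at is what stops a consumer from presenting one site to the user on the approval page while having the signed assertion delivered somewhere else. Below is an added Python example of that check following the OpenID 1.1 matching rules (same scheme and effective port, host equal or covered by a leading "*." wildcard, return_to path under the trust_root path); it is not code from either of the servers linked in this thread. The rule that a wildcard must leave at least two host labels is a simplification of the spec's "not too general" requirement, made for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_matches(trust_host, rt_host):
    """Exact host match, or a leading '*.' wildcard that covers subdomains."""
    if trust_host.startswith("*."):
        suffix = trust_host[2:]
        # '*.com' or '*.localdomain' would trust the whole internet; require
        # at least two labels after the wildcard (simplified rule, see lead-in)
        if "*" in suffix or suffix.count(".") < 1:
            return False
        return rt_host == suffix or rt_host.endswith("." + suffix)
    # a wildcard anywhere else is not a valid trust_root
    return "*" not in trust_host and rt_host == trust_host


def _path_matches(trust_path, rt_path):
    """return_to must live at or below the trust_root path, on a '/' boundary."""
    trust_path = trust_path or "/"
    rt_path = rt_path or "/"
    if trust_path.endswith("/"):
        return rt_path.startswith(trust_path)
    return rt_path == trust_path or rt_path.startswith(trust_path + "/")


def return_to_matches_trust_root(trust_root, return_to):
    """True only if return_to is covered by trust_root (OpenID 1.1 rules)."""
    tr, rt = urlsplit(trust_root), urlsplit(return_to)
    if tr.scheme not in DEFAULT_PORTS or rt.scheme != tr.scheme:
        return False
    if not tr.hostname or not rt.hostname:
        return False
    if _effective_port(tr) != _effective_port(rt):
        return False
    # .hostname is already lower-cased and stripped of userinfo/port
    return _host_matches(tr.hostname, rt.hostname) and _path_matches(tr.path, rt.path)


def checkid_allowed(trust_root, return_to, approved_roots):
    """What an IdP should do on checkid_setup: validate the pair first, then
    consult the user's list of approved trust_roots (constructed policy)."""
    if not return_to_matches_trust_root(trust_root, return_to):
        return False
    return trust_root in approved_roots


if __name__ == "__main__":
    # constructed sample requests
    print(return_to_matches_trust_root("http://consumer.example/", "http://consumer.example/openid/return?nonce=1"))
    print(return_to_matches_trust_root("http://*.consumer.example/", "http://login.consumer.example/cb"))
    print(return_to_matches_trust_root("http://*.consumer.example/", "http://consumer.example.elsewhere.test/cb"))
```

A consumer that is not "smart" enough to use associations will fall back to check_authentication, which this check does not replace: the IdP still has to answer that call by re-verifying the signature it issued, which is the other omission taral mentions.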
[info]ghewgill
2006-12-08T09:28:27Z
Six months ago i couldnt spel programur. Now i are one!
Greg Hewgill <greg@hewgill.com>