
Friday, July 31, 2009

Creating an OpenID provider

OpenID is an open, decentralized, free framework for user-centric digital identity (I stole that from their website). But what does it mean? Well, basically OpenID is a way to authenticate yourself to various places (websites) by verifying your identity as the owner of a particular URL (say, a website of your own). Instead of giving a username and password to a login form, you just give it your URL. You're then directed to your "identity provider" to log in, and when it authenticates you, you go back to the site you were originally trying to get into. Why this is good or bad, and what the actual implications of it are... well, that's all mostly out of scope as far as phpMyID is concerned. Suffice it to say, phpMyID acts as an "identity provider" so you can log in to OpenID enabled sites.

From a user point of view, OpenID is a neat concept, but it has a few flaws. For example, when I wanted to actually, y'know, get an OpenID thingie of my own so I could log into OpenID sites, I found there was no satisfactory way to get one. My options were:

  • Download a ready made application to handle serving up identities and create myself an account in it. - There aren't many of these, and what few there are seem to be geared towards multi-user setups. Since there's only one of me, this option seemed like overkill.
  • Download a complex set of libraries and build an application to handle serving up my identity. - Again there are not many of these, and what few there are seem a bit overcomplicated for my needs.
  • Set up an account with a third party provider. - A bad option for me because I really don't like the idea of coupling a theoretically decentralized framework to one of a handful of third party providers (and giving them my account credentials). Sure, someone who doesn't have their own site and server technology will probably go this way, but not me.

Since I couldn't find the simple solution that I wanted, I did what any [idiot|geek] would do, and created the missing option for myself: a single user OpenID server. phpMyID.

Why Use it?

  • The whole point of OpenID is to allow you to manage your own identity, and phpMyID lets you do that without giving control to a third party.
  • It's easy to install and easy to configure. Edit just a few lines in your config file, and you're off and running!
  • Allows "Smart Mode OpenID" (more secure) transactions, even if you don't have a "big math" library available. Seriously, phpMyID comes with a pure-PHP math library which can be used if you want to demand that extra level of security.
  • Ensures secure password transmission even if you don't have SSL! By using HTTP Digest authentication, phpMyID ensures your password is never sent or stored anywhere in clear or decipherable text.

How to Use

phpMyID is a single user (though, if you were so inclined, you could easily turn it into a multi-user setup) IdP, or "Identity Provider" for the OpenID framework. It's a single PHP script with minimal dependencies. You don't need a database, you don't need to make your filesystem writable, you don't need to download any libraries, and you don't need to recompile PHP. Okay, well, you shouldn't need to do any of that.

Installing phpMyID requires an MD5 hashing utility. Why? Because you have to authenticate to it using a password. phpMyID uses HTTP Digest authentication for security, and the password you enter during installation must be stored as an MD5 hash rather than in plain text. Say it with me: "passwords should never be stored or transmitted in plain text" (one of the advantages of phpMyID and OpenID is that they never are).

For Linux or OSX (or any other Unix-like OS), I suggest using OpenSSL to hash your password. For Windows, there are a number of utilities available, but I recommend this one by Colin Plumb. It's public domain code, and it will do exactly what you need (yes, the hash it creates is all upper-case - don't worry, phpMyID will convert it for you). You can use PHP's md5 function to generate your hash for you on the fly, but I must discourage doing so. Not only does it take all the fun out, but you have to store your password in plain text to make it go.
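As an added illustration of the Digest mechanism described above (example code written for this page, not part of phpMyID): the server keeps only MD5("user:realm:password"), the same value `openssl md5` prints for that string, and checks each request by recomputing the RFC 2617 response from that stored hash, including the auth-int variant and the upper-case hash normalisation mentioned above. The realm, user name, password, nonce and cnonce values are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed sample values (not from phpMyID's README): realm, user, password, nonces.
REALM, USER, PASSWORD = "phpMyID", "alice", "correct horse battery staple"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """Stored in place of the password: MD5("user:realm:password"), what `openssl md5`
    prints for that string. Still a secret: whoever holds it can answer challenges."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop, body=b""):
    """RFC 2617: MD5(HA1:nonce:nc:cnonce:qop:HA2). The browser derives HA1 from the
    typed password, the server uses the stored HA1; the password never crosses the wire."""
    if qop == "auth-int":                      # also binds the request body
        ha2 = md5_hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    elif qop == "auth":
        ha2 = md5_hex(f"{method}:{uri}")
    else:
        raise ValueError(f"unsupported qop {qop!r}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_digest_header(header: str) -> dict:
    """Parse the parameter list of an 'Authorization: Digest ...' header."""
    params = header.strip().partition(" ")[2]
    return {k: q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}

def verify(stored_ha1: str, header: str, method: str, body: bytes = b"") -> bool:
    """Server side. The stored hash is lower-cased first (phpMyID does the same with
    the upper-case output of Windows md5 tools) and compared in constant time."""
    try:
        p = parse_digest_header(header)
        expected = digest_response(stored_ha1.lower(), method, p["uri"], p["nonce"],
                                   p["nc"], p["cnonce"], p["qop"], body)
        return p["realm"] == REALM and hmac.compare_digest(expected, p["response"].lower())
    except (KeyError, ValueError):
        return False

def client_header(password, uri, method="GET", qop="auth", body=b"") -> str:
    """Browser side of the same exchange, used here to build requests to verify."""
    resp = digest_response(ha1(USER, REALM, password), method, uri, NONCE, NC, CNONCE, qop, body)
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", uri="{uri}", '
            f'qop={qop}, nc={NC}, cnonce="{CNONCE}", response="{resp}"')

STORED_HA1 = ha1(USER, REALM, PASSWORD).upper()   # as a Windows md5 tool would print it
```

MD5-based Digest is weak by today's standards and the stored HA1 is password-equivalent for its realm, so the config file holding it needs the same protection a password file would.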

Complete installation instructions, including examples of how to hash your password, are available in the provided README file (here's the svn version).

** Important ** phpMyID is not compatible with hardened PHP installations. In particular, Suhosin is known to cause problems.

Change Log

0.9
  • Bugfix: A weakness in the digest authentication method has been addressed. Thanks to forum user 'MAILER-DAEMON' for noticing.
  • Bugfix: A few PHP "Notices" have been corrected. Thanks to forum users 'thomas.leplus', and 'laplix' for the patches.
  • Bugfix: Paranoid mode ancestry checks did not work correctly in PHP4. Thanks to forum user 'sehrgut' for the patch.
  • Bugfix: Cancel URL did not have 'openid.mode=cancel' appended to it. Thanks to forum user 'zstoichev' for noticing.
  • Bugfix: Paranoid mode will not be invoked on checkid_immediate.
  • The Suhosin incompatibility warning can now be bypassed.
  • HTML META refreshes have been replaced with HTTP 302 refreshes.
0.8
  • Paranoid mode was added. Users may now see and approve "trust_root" URLs that they are logging in to.
  • Support was added for embedding a MicroID.
  • Support was added for embedding a Pavatar.
0.7
  • Bugfix: Non default query argument separators are now corrected.
  • Bugfix: Internal req_url key is (again) generated using HTTP_HOST instead of SERVER_NAME.
  • Session validation was removed from the self_check routine. It's still conducted in the test mode. Some PHP setups had a problem with the way this check was conducted, but anything more complex would require too much logic for a lightweight self check.
  • Config file now 'requires' instead of 'includes' the program file.
0.6
  • Bugfix: client supplied non-default dh_gen and dh_modulus values were not being properly decoded.
  • Bugfix: build_query urlencoding bug corrected.
  • All references to the _GET and _POST superglobals were converted to reference _REQUEST.
  • GMP is now supported as an alternative to bcmath.
  • An internal pure-PHP big math library was added as a fallback for systems lacking either bcmath or GMP support.
  • Default charset is now universally defined as 'iso-8859-1'.
  • A 'test' mode was added to support big math library validation.
  • A "robots" meta tag is now included in the default html output.
  • Support for phpdoc documentation was added.
  • README/FAQ docs were updated.
0.5
  • Enhancements have been made to allow authorization under PHP running in CGI mode.
  • Authorization/Authentication function names have been cleaned up.
  • Various warning messages have been removed.
0.4
  • Created and documented a mechanism to correctly identify and use your "modified" authentication realm when PHP is running under "safe mode."
  • Fixed a bug where check_immediate was not correctly called.
  • Configuration can now be de-coupled from the main script file.
  • Documentation has been extended.
  • The debug log location is no longer hard coded.
  • Debugging output is now cleaner and more intelligent.
0.3
  • The project has been renamed to phpMyID (formerly myOpenID) to avoid confusion with www.myOpenId.com, with which it is unrelated.
  • Fixed a bug related to the use of the 'auth-int' Digest qop. This would have only affected Opera users (as it's the only browser which supports auth-int).
0.2
  • Added support for PHP4, including a better mechanism for getting Digest authentication headers which should work with non-Apache servers.
  • Added a (hidden) logout mode, usable by calling MyID.php?openid.mode=logout.
  • Fixed a bug which occurred when associate mode was called and was unable to produce a secure key. Future queries from that handle would then fail check_authentication mode queries.
  • The lifetime for a smart-mode client is now the same as the default cache life of the session minus ten seconds, which should be just under three hours.
  • Renamed the 'sha20' function to 'sha1_20' (to designate using 'sha1' to get a 20 byte hash)
  • Some code and debug cleanup
0.1
  • Initial version
