OpenID: For Future Authentication?

Wednesday, December 01, 2010

I don’t have any ideas, why OpenID not too familiar yet since its first existences in May 2005. As one of authentication protocol, OpenID purposed to provide a concise way to authenticated user by only entering owned domain name & dropping password field – in usual manner to support single-sign-on – (of course, user need to be self confirmed at first use in any login page). Some said that basic security protocol used by OpenID is too weak. Perhaps, this makes provider such as PayPal, Yahoo, IBM, VeriSign, Facebook & Google enhancing their own process based on its standard protocol just to make the use of OpenID more secure, but this makes OpenID not kind of universal things.

Based on my experience - by continuing my previous article – with the same topic: Single Account, Multiple Services, here’s my report about generating OpenID on your own domain name – more specific actually - in a Google Apps. You may ignore this article if you have already registering your OpenID in common provider likes ClaimID, MyOpenID, etc, but I’m afraid you’ll lose how to get this things work. And on this current article, I’d covered out.

My experience begun with my curiosity to make my owned domain name as a wide & acceptable OpenID on any login pages that support it. Based on Google API’s, the first thing I need to provide on my www folder was 2 files only; openid & host-meta file. Each of it has structures below:

openid files:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<CanonicalID>abc.com</CanonicalID>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://www.google.com/a/abc.com/o8/ud?be=o8&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.type.country=http%3A%2F%2Faxschema.org%2Fcontact%2Fcountry%2Fhome&openid.ext1.type.language=http%3A%2F%2Faxschema.org%2Fpref%2Flanguage&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.required=email%2Ccountry%2Clanguage%2CfirstName%2ClastName&openid.ns.ext2=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.ext2.icon=true</URI>
</Service>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://www.google.com/a/abc.com/o8/ud?be=o8&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.type.country=http%3A%2F%2Faxschema.org%2Fcontact%2Fcountry%2Fhome&openid.ext1.type.language=http%3A%2F%2Faxschema.org%2Fpref%2Flanguage&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.required=email%2Ccountry%2Clanguage%2CfirstName%2ClastName&openid.ns.ext2=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fui%2F1.0&openid.ext2.icon=true</URI>
</Service>
</XRD>
</xrds:XRDS>


host-meta files:
Link: <https://www.google.com/accounts/o8/site-xrds?hd=abc.com>; rel="describedby http://reltype.google.com/openid/xrd-op"; type="application/xrds+xml"


On both files, don’t forget to replace abc.com with your domain name then upload it on your www directory. Create a directory named by .well-known & move host-meta file in it. As additional, also create (if it doesn’t exist) an index page. In my example, I also copy index.php to index.error.php. You’ll know soon why I created it.

To recognized openid file & adding error 404 forwarder functionality, create (again, if it doesn’t exist) .htaccess file like example below:

.htaccess files:
ErrorDocument 404 /index.error.php
<Files openid>
ForceType application/xrds+xml
</Files>


Now you have the same www directory structure like mine below:



Until this step, you have succeeded creating your own OpenID named with “abc.com/openid”. Test it to a page, let say a blog page. Make a comment & select OpenID identity.



Enter your OpenID “abc.com/openid”. Here below is my example:



Make a preview & submit. Your comment submitted as “openid” which has link to your domain name.



Unfortunately, now we have 2 problems arise: Why if I clicked that link, my browser continues to download this openid file? And why my identity recognized as “openid”? To solve the first problem, change openid file name on www directory to whatever you like. These changes, continues with replacing “openid” with new name on .htaccess file:

ErrorDocument 404 /index.error.php
<Files "what.ever.you.like">
ForceType application/xrds+xml
</Files>


After you changed the name, the structure changes like picture below.



After changed that, try to click again the “openid” link, and tell me what you see? The index page will show replacing downloading file process. This is the reason why we created 404 errors forwarding on .htaccess. Hence, your OpenID also changed from “abc.com/openid” into “abc.com” only. Much simpler, isn’t it?

Anyway, the last problem still unresolved – at least I tried on blogger.com. While I suspect that the blogger OpenID library does not work with Google's (Apps) discovery extensions * is my guess right? *. However, at a time, Google implemented a proof-of-concept implementation of a next-generation OpenID discovery protocol which is it’s not a “full version” yet. Even when it becomes a standard, it is not backwards compatible with the OpenID 2.0 and earlier. Hmm.. see that?



By the way, before you use your OpenID on a different authentication page, why don’t you take a test to http://www.puffypoodles.com/?. On picture above, I’d tested it just to prove that my OpenID is recognized & acceptable. The test result means that with basic OpenID authentication, it succeeded to retrieve all of possible AX (Attribute eXchange) of OpenID, including email address, home country, preferred language, first name & last name. The conclusion is, the treatment of OpenID yet is different on each authentication since it still in “growing” era going to robustness. Maybe in couple years, a standardize of OpenID will be shaped, to make authentication more secure, private & intimate.

Labels: , , ,

PS: If you've benefit from this blog,
you can support it by making a small contribution.

Enter your email address to receive feed update from this blog:

Post a Comment

 

Post a Comment

Leave comments here...