author | Matthew Wild <mwild1@gmail.com> | Tue, 16 Apr 2024 12:58:08 +0100
changeset 5889 | 54b451c3790c
parent 1889 | b42eb10dc7d2
permissions | -rw-r--r--
Annotated lines come from changesets 1786 and 1807 (4d73a1a6ba68, "Convert all wiki pages to Markdown", Kim Alvefur <zash@zash.se>) and 1889 (b42eb10dc7d2, "mod_openid/README: Convert raw HTML to emphasis", Kim Alvefur <zash@zash.se>).

---
labels:
- 'Stage-Alpha'
summary: Enables Prosody to act as an OpenID provider
...

Introduction
============

[OpenID](http://openid.net/) is a decentralized authentication
mechanism for the Web. mod\_openid turns Prosody into an OpenID
*provider*, allowing users to use their Prosody credentials to
authenticate with various third-party websites.

Caveats
=======

mod\_openid can best be described as a **proof-of-concept**: it has
known deficiencies and should **not** be used in the wild as a
legitimate OpenID provider. mod\_openid was developed using the Prosody
0.4.x series; it has not been tested with the 0.5.x or later series.

Details
=======

OpenID works on the basis of a user proving to the third party they wish
to authenticate with, an OpenID *relying party*, that they have a claim
on or ownership of a URL, known as an OpenID *identifier*. mod\_openid
uses Prosody's built-in HTTP server to provide every user with an OpenID
identifier of the form `http://host.domain.tld[:port]/openid/user`,
which would be the OpenID identifier of the user with a Jabber ID of
`user@host.domain.tld`.

Usage
=====

Simply add "mod\_openid" to your modules\_enabled list. You may then use
the OpenID identifier form described above as your OpenID identifier.
The port Prosody's HTTP server listens on is currently set to 5280,
meaning the full OpenID identifier of the user `romeo@montague.lit`
would be `http://montague.lit:5280/openid/romeo`.

Configuration
=============

mod\_openid has no configuration options at this time.

TODO
====

The following is a list of the pending tasks which would have to be done
to make mod\_openid fully featured. They are generally ranked in order
of importance, with an estimated degree of difficulty.

1. Support Prosody 0.6.x series (**Medium**)
2. Refactor code (**Medium**)
    - The code is pretty messy at the moment; it should be refactored
      to be more easily understood.

3. Disable use of "user@domain" OpenID identifier form (*Easy*)
    - This is a vestigial feature from the early design, allowing
      explicit specification of the JID. However, the JID can be
      inferred from the simpler OpenID identifier form.

4. Use a cryptographically secure Pseudo Random Number Generator (PRNG)
   (**Medium**)
    - This would likely be accomplished using luacrypto, which provides
      a Lua binding to the OpenSSL PRNG.

5. Make sure OpenID key-value pairs get signed in the right order
   (***Hard***)
    - It is important that the OpenID key-value responses be signed in
      the proper order so that the signature can be properly verified
      by the receiving party. This may be complicated by the fact that
      the iteration order of keys in a Lua table is not guaranteed
      for non-integer keys.

6. Do an actual match on the OpenID realm (**Medium**)
    - The code currently always returns true for matches against an
      OpenID realm, posing a security risk.

7. Don't use plain text authentication over HTTP (***Hard***)
    - This would require some JavaScript to perform a digest.

8. Return meaningful error responses (**Medium**)
    - Most error responses are an HTTP 404 File Not Found; obviously
      something more meaningful could be returned.

9. Enable Association (***Hard***)
    - Association is a feature of the OpenID specification which
      reduces the number of round-trips needed to perform
      authentication.

10. Support HTTPS (**Medium**)
    - With an option to only allow authentication through HTTPS.

11. Enable OpenID 1.1 compatibility (**Medium**)
    - mod\_openid is designed from the OpenID 2.0 specification, which
      has an OpenID 1.1 compatibility mode.

12. Check specification compliance (**Medium**)
    - Walk through the code and make sure it complies with the OpenID
      specification. Comment code as necessary with the relevant
      sections in the specification.

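Item 5 above concerns the signature over the OpenID key-value fields. The following Python is an added example and is not mod\_openid's Lua code or any other Prosody project code. It shows the OpenID 2.0 rule that the signature covers exactly the fields named in `openid.signed`, in that order, so a provider must build the key-value form from that explicit list rather than from whatever order a hash table happens to iterate in; the relying party rebuilds the same form from the list it receives. The MAC key, endpoint, nonce and association handle are constructed values for the example.

```python
"""OpenID 2.0 positive-assertion signing with an explicit field order.

Added example, not mod_openid's code. The relying party rebuilds the
key-value form from the comma-separated `openid.signed` list, in that
order, so the provider must sign exactly that ordering. All sample
values below are constructed for this example.
"""
import base64
import hashlib
import hmac

# Fields that OpenID 2.0 requires in a signed positive assertion
# (section 10.1), in the order this example provider signs them.
SIGNED_ORDER = ["op_endpoint", "claimed_id", "identity", "return_to",
                "response_nonce", "assoc_handle"]


def kv_form(fields, order):
    """Key-Value Form Encoding (OpenID 2.0 section 4.1.1) of the named
    fields, with the 'openid.' prefix stripped, in the given order."""
    return "".join(f"{key}:{fields['openid.' + key]}\n" for key in order)


def sign_response(fields, mac_key, order=SIGNED_ORDER):
    """Return a copy of `fields` with openid.signed and openid.sig added.
    The signed list and the bytes that were MACed are derived from the
    same explicit `order`, so the two cannot drift apart."""
    signed = dict(fields)
    signed["openid.signed"] = ",".join(order)
    digest = hmac.new(mac_key, kv_form(signed, order).encode(),
                      hashlib.sha256).digest()
    signed["openid.sig"] = base64.b64encode(digest).decode()
    return signed


def verify_response(fields, mac_key):
    """What a relying party does: rebuild the kv-form in the order given
    by openid.signed and compare the MAC in constant time."""
    order = fields["openid.signed"].split(",")
    expected = hmac.new(mac_key, kv_form(fields, order).encode(),
                        hashlib.sha256).digest()
    try:
        given = base64.b64decode(fields["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, given)


# Constructed sample assertion for romeo@montague.lit (values invented).
MAC_KEY = b"constructed-association-mac-key"
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "http://montague.lit:5280/openid",
    "openid.claimed_id": "http://montague.lit:5280/openid/romeo",
    "openid.identity": "http://montague.lit:5280/openid/romeo",
    "openid.return_to": "https://rp.example/finish",
    "openid.response_nonce": "2024-04-16T11:58:08ZUNIQUE",
    "openid.assoc_handle": "handle-1",
}


def demo():
    """Returns (good verifies, wrong-order signature verifies,
    tampered return_to verifies)."""
    good = sign_response(SAMPLE, MAC_KEY)

    # A provider that MACed the fields in some other order (as an
    # unordered table walk might produce) while still advertising
    # SIGNED_ORDER in openid.signed: the relying party cannot verify it.
    shuffled = dict(good)
    other_order = list(reversed(SIGNED_ORDER))
    digest = hmac.new(MAC_KEY, kv_form(good, other_order).encode(),
                      hashlib.sha256).digest()
    shuffled["openid.sig"] = base64.b64encode(digest).decode()

    # A return_to changed after signing must also fail verification.
    tampered = dict(good)
    tampered["openid.return_to"] = "https://other.example/finish"

    return (verify_response(good, MAC_KEY),
            verify_response(shuffled, MAC_KEY),
            verify_response(tampered, MAC_KEY))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The design point for a Lua implementation is the same: keep the signed field names in an array (integer keys, whose order Lua does guarantee) and derive both `openid.signed` and the MACed bytes from that array.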
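Item 6 above says the module currently accepts every realm. As an added example (Python, not part of mod\_openid or Prosody), here is the check an OpenID 2.0 provider should make instead: the `return_to` URL must lie inside the realm according to section 9.2 of the specification as read by the author of this example (same scheme and port, no fragment in the realm, host equal or covered by a leading `*.` wildcard, path equal to or a sub-directory of the realm path). `realm_matches_always` reproduces the behaviour the README describes, for contrast; the URLs used are constructed.

```python
"""return_to / realm matching for an OpenID 2.0 provider.

Added example, not mod_openid's code. Implements the realm matching
rules of OpenID 2.0 section 9.2 as the example's author reads them.
Sample URLs are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def realm_matches_always(return_to, realm):
    """The proof-of-concept behaviour described in the README: every realm
    is accepted, so the realm shown to the user need not correspond to
    the site the assertion is actually returned to."""
    return True


def _port(parts):
    """Effective port of a split URL, or None if the port is unparsable."""
    try:
        return parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:
        return None


def return_to_matches_realm(return_to, realm):
    """True only if `return_to` lies inside `realm`."""
    rt, rl = urlsplit(return_to), urlsplit(realm)

    # A realm must not carry a fragment, and only http(s) realms are valid.
    if rl.fragment:
        return False
    if rt.scheme != rl.scheme or rl.scheme not in DEFAULT_PORTS:
        return False

    # Scheme and port must be identical (defaults applied per scheme).
    if _port(rt) is None or _port(rt) != _port(rl):
        return False

    # Host: exact match, or a '*.' wildcard as the leftmost label of the
    # realm, which covers that domain and any subdomain of it.
    rt_host, rl_host = rt.hostname or "", rl.hostname or ""
    if rl_host.startswith("*."):
        suffix = rl_host[2:]
        if not suffix or "*" in suffix:
            return False
        if rt_host != suffix and not rt_host.endswith("." + suffix):
            return False
    elif "*" in rl_host or not rl_host or rt_host != rl_host:
        return False

    # Path: equal to the realm path or a sub-directory of it.
    rl_path = rl.path or "/"
    rt_path = rt.path or "/"
    rl_dir = rl_path if rl_path.endswith("/") else rl_path + "/"
    return rt_path == rl_path or rt_path.startswith(rl_dir)


if __name__ == "__main__":
    cases = [
        ("https://rp.example/finish", "https://rp.example/"),
        ("https://www.rp.example/login/done", "https://*.rp.example/login"),
        ("https://rp.example.org/finish", "https://*.rp.example/"),
        ("https://rp.example/application", "https://rp.example/app"),
    ]
    for return_to, realm in cases:
        print(return_to, realm, return_to_matches_realm(return_to, realm))
```

A provider that adopts this check should also refuse over-broad wildcard realms (the specification itself cautions against realms such as `http://*.com/`), which the function above does not attempt; that policy depends on a public-suffix list and is a deployment decision.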
Once all these steps are done, mod\_openid could be considered to have
reached "beta" status and be ready for real-world use. The following are
features that would be nice to have in a stable release:

1. Allow users to always trust realms (***Hard***)
2. Allow users to remain logged in with a cookie (***Hard***)
3. Enable simple registration using a user's vCard (**Medium**)
4. More useful user identity page (***Hard***)
    - Allow users to alter what realms they trust and what simple
      registration information gets sent to relying parties by
      default.

5. OpenID Bot (***Hard***)
    - Offers all functionality of the user identity page management.

6. Better designed pages (*Easy*)
    - Use semantic XHTML and CSS to allow for custom styling.
    - Use the Prosody favicon.

Useful Links
============

- [OpenID Specifications](http://openid.net/developers/specs/)
- [OpenID on Wikipedia](http://en.wikipedia.org/wiki/OpenID)