Packetizer Forums: OpenID Provider Server2018-07-25T14:09:25ZPacketizer Forumshttps://forums.packetizer.com/webmaster@packetizer.comhttps://forums.packetizer.com/feeds/?f=73Copyright (C) 2018 Packetizer, Inc. All Rights Reserved.Packetizer ATOM/RSS Feed Generatorhttps://www.packetizer.com/rss/images/packetizer.pnghttps://forums.packetizer.com/images/packetizer_icon.pngpaulejRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=2611#p26112018-07-25T14:09:25Z2018-07-25T14:09:25Z<div>The current OpenID code is largely frozen. I would fix a security issue if discovered, but otherwise it's not changing. It works with what few sites still use OpenID. The issue is that people are now moving to OpenID Connect. I don't personally have a project related to OpenID Connect.</div>dimkarRe: any other earlier versions than 1.8 available?https://forums.packetizer.com/viewtopic.php?f=73&t=274&p=766#p7662012-07-10T05:44:10Z2012-07-10T05:44:10Z<div>You are probably right.... maybe outside the DMZ...on the firewall place.<br/>
<br/>
Anyways thanks for the good product.</div>paulejRe: any other earlier versions than 1.8 available?https://forums.packetizer.com/viewtopic.php?f=73&t=274&p=765#p7652012-07-10T04:43:55Z2012-07-10T04:43:55Z<div>That might be useful, but the challenge is coming up with a mechanism that works.<br/>
<br/>
For example, we could not simply use cookies to keep a count, since a hacker would not return that cookie.<br/>
<br/>
We could try to keep a count by IP address, but distributed bot nets would be able to use a bunch of addresses. Also, we would not want to lock out any address for an inordinate amount of time, since a person might make a mistake and enter the wrong password n times. (I probably would.)<br/>
<br/>
We could put in some artificial delay for failed logins, but attackers can detect this and immediately send another request.<br/>
<br/>
I can see ways to try to thwart attackers, but I can find ways attackers can get around it. So, I'm not sure if a good solution exists. I do know I don't have time to try to prevent it. :-)<br/>
<br/>
People try to get into my machines using SSH attacks all the time. I cannot prevent them, but I do monitor the activity and I block IP addresses if somebody tries more than a certain number of times and fails. If I saw my OpenID server attacked, I would do the same thing. It's not clear where the abuse prevention code should reside, but I'd personally run it outside, because I will block subsequent requests before they even hit the web server.</div>dimkarRe: any other earlier versions than 1.8 available?https://forums.packetizer.com/viewtopic.php?f=73&t=274&p=764#p7642012-07-09T10:08:18Z2012-07-09T10:08:18Z<div>Hi paulej<br/>
thanks for the reply<br/>
<br/>
Actually, I do mean for the system itself to allow the user to try n times on the logon process and not repeatedly, to avoid fake login bots or DoS attacks.<br/>
<br/>
thanks<br/>
Dimitrios</div>paulejRe: any other earlier versions than 1.8 available?https://forums.packetizer.com/viewtopic.php?f=73&t=274&p=763#p7632012-07-05T15:50:35Z2012-07-05T15:50:35Z<div><QUOTE author="dimkar">Hi paulej<br/>
<br/>
Congratulations for the implementation of the openid server, the only one that really works!!</QUOTE>
Thanks! Glad you like it. :-)<br/>
<br/>
<QUOTE author="dimkar">
I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.</QUOTE>
I have not personally done any work on the server, but a new open source project was forked from the code I originally wrote:<br/>
<a href="http://sourceforge.net/projects/openidserver/">http://sourceforge.net/projects/openidserver/</a><br/>
<QUOTE author="dimkar">
Another interesting feature would be to allow a user to try n (say 3) times on logon process.</QUOTE>
I think it allows the user to try repeatedly. You want to limit the number of tries? The cancel button allows the user to escape anytime.<br/>
<QUOTE author="dimkar">
.my previous post was held for approval or gone?</QUOTE>
It is deleted now :-) A few of us approve new postings from new people to keep spam down on the site.</div>dimkarany other earlier versions than 1.8 available?https://forums.packetizer.com/viewtopic.php?f=73&t=274&p=762#p7622012-07-05T06:53:42Z2012-07-05T06:53:42Z<div>Hi paulej<br/>
<br/>
Congratulations for the implementation of the openid server, the only one that really works!!<br/>
<br/>
I am wondering whether there is an earlier distro publicly available with all the features discussed in the previous threads.<br/>
<br/>
Another interesting feature would be to allow a user to try n (say 3) times on logon process.<br/>
<br/>
<br/>
thanks in advance,<br/>
Dimitrios<br/>
<br/>
.my previous post was held for approval or gone?</div>rgeorgeRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=684#p6842012-03-17T17:58:58Z2012-03-17T17:58:58Z<div>Just wanted to chime in real quick.<br/>
Everything is in sourceforge right now, including my changes. I have discovered some minor bugs relating to sreg and attribute exchange that need to be fixed before I post a release that includes my changes. (The trunk code works, but sometimes sreg and attribute exchange will not be sent when it should.)<br/>
I will upload a release for the packetizer version in the next day or so, and hopefully shortly after that I will post a new release to include my changes.</div>paulejRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=676#p6762012-03-16T12:29:27Z2012-03-16T12:29:27Z<div>OhReally, I agree with your comments. Are you interested in helping with the project?</div>ohreallyRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=655#p6552012-02-29T20:11:14Z2012-02-29T20:11:14Z<div>I do need releases, by the way. There should be 1 archive that I can point my Makefile at; ports makefiles won't harvest from CVS, SVN, GIT, or whatever the next SCM hype may be.</div>ohreallyRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=654#p6542012-02-29T20:02:50Z2012-02-29T20:02:50Z<div>A specific config file could be loaded by using this in the Apache config:<br/>
<CODE>SetEnv PERL5LIB "/websites/example.org/lib:/usr/local/www/openidserver/lib"</CODE>
These directories are prepended to the list of directories to be searched for libraries, and the first match is used.<br/>
<br/>
On a shared host, each user usually has their own database, so the database config should also be personalizable.<br/>
Also, cheaper hosting accounts often have only 1 database; to not confuse database tables or have name clashes, all tables should have configurable prefixes (so all tables for openidserver are prefixed 'openid_', or 'oid_', or 'ois_', or whatever).<br/>
Then, all HTML should be separated from functionality; probably by putting all HTML files (templates, index.html and error page) in the vhost directory, and using ScriptAlias to point at the .cgi files.<br/>
And maybe some more... :)</div>paulejRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=653#p6532012-02-29T19:34:57Z2012-02-29T19:34:57Z<div>All of the code could be shared on multiple sites, except openid_config.pl. If there was a way to load the config from a file or a database for each virtual domain, I think you'd be 99% of the way there.<br/>
<br/>
There is something up on Source Forge now:<br/>
<a href="https://sourceforge.net/projects/openidserver/">https://sourceforge.net/projects/openidserver/</a><br/>
<br/>
We've not made a plan to go attack anything in particular, yet, but it's there.<br/>
<br/>
Paul</div>ohreallyRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=652#p6522012-02-29T17:21:21Z2012-02-29T17:21:21Z<div>The BSD ports collection is a collection of Makefiles that download the software source code, download and install any dependencies, patch the software if necessary, compile the software if necessary, and then install everything into the right place (in BSD, web apps go in /usr/local/www/, documentation in /usr/local/share/doc/, etc.). Paths for all installed files are recorded in a database to enable de-installation. Dependencies are also recorded to enable recursive updates or de-installs.<br/>
<br/>
You are correct in that the software won't need much patching. The Perl module URI::Escape is not part of the ports collection, but URI::Escape::XS is; so I'll be changing that, as I prefer to only depend on ports (because of recursive updates).<br/>
And at a later stage I may make some changes to enable serving OpenID for multiple virtual domains from 1 code base; I have some ideas about that. But before I do that, I'll consult you guys first, as you may wish to include this in the software itself to not make this BSD-specific.<br/>
<br/>
So, is there any news on a SourceForge or other repo, yet?<br/>
<br/>
I won't need commit access, BTW. The files that make up the port will be included in the FreeBSD repository.<br/>
On the other hand: I speak some Perl, I have been involved in some open source projects, and I have a SourceForge account (and GitHub, and Gitorious, etc.), so I won't mind having commit access.</div>paulejRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=648#p6482012-02-25T01:57:31Z2012-02-25T01:57:31Z<div>I've heard of porting software, the "BSD Ports and Packages Collection" is referred to as a "simple way for users and administrators to install applications". It does not sound like porting software. For sure, there is really nothing to port to get the Packetizer OpenID server to work on BSD. It's all written in Perl and works with the Apache web server, both of which run on BSD, I'm sure.<br/>
<br/>
My reaction to rgeorge was one of amazement, because he paid such a high compliment. :)<br/>
<br/>
I wrote the OpenID server we use on Packetizer (and available at <a href="http://www.packetizer.com/security/openid/">http://www.packetizer.com/security/openid/</a>), so what he said was a really nice thing to say. He could equally have come along and said it was a piece of crap and ... well, you get the idea.<br/>
<br/>
While I clearly cannot say my code is the best out there, I can say it best met my needs. I evaluated several packages, but none offered the integration I wanted with Packetizer. So, I just wrote my own. It was fun to do, too.<br/>
<br/>
Anyway, I do not know how much development there is on OpenID. I've not touched the server code in a while because it has been working for me. rgeorge would like to add new features, so he's setting up a project at SourceForge. I welcome that and would be happy to contribute and help test the changes.<br/>
<br/>
All that said, OpenID has had some mixed success. I really like OpenID, but people complain about the complexity. Thus, we have things like OpenID Connect appearing. Personally, I like the OpenID model, but would only recommend simplifying a few things. Still, it only took me a day to write the server code. It's not that complex. It just looks like it on the surface. The client side is a bit more complex, though, because the standard allows for the user's OpenID server to be specified via a Yadis link relation in the HTTP header and link relations buried in the HTML page of the user's OpenID URL. Many people do not know how to add headers to HTTP, so clients have to look at the HTML. Many people do not write properly formed HTML, so hunting down the values can be painful for the client. In my opinion, that's the worst part. Once we're past that, then it's really just a matter of establishing a security association behind the scenes, and that's not that hard. The same has to be done with OAuth, too.<br/>
<br/>
Webfinger may actually serve to make OpenID easier to use, because well-defined and well-structured XML and JSON objects can be used to determine the user's OpenID server.</div>ohreallyRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=647#p6472012-02-25T00:06:43Z2012-02-25T00:06:43Z<div>Paul,<br/>
<br/>
Try and follow the links on that page...<br/>
I was about to give up when I stumbled upon this site; I really thought OpenID development had died. (And to be honest: judging from your reaction on rgeorge's post, I think you did as well).<br/>
<br/>
And about the term 'ports': never heard of 'porting software'?</div>paulejRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=646#p6462012-02-24T23:30:40Z2012-02-24T23:30:40Z<div>Not to discourage you, but there are several freely available servers. See:<br/>
<a href="http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server">http://wiki.openid.net/w/page/12995226/Run%20your%20own%20identity%20server</a><br/>
<br/>
Unfortunately, I'm not familiar with a BSD "Ports" project. Unfortunate name, since we all know what a "port" is, but not "Ports" ;-)</div>ohreallyRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=645#p6452012-02-24T21:20:55Z2012-02-24T21:20:55Z<div>Hi both,<br/>
<br/>
Please post any information on this in this thread.<br/>
<br/>
I'm about to install this server (it seems like it's the only freely downloadable OpenID server available), and I'm taking notes. If the installation works, I'd like to try and create a <a href="http://www.freebsd.org/ports/index.html">FreeBSD port</a> out of it.<br/>
(My challenge in this will be to enable multiple virtual hosts to run on the same code base, which is something that's missing from all ports-based web applications on FreeBSD.)<br/>
<br/>
Thanks,<br/>
Rob</div>paulejRe: Project Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=641#p6412012-02-23T01:24:07Z2012-02-23T01:24:07Z<div>I was the one who wrote the Packetizer OpenID Server, so I certainly appreciate the kind words! The project is "active" in the sense that I add stuff whenever I get time. I've certainly not abandoned the code, but since it has been stable and served my purpose, I haven't had to touch it in a while.<br/>
<br/>
The only source repository is actually on my LAN, nothing out in the public. I have everything checked into an SVN repository, but it doesn't do anybody else any good, obviously.<br/>
<br/>
The server code is now version 1.8, but I haven't made any changes in a long time. Some of the changes I have considered include:
<LIST>
<LI>Adding code to allow users to create or manage their own accounts (this was left as an exercise for the admin)</LI>
<LI>Allowing users to provide certain types of information that might be returned back via sreg (so glad to see you did it!)</LI>
<LI>Ability to have the server set cookies that can be used on other services within the user's own domain (e.g., within packetizer.com) that can be authenticated against. That is, I want to be able to log into the OpenID server and then gain access to all services within *.packetizer.com to which I have access, thus avoiding the need to use OpenID for "internal" services, but exposing a simpler interface between services that I can trust due to the fact that it's controlled communication "back channels". I understand people's fear of cookies, but they could be set only as session cookies, etc. It ought to be configurable.</LI></LIST>
In any case, I'm delighted to see you've taken interest to move the project forward. Since I don't have a formal repository, I think it would be great if you wanted to take a fork of 1.8 and create a repository somewhere. If you would be so kind as to give me check-in privilege so I can make changes (if I have time), that would be wonderful.<br/>
<br/>
If you want to talk on the phone about this a bit more, send me an email.<br/>
<br/>
Paul</div>rgeorgeProject Still Active?https://forums.packetizer.com/viewtopic.php?f=73&t=236&p=639#p6392012-02-22T20:44:44Z2012-02-22T20:44:44Z<div>Hi,<br/>
I wanted to first tell you guys that your implementation of an OpenID Provider server is the best I've found. In reality, it seems to be the only one that actually works.<br/>
<br/>
I have done several modifications to the code to support some extra extensions, such as RP discovery (for checking verified return_to urls, and implementing the ui icon extension). I have also partially implemented the sreg, and attribute exchange extensions.<br/>
<br/>
I would like to know if you have an existing rcm repository that I could commit my changes to, or if I should just fork the project and set up a new repository.</div>rodssmithRe: linking my openid identity to facebook failedhttps://forums.packetizer.com/viewtopic.php?f=73&t=118&p=560#p5602011-11-30T07:03:38Z2011-11-30T07:03:38Z<div>Hey Sankar, did you get the solution to your problem with Facebook!!!</div>rodssmithRe: linking my openid identity to facebook failedhttps://forums.packetizer.com/viewtopic.php?f=73&t=118&p=490#p4902011-10-01T10:21:09Z2011-10-01T10:21:09Z<div>Logging into Facebook via OpenID always works, and I use this regularly and I have never faced this kind of problem.<br/>
Thanks 8-)</div>paulejRe: linking my openid identity to facebook failedhttps://forums.packetizer.com/viewtopic.php?f=73&t=118&p=333#p3332011-03-03T08:01:46Z2011-03-03T08:01:46Z<div>And today, logging into Facebook via OpenID is working. I guess Facebook fixed their problem.</div>paulejRe: linking my openid identity to facebook failedhttps://forums.packetizer.com/viewtopic.php?f=73&t=118&p=328#p3282011-02-28T22:17:53Z2011-02-28T22:17:53Z<div>Today, it appears that Facebook now will associate properly, but one still cannot use OpenID to log in.<br/>
<br/>
So, there is progress...</div>paulejRe: linking my openid identity to facebook failedhttps://forums.packetizer.com/viewtopic.php?f=73&t=118&p=318#p3182011-02-20T19:38:56Z2011-02-20T19:38:56Z<div>Sankar,<br/>
<br/>
For the past two weeks or so, I have been getting the exact same error as you with Facebook and OpenID. It now says:<br/>
<blockquote>There was an error while processing the OpenID response. No OpenID information found at <a href="https://openid.packetizer.com/paulej">https://openid.packetizer.com/paulej</a> for method Auth_OpenID_discover</blockquote>
Yet, we changed absolutely nothing in our code and our domain was working with Facebook before and still is working perfectly well with other sites. I'm at a complete loss. Either there is a bug that Facebook introduced or they are expecting something now they did not expect before. I've looked at debug traces extensively on our side and cannot find the source of the problem. If Facebook's error reporting was more detailed as to exactly what information it could not find, it would be helpful.<br/>
<br/>
Paul<br/>
<br/>
<B>UPDATE:</B> It was brought to my attention that this issue is affecting a number of people. See these sites:<br/>
<a href="http://getsatisfaction.com/openid/topics/facebook_auto_login_not_working">http://getsatisfaction.com/openid/topics/facebook_auto_login_not_working</a><br/>
<a href="http://www.google.com/support/forum/p/apps-apis/thread?tid=309ad86045a963bb&hl=en">http://www.google.com/support/forum/p/apps-apis/thread?tid=309ad86045a963bb&hl=en</a></div>paulejRe: linking my openid identity to facebook failedhttps://forums.packetizer.com/viewtopic.php?f=73&t=118&p=307#p3072011-01-27T19:02:37Z2011-01-27T19:02:37Z<div>Sankar,<br/>
<br/>
Did you ever find a solution to this issue? We use the Packetizer OpenID server with Facebook and have never seen this error.<br/>
<br/>
Paul</div>sankarlinking my openid identity to facebook failedhttps://forums.packetizer.com/viewtopic.php?f=73&t=118&p=232#p2322011-01-05T07:28:11Z2011-01-05T07:28:11Z<div>I hosted my own OpenID server. When logging in to livejournal.com using my identity, it's working fine.<br/>
In the case of linking my identity with Facebook, it has failed.<br/>
<br/>
Facebook produces the below error:<br/>
<br/>
Error while processing response<br/>
There was an error while processing the OpenID response. No OpenID information found at for method Auth_OpenID_discover</div>paulejWelcome to the OpenID Provider Server forumhttps://forums.packetizer.com/viewtopic.php?f=73&t=86&p=151#p1512010-11-29T00:12:28Z2010-11-29T00:12:28Z<div>Folks,<br/>
<br/>
This forum was created to allow people to discuss the OpenID Provider Server software published by Packetizer. If you have any questions or comments about the software, feel free to post them to this forum.<br/>
<br/>
Cheers!<br/>
Paul</div>