Project Still Active?

Discussion related to the OpenID Provider Server published by Packetizer.
rgeorge
Posts: 2
Joined: Tue Feb 21, 2012 6:47 pm

Project Still Active?

Post by rgeorge »

Hi,
I wanted to first tell you guys that your implementation of an OpenID Provider server is the best I've found. In reality, it seems to be the only one that actually works.

I have done several modifications to the code to support some extra extensions, such as RP discovery (for checking verified return_to urls, and implementing the ui icon extension). I have also partially implemented the sreg, and attribute exchange extensions.

I would like to know if you have an existing SCM repository that I could commit my changes to, or if I should just fork the project and set up a new repository.
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Project Still Active?

Post by paulej »

I was the one who wrote the Packetizer OpenID Server, so I certainly appreciate the kind words! The project is "active" in the sense that I add stuff whenever I get time. I've certainly not abandoned the code, but since it has been stable and served my purpose, I haven't had to touch it in a while.

The only source repository is actually on my LAN, nothing out in the public. I have everything checked into an SVN repository, but it doesn't do anybody else any good, obviously.

The server code is now version 1.8, but I haven't made any changes in a long time. Some of the changes I have considered include:
  • Adding code to allow users to create or manage their own accounts (this was left as an exercise for the admin)
  • Allowing users to provide certain types of information that might be returned back via sreg (so glad to see you did it!)
  • Ability to have the server set cookies that can be used on other services within the user's own domain (e.g., within packetizer.com) that can be authenticated against. That is, I want to be able to log into the OpenID server and then gain access to all servers within *.packetizer.com to which I have access, thus avoiding the need to use OpenID for "internal" services, but exposing a simpler interface between services that I can trust due to the fact that it's controlled communication "back channels". I understand people's fear of cookies, but they could be set only as session cookies, etc. It ought to be configurable.

In any case, I'm delighted to see you've taken interest to move the project forward. Since I don't have a formal repository, I think it would be great if you wanted to take a fork of 1.8 and create a repository somewhere. If you would be so kind as to give me check-in privilege so I can make changes (if I have time), that would be wonderful.

If you want to talk on the phone about this a bit more, send me an email.

Paul
OhReally
Posts: 5
Joined: Fri Feb 24, 2012 8:58 pm
Location: Netherlands

Re: Project Still Active?

Post by OhReally »

Hi both,

Please post any information on this in this thread.

I'm about to install this server (it seems like it's the only freely downloadable OpenID server available), and I'm taking notes. If the installation works, I'd like to try and create a FreeBSD port out of it.
(My challenge in this will be to enable multiple virtual hosts to run on the same code base, which is something that's missing from all ports-based web applications on FreeBSD.)

Thanks,
Rob
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Project Still Active?

Post by paulej »

Not to discourage you, but there are several freely available servers. See:
http://wiki.openid.net/w/page/12995226/ ... y%20server

Unfortunately, I'm not familiar with a BSD "Ports" project. Unfortunate name, since we all know what a "port" is, but not "Ports" ;-)
OhReally
Posts: 5
Joined: Fri Feb 24, 2012 8:58 pm
Location: Netherlands

Re: Project Still Active?

Post by OhReally »

Paul,

Try and follow the links on that page...
I was about to give up when I stumbled upon this site; I really thought OpenID development had died. (And to be honest: judging from your reaction on rgeorge's post, I think you did as well).

And about the term 'ports': never heard of 'porting software'?
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Project Still Active?

Post by paulej »

I've heard of porting software; the "BSD Ports and Packages Collection" is referred to as a "simple way for users and administrators to install applications". It does not sound like porting software. For sure, there is really nothing to port to get the Packetizer OpenID server to work on BSD. It's all written in Perl and works with the Apache web server, both of which run on BSD, I'm sure.

My reaction to rgeorge was one of amazement, because he paid such a high compliment. :)

I wrote the OpenID server we use on Packetizer (and available at http://www.packetizer.com/security/openid/), so what he said was a really nice thing to say. He could equally have come along and said it was a piece of crap and ... well, you get the idea.

While I clearly cannot say my code is the best out there, I can say it best met my needs. I evaluated several packages, but none offered the integration I wanted with Packetizer. So, I just wrote my own. It was fun to do, too.

Anyway, I do not know how much development there is on OpenID. I've not touched the server code in a while because it has been working for me. rgeorge would like to add new features, so he's setting up a project at SourceForge. I welcome that and would be happy to contribute and help test the changes.

All that said, OpenID has had some mixed success. I really like OpenID, but people complain about the complexity. Thus, we have things like OpenID Connect appearing. Personally, I like the OpenID model, but would only recommend simplifying a few things. Still, it only took me a day to write the server code. It's not that complex. It just looks like it on the surface. The client side is a bit more complex, though, because the standard allows for the user's OpenID server to be specified via a Yadis link relation in the HTTP header and link relations buried in the HTML page of the user's OpenID URL. Many people do not know how to add headers to HTTP, so clients have to look at the HTML. Many people do not write properly formed HTML, so hunting down the values can be painful for the client. In my opinion, that's the worst part. Once we're past that, then it's really just a matter of establishing a security association behind the scenes, and that's not that hard. The same has to be done with OAuth, too.

Webfinger may actually serve to make OpenID easier to use, because well-defined and well-structured XML and JSON objects can be used to determine the user's OpenID server.
OhReally
Posts: 5
Joined: Fri Feb 24, 2012 8:58 pm
Location: Netherlands

Re: Project Still Active?

Post by OhReally »

The BSD ports collection is a collection of Makefiles that download the software source code, download and install any dependencies, patch the software if necessary, compile the software if necessary, and then install everything into the right place (in BSD, web apps go in /usr/local/www/, documentation in /usr/local/share/doc/, etc.). Paths for all installed files are recorded in a database to enable de-installation. Dependencies are also recorded to enable recursive updates or de-installs.

You are correct in that the software won't need much patching. The Perl module URI::Escape is not part of the ports collection, but URI::Escape::XS is; so I'll be changing that, as I prefer to only depend on ports (because of recursive updates).
And at a later stage I may make some changes to enable serving OpenID for multiple virtual domains from 1 code base; I have some ideas about that. But before I do that, I'll consult you guys first, as you may wish to include this in the software itself to not make this BSD-specific.

So, is there any news on a SourceForge or other repo, yet?

I won't need commit access, BTW. The files that make up the port will be included in the FreeBSD repository.
On the other hand: I speak some Perl, I have been involved in some open source projects, and I have a SourceForge account (and GitHub, and Gitorious, etc.), so I won't mind having commit access.
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Project Still Active?

Post by paulej »

All of the code could be shared on multiple sites, except openid_config.pl. If there was a way to load the config from a file or a database for each virtual domain, I think you'd be 99% of the way there.

There is something up on Source Forge now:
https://sourceforge.net/projects/openidserver/

We've not made a plan to go attack anything in particular, yet, but it's there.

Paul
OhReally
Posts: 5
Joined: Fri Feb 24, 2012 8:58 pm
Location: Netherlands

Re: Project Still Active?

Post by OhReally »

A specific config file could be loaded by using this in the Apache config:

SetEnv PERL5LIB "/websites/example.org/lib:/usr/local/www/openidserver/lib"
These directories are prepended to the list of directories to be searched for libraries, and the first match is used.

On a shared host, each user usually has their own database, so the database config should also be personalizable.
Also, cheaper hosting accounts often have only 1 database; to not confuse database tables or have name clashes, all tables should have configurable prefixes (so all tables for openidserver are prefixed 'openid_', or 'oid_', or 'ois_', or whatever).
Then, all HTML should be separated from functionality; probably by putting all HTML files (templates, index.html and error page) in the vhost directory, and using ScriptAlias to point at the .cgi files.
And maybe some more... :)
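One way to realise the per-virtual-host config loading discussed in this thread, written here as an added example rather than code from the Packetizer server: the CGI picks openid_config.pl from a per-host directory based on Apache's SERVER_NAME, rejects anything that is not a syntactically valid host name before it becomes part of a path, falls back to the shared default, and applies the table-prefix idea from the post above. The /websites/<host>/lib layout, a config file that returns a key/value list, and the table_prefix key are assumptions.

```perl
#!/usr/bin/perl
# Added example (not Packetizer's code): load openid_config.pl for the
# virtual host that received the request. Assumes each vhost keeps its
# config in /websites/<host>/lib/openid_config.pl (the layout implied by
# the SetEnv PERL5LIB line above) and that the file returns a key/value list.
use strict;
use warnings;

my $VHOST_ROOT = '/websites';                                        # assumption
my $DEFAULT    = '/usr/local/www/openidserver/lib/openid_config.pl'; # from the post

# Only a syntactically valid DNS name may be turned into a path; anything
# else (e.g. "../" or an empty Host header) falls back to the default.
sub vhost_config_file {
    my ($host) = @_;
    return undef unless defined $host;
    $host = lc $host;
    $host =~ s/:\d+\z//;                     # drop an explicit port
    return undef if length($host) > 253;
    return undef
        unless $host =~ /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?
                          (?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/x;
    return "$VHOST_ROOT/$host/lib/openid_config.pl";
}

sub load_config {
    my ($host) = @_;
    my $file = vhost_config_file($host);
    $file = $DEFAULT unless defined $file && -r $file;
    my @kv = do $file;
    die "cannot load $file: " . ($@ || $! || 'empty config') unless @kv;
    my %cfg = @kv;
    # Shared hosts often allow a single database: prefix every table.
    $cfg{table_prefix} = 'openid_' unless defined $cfg{table_prefix};
    $cfg{config_file}  = $file;
    return \%cfg;
}

sub table_name { my ($cfg, $base) = @_; return $cfg->{table_prefix} . $base }

# Apache supplies SERVER_NAME (the canonical name of the vhost), which is
# safer to trust than the raw Host header sent by the client.
my $cfg = load_config($ENV{SERVER_NAME});
print "config: $cfg->{config_file}, sessions table: ",
      table_name($cfg, 'sessions'), "\n";
```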
OhReally
Posts: 5
Joined: Fri Feb 24, 2012 8:58 pm
Location: Netherlands

Re: Project Still Active?

Post by OhReally »

I do need releases, by the way. There should be 1 archive that I can point my Makefile at; ports makefiles won't harvest from CVS, SVN, GIT, or whatever the next SCM hype may be.