My OpenID status update

Brad Fitzpatrick brad at danga.com
Wed May 18 21:01:29 PDT 2005


Things I'm working on:

-- LWPx::ParanoidAgent.  A subclass of LWP::UserAgent so it's a
   drop-in replacement for LWP::UserAgent in any case.  LiveJournal has
   used something like it for years, but it's called "SafeAgent" and it's
   not a subclass, so that's sometimes annoying.  My ParanoidAgent will be
   released on CPAN in the next couple days. It prevents:
   malicious/accidental tarpitting using absolute max time (better than
   LWP's timeout parameter, and not using non-portable signals), not
   connecting to private/loopback/multicast addresses, and configurable
   lists of strings/regexps of hosts not to connect to.  (your internal
   addresses/hostnames)
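   The three protections above, as an added Python example rather than
   LWPx::ParanoidAgent's own code: blocked address ranges, a deny-list of
   hosts, and one absolute deadline shared across every redirect hop.
   `ParanoidFetcher`, `EXAMPLE_DENYLIST` and the injected `resolve`
   callback are assumptions made here so the check runs offline.

```python
import ipaddress
import re
import time
from urllib.parse import urlsplit

def address_is_blocked(ip):
    # Not globally routable (loopback, RFC1918, link-local, reserved, unspecified) or multicast.
    addr = ipaddress.ip_address(ip)
    return (not addr.is_global) or addr.is_multicast

def host_is_denied(host, denylist):
    # denylist mixes literal hostnames and compiled regexps (format chosen for this example).
    return any(r.search(host) if isinstance(r, re.Pattern) else r.lower() == host.lower()
               for r in denylist)

EXAMPLE_DENYLIST = [re.compile(r"\.internal$"), "db01"]  # constructed sample; use your own names

class ParanoidFetcher:
    def __init__(self, resolve, max_time=10.0, denylist=(), max_redirects=5):
        self.resolve = resolve            # host -> [ip, ...]; injected so this runs offline
        self.max_time = max_time          # one wall-clock budget for the whole fetch
        self.denylist = list(denylist)
        self.max_redirects = max_redirects

    def check_url(self, url):
        # Validate one hop: scheme, deny-list, then every address the host resolves to.
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("unsupported or malformed URL: %r" % url)
        if host_is_denied(parts.hostname, self.denylist):
            raise ValueError("host %s is on the deny-list" % parts.hostname)
        addrs = self.resolve(parts.hostname)
        if not addrs:
            raise ValueError("host %s did not resolve" % parts.hostname)
        for ip in addrs:
            if address_is_blocked(ip):
                raise ValueError("%s resolves to blocked address %s" % (parts.hostname, ip))
        return addrs  # a real client must connect to these, not resolve again

    def follow(self, url, fetch_hop):
        # fetch_hop(url, addrs, seconds_left) -> (body, None) or (None, redirect_url). Each hop
        # is re-checked and the deadline spans all hops, so a redirect chain can neither tarpit us
        # nor bounce the fetch onto an internal host.
        deadline = time.monotonic() + self.max_time
        for _ in range(self.max_redirects + 1):
            seconds_left = deadline - time.monotonic()
            if seconds_left <= 0:
                raise ValueError("absolute max time exceeded")
            body, redirect = fetch_hop(url, self.check_url(url), seconds_left)
            if redirect is None:
                return url, body
            url = redirect
        raise ValueError("too many redirects")
```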

-- OpenID::Consumer library to use a configurable UserAgent (or
   fall back to LWP::UserAgent) to fetch claimed identity URLs off the
   net, do auto-discovery, and return an OpenID::ClaimedIdentity object
   with the final URL found (if following redirects, safely).  From that,
   you can generate return-to URLs based on your base return-to address
   and parameters.  It'll also have a hook you can set so your own logic
   can choose the OpenID server if the client has declared multiple.
   It'll default to the first.

   The OpenID::Consumer object has a configurable cacher attribute
   to cache the mapping from claimed URL to declared OpenID servers.
   Because when you get the return_to HTTP hit, you have to verify
   the server hitting you is one of the declared OpenID servers, and
   not a rogue site that's just returning (with a valid signature!)
   and claiming to be a user, even though that user doesn't trust that
   server.  The default will be no caching (has to refetch from network),
   but a filesystem cacher will be included.

       my $csr = OpenID::Consumer->new;
       $csr->cacher(OpenID::Cacher::FileSystem->new(Dir => "/var/openid/"));

   So you can make your own database-backed cacher.

   The library will also then validate signatures once you get the
   returned response.

-- OpenID::Server library, similarly extensible, to do the reverse.  The
   current LiveJournal server code will be changed to use this.

-- documentation on the website

-- LiveJournal client support, so DeadJournal users (or
   whoever) can reply to LJ posts with auth.  This is where things get
   fun.


- Brad