Progress and some thoughts
Martin Atkins
mart at degeneration.co.uk
Wed Jun 22 06:19:13 PDT 2005
meepbear * wrote:
>> So-called "tarpitting" of servers is always a concern, but the current
>> OpenID implementations work around it by using a "paranoid" user-agent
>> library which has a realistic but quite short timeout on the whole
>> request.
>>
>> If your ID server has a slow enough connection that it takes longer than
>> the timeout then unfortunately you lose. Your only recourse is to put
>> your identity server on a more sensible connection or make use of
>> someone else's identity services. Since the identity URL and the
>> identity service that asserts it are separate, one can switch between
>> identity services at will.
>
> It only changes the way you exploit it, but doesn't eliminate it since
> the consumer has to make several initial requests. If the timeout is 5
> seconds and the redirection limit is 1 they could simply delay answering
> each request by 4-5 seconds.
> First request comes in, I issue a redirect. The consumer follows the
> redirect, I give it an openid.delegate. It goes to the delegate, I hand
> it another redirect. It follows the redirect, I hand it an
> openid.server. Finally it contacts the server.
> That's still 20-25 seconds someone could stall each instance of a consumer.
In the case of LWPx::ParanoidAgent (which is the library I was
describing in my earlier message), the timeout is a hard timeout for the
entire transaction, including redirects. In the above scenario, the
delay would be five seconds per request. The delegate request would be
one further request, also with a five second timeout. This would keep
one consumer process busy (though really it's just "blocked", so not
doing a great deal of harm) for a maximum of ten seconds.
Regardless of all this, I don't really see how it can be avoided. The
impact should be minimal anyway.
> And there's a webclient library? That would have made things easier
> since I ended up having to implement a basic HTTP client in PHP from
> scratch :).
There isn't one for PHP yet. LWPx::ParanoidAgent is a Perl module. I
suspect similar principles could be applied in PHP land, though; I'm not
much of a PHP person, so I don't know.
I'm sure at some point someone will write a "paranoid" client library
for doing OpenID in PHP. Hopefully they'll make it generic, as I suspect
this would be useful in other applications beyond OpenID.
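The difference the two posters are arguing about (a fresh timeout per request versus one hard deadline for the whole transaction, redirects included) can be made concrete with a small simulation. The following is an added illustration, not code from LWPx::ParanoidAgent or from the list; it is written in Python rather than Perl because the principle is generic, and the URLs, the 4.5-second delay and the `FakeClock` are constructed for the example. The delegate and server hops are modelled as plain HTTP redirects to keep the chain simple.

```python
"""Per-request timeout vs. whole-transaction ("paranoid") timeout when
following redirects.  Added illustration; not LWPx::ParanoidAgent code."""
import socket
import time
from dataclasses import dataclass, field

REDIRECT_STATUSES = {301, 302, 303, 307}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class TransactionTimeout(Exception):
    """The whole redirect chain exceeded the single deadline."""


class TooManyRedirects(Exception):
    """The redirect limit was reached without a final response."""


def fetch_paranoid(url, do_request, total_timeout, max_redirects=3,
                   clock=time.monotonic):
    """Follow redirects under ONE deadline for the entire transaction.

    Each hop only gets the time left until the deadline, so a server that
    answers just inside the limit cannot bank a full timeout per hop."""
    deadline = clock() + total_timeout
    for _ in range(max_redirects + 1):
        remaining = deadline - clock()
        if remaining <= 0:
            raise TransactionTimeout(f"deadline exceeded before {url}")
        try:
            resp = do_request(url, timeout=remaining)
        except socket.timeout:
            raise TransactionTimeout(f"deadline exceeded while fetching {url}")
        if resp.status in REDIRECT_STATUSES and "Location" in resp.headers:
            url = resp.headers["Location"]
            continue
        return resp
    raise TooManyRedirects(url)


def fetch_per_request(url, do_request, per_request_timeout, max_redirects=3):
    """Naive variant: every hop gets a fresh timeout, so the worst case is
    per_request_timeout * (max_redirects + 1) seconds of stalling."""
    for _ in range(max_redirects + 1):
        resp = do_request(url, timeout=per_request_timeout)
        if resp.status in REDIRECT_STATUSES and "Location" in resp.headers:
            url = resp.headers["Location"]
            continue
        return resp
    raise TooManyRedirects(url)


class FakeClock:
    """Constructed stand-in for time.monotonic so the demo runs instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def make_slow_server(chain, delay, clock):
    """Simulated identity server: `chain` maps a URL either to a redirect
    target or to a final body; every answer takes `delay` fake seconds."""
    def do_request(url, timeout):
        if delay > timeout:          # client gives up before the answer arrives
            clock.now += timeout
            raise socket.timeout(url)
        clock.now += delay
        target = chain[url]
        if target.startswith("http"):
            return Response(302, {"Location": target})
        return Response(200, {}, target.encode())
    return do_request


def run_scenario(delay=4.5, timeout=5.0):
    """Return (seconds stalled by the naive client, seconds stalled by the
    paranoid client, error class name for the paranoid client or None)."""
    chain = {  # constructed four-hop chain: three redirects, then the server
        "http://id.example/alice": "http://id.example/alice/",
        "http://id.example/alice/": "http://delegate.example/alice",
        "http://delegate.example/alice": "http://server.example/openid",
        "http://server.example/openid": "ok",
    }
    clock = FakeClock()
    server = make_slow_server(chain, delay, clock)
    fetch_per_request("http://id.example/alice", server, timeout)
    naive_elapsed = clock.now

    clock = FakeClock()
    server = make_slow_server(chain, delay, clock)
    error = None
    try:
        fetch_paranoid("http://id.example/alice", server, timeout, clock=clock)
    except TransactionTimeout as exc:
        error = type(exc).__name__
    return naive_elapsed, clock.now, error


if __name__ == "__main__":
    print(run_scenario())   # (18.0, 5.0, 'TransactionTimeout')
```

With a 4.5-second delay per hop and a 5-second limit, the per-request client is held for 18 seconds and still completes, whereas the paranoid client abandons the transaction after exactly 5 seconds. The cost is that a legitimately slow identity server fails, which is the trade-off described in the message above.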