My OpenID status update
Brad Fitzpatrick
brad at danga.com
Wed May 18 21:01:29 PDT 2005
Things I'm working on:

-- LWPx::ParanoidAgent. A subclass of LWP::UserAgent so it's a
drop-in replacement for LWP::UserAgent in any case. LiveJournal has
used something like it for years, but it's called "SafeAgent" and it's
not a subclass, so that's sometimes annoying. My ParanoidAgent will be
released on CPAN in the next couple days. It prevents:
malicious/accidental tarpitting using absolute max time (better than
LWP's timeout parameter, and not using non-portable signals), not
connecting to private/loopback/multicast addresses, and configurable
lists of strings/regexps of hosts not to connect to (your internal
addresses/hostnames).

-- OpenID::Consumer library to use a configurable UserAgent (or
fall back to LWP::UserAgent) to fetch claimed identity URLs off the
net, do auto-discovery, and return an OpenID::ClaimedIdentity object
with the final URL found (if following redirects, safely). From that,
you can generate return-to URLs based on your base return-to address
and parameters. It'll also have a hook you can set so your own logic
can choose the OpenID server if the client has declared multiple.
It'll default to the first.

The OpenID::Consumer object has a configurable cacher attribute
to cache the mapping from claimed URL to declared OpenID servers.
Because when you get the return_to HTTP hit, you have to verify
the server hitting you is one of the declared OpenID servers, and
not a rogue site that's just returning (with a valid signature!)
and claiming to be a user, even though that user doesn't trust that
server. The default will be no caching (has to refetch from network),
but a filesystem cacher will be included.

    my $csr = OpenID::Consumer->new;
    # cache the claimed-URL -> declared-servers mapping on disk
    $csr->cacher(OpenID::Cacher::FileSystem->new(Dir => "/var/openid/"));

So you can make your own database-backed cacher.

The library will also then validate signatures once you get the
returned response.

-- OpenID::Server library, similarly extensible, to do the reverse. The
current LiveJournal server code will be changed to use this.

-- documentation on the website

-- LiveJournal client support, so DeadJournal users (or
whoever) can reply to LJ posts with auth. This is where things get
fun.

- Brad
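The three ParanoidAgent protections described in the post (an absolute time budget across the whole fetch, refusing private/loopback/multicast addresses, and a deny list of hostnames and regexps), as an added illustration in Python rather than the Perl module itself. This is not Brad's code; the FAKE_DNS table, the URL hop lists and the function names are constructed for the example.

```python
import ipaddress
import time

# Constructed stand-in for DNS (offline); a real agent must check every returned address.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.1.2.3"],
    "dual.example": ["93.184.216.34", "127.0.0.1"],  # one bad record is enough
}

def address_is_forbidden(ip_text):
    """Loopback, private, link-local, multicast or otherwise unroutable."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def host_is_blocked(host, rules):
    """rules mixes literal hostnames (exact match) and compiled regexes."""
    for rule in rules:
        if isinstance(rule, str):
            if host == rule:
                return True
        elif rule.search(host):
            return True
    return False

def check_host(host, blocked=(), resolver=FAKE_DNS.get):
    """Deny-list check first, then refuse if any resolved address is non-public."""
    if host_is_blocked(host, blocked):
        return f"refused: host '{host}' is on the deny list"
    addrs = resolver(host)
    if not addrs:
        return f"refused: '{host}' did not resolve"
    for addr in addrs:
        if address_is_forbidden(addr):
            return f"refused: '{host}' resolves to non-public address {addr}"
    return "ok"

def paranoid_fetch(url_hops, blocked=(), max_total=10.0, resolver=FAKE_DNS.get, clock=time.monotonic):
    """Re-check each redirect hop against the deny rules under one absolute wall-clock budget."""
    start = clock()
    for url in url_hops:
        if clock() - start > max_total:
            return "refused: absolute time budget exhausted"
        host = url.split("//", 1)[1].split("/", 1)[0].split(":")[0]
        verdict = check_host(host, blocked, resolver)
        if verdict != "ok":
            return verdict
    return "ok"
```

The per-hop re-check is the point: a public first hop that redirects to a loopback address is refused at the second hop, and the single budget covers the whole chain rather than each read.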