Net::OpenID::Server

Martin Atkins mart at degeneration.co.uk
Tue May 24 09:51:48 PDT 2005


Troy Benjegerdes wrote:
> On Tue, May 24, 2005 at 04:50:21PM +0100, Martin Atkins wrote:
> 
>>Brad Fitzpatrick wrote:
>>
>>>Here's Net::OpenID::Server ....
>>>
>>>  http://www.danga.com/dist/misc/Net-OpenID-Server-0.01.tar.gz
>>>
>>>It's really flexible.  If you find a way it's not I'd be both shocked and
>>>happy to fix it.
>>>
>>>Somebody should write a cgi script that uses this now. :)
>>>
>>
>>I was going to write today a simple single-user ID Server CGI script 
>>using this which can just be dropped in and given a single username and 
>>password it will authorize. The target audience for this is someone who 
>>just wants to run his own ID server for himself alone on his 
>>otherwise-static website.
>>
>>I have been halted by the quandary of how to handle the auth step. My 
>>first thought was to keep it simple and use HTTP auth, but digest auth 
>>in a CGI script isn't easy because of the need to retain the pending 
>>nonces. In general, maintaining any kind of state across requests is a 
>>royal pain in a CGI script.
> 
> 
> Can you use apache HTTP Auth and look at the $REMOTE_USER variable?

I covered that in the following paragraph which you snipped! The 
Consumer eventually needs to request the public key at the same URL, so 
Apache would need some way to distinguish between the auth request and 
the key request.

> What about a CGI script and daemon that runs to keep the nonce data? For
> anything less than 100 or so users, would flat files work out?

Having to run a daemon increases the barrier of entry. Most people don't 
have the ability to do that. The goal here was to give people something 
that they can just install on their crummy web hosting account and use.

My original concern about maintaining state was the need for file 
locking, but now that I think about it an ID server only supporting one 
user should in theory never get two simultaneous requests. Probably best 
not to rely on that, though, or else it could be vulnerable to a denial 
of service attack.

In general, I think a simple ID server of this nature would be better 
implemented in PHP, for the reasons I stated in my original message. I 
don't know how to do SHA1 and DSA in PHP, though.
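
The flat-file state question raised above, as an added example that is not code from Net::OpenID::Server or from anyone in this thread: a nonce store for a single-user CGI ID server that takes an exclusive flock on every access, so it stays correct even if two requests do arrive at once and a consumed nonce cannot be replayed. The file path and the use of /dev/urandom are assumptions.

```perl
use strict;
use warnings;
use Fcntl qw(:flock O_RDWR O_CREAT);

# Assumption: the CGI can write this file; one line per nonce: "nonce\texpiry".
my $NONCE_FILE = '/tmp/idserver-nonces.txt';
my $NONCE_TTL  = 300;   # seconds a nonce stays usable

# Run $code against the nonce table under an exclusive flock, so two
# simultaneous requests cannot corrupt the file or both consume one nonce.
sub with_store {
    my ($code) = @_;
    sysopen(my $fh, $NONCE_FILE, O_RDWR | O_CREAT, 0600) or die "open: $!";
    flock($fh, LOCK_EX) or die "flock: $!";
    my %nonces;
    while (my $line = <$fh>) {
        chomp $line;
        my ($nonce, $expires) = split /\t/, $line, 2;
        # keep only unexpired entries; expired ones are dropped on rewrite
        $nonces{$nonce} = $expires if defined $expires && $expires > time;
    }
    my $result = $code->(\%nonces);
    seek($fh, 0, 0)   or die "seek: $!";
    truncate($fh, 0)  or die "truncate: $!";
    print {$fh} "$_\t$nonces{$_}\n" for keys %nonces;
    close($fh) or die "close: $!";   # releases the lock
    return $result;
}

# Issue a fresh nonce from the kernel CSPRNG and record its expiry.
sub issue_nonce {
    open(my $rnd, '<', '/dev/urandom') or die "urandom: $!";
    read($rnd, my $bytes, 20) == 20 or die "short read";
    my $nonce = unpack('H*', $bytes);
    with_store(sub { $_[0]{$nonce} = time + $NONCE_TTL });
    return $nonce;
}

# A nonce is accepted once; the removal is written before the lock is
# released, so a replayed request finds it gone.
sub consume_nonce {
    my ($nonce) = @_;
    return with_store(sub { delete($_[0]{$nonce}) ? 1 : 0 });
}

my $n = issue_nonce();
print consume_nonce($n) ? "first use accepted\n" : "unexpected\n";
print consume_nonce($n) ? "replay accepted!\n"   : "replay rejected\n";
```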


