pp at myelin.co.nz
Tue May 24 13:56:08 PDT 2005
On Tue, May 24, 2005 at 04:50:21PM +0100, Martin Atkins wrote:
> Brad Fitzpatrick wrote:
> >Here's Net::OpenID::Server ....
> > http://www.danga.com/dist/misc/Net-OpenID-Server-0.01.tar.gz
> >It's really flexible. If you find a way it's not I'd be both shocked and
> >happy to fix it.
> >Somebody should write a cgi script that uses this now. :)
> I was going to write today a simple single-user ID Server CGI script
> using this which can just be dropped in and given a single username and
> password it will authorize. The target audience for this is someone who
> just wants to run his own ID server for himself alone on his
> otherwise-static website.
I'm most of the way there in PHP at http://dev.myelin.co.nz/openid.php
- calling out to /usr/bin/openssl to do the heavy lifting and storing
the keys in files in a private directory.
For authentication to the ID server, it just presents a login form and
sets a flag in the PHP session once the user is logged in.
It was working with http://www.danga.com/openid/demo/demo.html before
the demo started checking signatures, but now the signature check
fails; I expect I'm doing something dumb and generating the signature
the wrong way.
One concern about this is that for the web server to be able to sign
requests, it has to be able to get at the private key. If this is run
on a shared host, other users on that host are likely to be able to
read the key as well. So while it helps make things more
*distributed*, it's not necessarily more *secure* - although some sort
of setuid wrapper would fix this, I suppose.
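The shared-host concern above is the minimum thing an ID server that holds its own signing key should check before it ever uses that key. The following is an added example, not code from the post or from the script at dev.myelin.co.nz; it is in Python rather than the post's PHP because the check itself is language-independent. It refuses to shell out to /usr/bin/openssl unless the key file and the directory holding it are owned by the web server's own uid and carry no group/other permission bits (the same rule OpenSSH applies to private keys). The key path and the `openssl dgst` command are illustrative assumptions; the command is not the OpenID 1.x signature format. A setuid wrapper or separate signing process, as the post suggests, is the stronger fix because the web process then never holds the key at all.

```python
import os
import shutil
import stat
import subprocess
import tempfile
from typing import Optional, Tuple

# Hypothetical location, standing in for the post's "private directory".
DEFAULT_KEY_PATH = "/var/www/private/openid-signing.key"

# Any of these bits on the key file or its directory means another account on
# the same host may be able to read (or replace) the key.
_SHARED_BITS = stat.S_IRWXG | stat.S_IRWXO


def key_is_private(path: str, uid: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason).

    ok is True only when the directory holding the key and the key file itself
    are owned by `uid` (default: the current process) and have no group or
    other permission bits set, and the key path is a regular file.
    """
    if uid is None:
        uid = os.getuid()
    checks = (
        ("key directory", os.path.dirname(os.path.abspath(path))),
        ("key file", path),
    )
    for label, p in checks:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            return False, f"{label} does not exist: {p}"
        if st.st_uid != uid:
            return False, f"{label} is owned by uid {st.st_uid}, not {uid}"
        if st.st_mode & _SHARED_BITS:
            return False, (f"{label} is group/world accessible "
                           f"(mode {stat.S_IMODE(st.st_mode):04o})")
    if not stat.S_ISREG(os.stat(path).st_mode):
        return False, "key path is not a regular file"
    return True, "ok"


def sign_with_openssl(message: bytes, key_path: str = DEFAULT_KEY_PATH) -> bytes:
    """Sign `message` by shelling out to openssl, as the post's script does.

    Refuses to touch the key when key_is_private() fails, so a key left
    readable by other users is never used and the failure is visible rather
    than silently producing signatures. The digest is illustrative only.
    """
    ok, reason = key_is_private(key_path)
    if not ok:
        raise PermissionError(f"refusing to sign: {reason}")
    result = subprocess.run(
        ["/usr/bin/openssl", "dgst", "-sha256", "-sign", key_path],
        input=message, capture_output=True, check=True,
    )
    return result.stdout


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Constructed demonstration: a locked-down key file versus a
    world-readable one inside a temporary directory (mkdtemp creates it 0700).
    The file contents are a placeholder, not a real key."""
    d = tempfile.mkdtemp()
    try:
        key = os.path.join(d, "openid-signing.key")
        with open(key, "wb") as f:
            f.write(b"-- constructed placeholder, not a real key --\n")
        os.chmod(key, 0o600)
        good = key_is_private(key)
        os.chmod(key, 0o644)  # the typical default umask result on a shared host
        bad = key_is_private(key)
        return good, bad
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run as a script it prints one `(True, 'ok')` line for the 0600 file and a `(False, ...)` line naming the offending mode for the 0644 file; in a real deployment the check would run once at startup and again before each signing call, since a deploy or backup step can loosen the mode later.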