OpenID to LID Proxy
Martin Atkins
mart at degeneration.co.uk
Thu May 26 11:52:58 PDT 2005
Martin Atkins wrote:
>
> I've created an OpenID to LID proxy which lets anyone with a LID server
> running log into an OpenID site -- in theory, at least.
>
[snip!]
>
> I think there's a glaring security hole in this thing right now, but I'm
> having trouble getting my head around it to figure out if it's there or
> not.
Okay. It's now fixed as follows:
* It fetches the OpenID Identity page like a consumer would and ensures
that it does indeed reference the right LID server before it starts. It
then records a ticket containing a unique ID and the identity URL and
sends the browser off to the LID URL.
* When the user comes back again, the proxy looks up the ticket ID and
makes sure that the URL matches. If so, and if the identity URL is still
referencing the right LID server, it'll generate its own signature and
send it off to the OpenID consumer.
There's also a 5 minute timeout on tickets. To prevent users from
randomly hitting different ticket IDs in the hope that one will work,
the ticket must also contain the correct URL.
These measures should ensure that no-one gets erroneously authorized by
a misbehaving LID server. However, goathack is still a shared machine
and I'm tracking my sessions in a memcached instance which is accessible
to all users of it, so you should still be a little wary of it.
It should be safe if you run your own copy, however. You will need
memcached for the moment, though that was really just because I was too
lazy to set up a database for it and memcached's an easy place to shove
temporary objects with expiry. I'll clean it up later.
You can still read the source:
<http://goathack.livejournal.org:9016/lidoid.txt>
(Brad: is there any way to make memcached bind to a FIFO or UNIX socket
rather than a TCP socket?)
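The ticket flow described above (verify the identity page, mint a ticket bound to the identity URL, re-check on return, enforce the 5 minute timeout, then sign), written out as an added example. This is not the lidoid.txt code from the post: it stands in a plain dict for the memcached ticket store, assumes the identity page advertises its LID server with a `<link rel="lid" href="...">` tag (the rel name is an assumption, not something the post specifies), and uses an HMAC-SHA256 over the identity URL as the proxy's own signature. The identity page and clock are constructed inline so it runs offline.

```python
import hashlib
import hmac
import secrets
import time
from html.parser import HTMLParser

TICKET_TTL_SECONDS = 300  # the post's 5 minute ticket timeout


class LinkRelParser(HTMLParser):
    """Collects (rel, href) pairs from <link> tags on an identity page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = dict(attrs)
        rel, href = attr.get("rel"), attr.get("href")
        if rel and href:
            for r in rel.split():  # rel may list several tokens
                self.links.append((r.lower(), href))


def page_references_server(html, rel, expected_server):
    """True only if the page carries <link rel=REL href=EXPECTED_SERVER>."""
    parser = LinkRelParser()
    parser.feed(html)
    return (rel.lower(), expected_server) in parser.links


class TicketStore:
    """In-memory stand-in for the memcached store: ticket ID -> (identity URL, expiry).

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, ttl=TICKET_TTL_SECONDS, clock=time.time):
        self._tickets = {}
        self._ttl = ttl
        self._clock = clock

    def issue(self, identity_url):
        ticket_id = secrets.token_urlsafe(24)  # unguessable, so IDs cannot be enumerated
        self._tickets[ticket_id] = (identity_url, self._clock() + self._ttl)
        return ticket_id

    def redeem(self, ticket_id, identity_url):
        """True iff the ticket exists, is unexpired and is bound to this URL.

        The ticket is consumed on any attempt, so it is single use.
        """
        entry = self._tickets.pop(ticket_id, None)
        if entry is None:
            return False
        bound_url, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(bound_url.encode(), identity_url.encode())


def start_login(store, identity_page_html, identity_url, expected_lid_server, rel="lid"):
    """Step 1: check the page really points at the expected LID server, then mint a ticket."""
    if not page_references_server(identity_page_html, rel, expected_lid_server):
        return None
    return store.issue(identity_url)


def complete_login(store, identity_page_html, ticket_id, identity_url,
                   expected_lid_server, signing_key, rel="lid"):
    """Step 2: on return from the LID server, re-check ticket and page, then sign for the consumer."""
    if not store.redeem(ticket_id, identity_url):
        return None
    if not page_references_server(identity_page_html, rel, expected_lid_server):
        return None
    return hmac.new(signing_key, identity_url.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed identity page and a fake clock for demonstration.
    page = '<html><head><link rel="lid" href="http://lid.example/mart"></head></html>'
    now = [1000.0]
    store = TicketStore(clock=lambda: now[0])
    tid = start_login(store, page, "http://id.example/mart", "http://lid.example/mart")
    print("ticket:", tid)
    print("signature:", complete_login(store, page, tid, "http://id.example/mart",
                                       "http://lid.example/mart", b"proxy-secret"))
    print("replay:", complete_login(store, page, tid, "http://id.example/mart",
                                    "http://lid.example/mart", b"proxy-secret"))
```

A valid ticket presented with a different identity URL is consumed and rejected, which is the property the post relies on to stop someone guessing ticket IDs; expiry is checked against the injected clock, so the 5 minute window can be tested directly.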