OpenID to LID Proxy

Martin Atkins mart at degeneration.co.uk
Thu May 26 11:52:58 PDT 2005


Martin Atkins wrote:
> 
> I've created an OpenID to LID proxy which lets anyone with a LID server 
> running log into an OpenID site -- in theory, at least.
> 
[snip!]
>
> I think there's a glaring security hole in this thing right now, but I'm 
> having trouble getting my head around it to figure out if it's there or 
> not.

Okay. It's now fixed as follows:
* It fetches the OpenID Identity page like a consumer would and ensures 
that it does indeed reference the right LID server before it starts. It 
then records a ticket containing a unique ID and the identity URL and 
sends the browser off to the LID URL.
* When the user comes back again, the proxy looks up the ticket ID and 
makes sure that the URL matches. If so, and if the identity URL is still 
referencing the right LID server, it'll generate its own signature and 
send it off to the OpenID consumer.

There's also a 5 minute timeout on tickets. To prevent users from 
randomly hitting different ticket IDs in the hope that one will work, 
the ticket must also contain the correct URL.

These measures should ensure that no-one gets erroneously authorized by 
a misbehaving LID server. However, goathack is still a shared machine 
and I'm tracking my sessions in a memcached instance which is accessible 
to all users of it, so you should still be a little wary of it.

It should be safe if you run your own copy, however. You will need 
memcached for the moment, though that was really just because I was too 
lazy to set up a database for it and memcached's an easy place to shove 
temporary objects with expiry. I'll clean it up later.

You can still read the source:
     <http://goathack.livejournal.org:9016/lidoid.txt>


(Brad: is there any way to make memcached bind to a FIFO or UNIX socket 
rather than a TCP socket?)
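The ticket handling described above, worked through as an added Python illustration. This is not the lidoid.txt source and not the author's code: a dict stands in for memcached, a lookup table stands in for fetching the OpenID identity page and reading which LID URL it references, and the HMAC-SHA256 "signature" handed to the consumer, the class and function names, and the consume-on-success rule are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TICKET_TTL_SECONDS = 300  # the 5 minute ticket timeout from the post

# Constructed stand-in for "fetch the identity page like a consumer would":
# maps an OpenID identity URL to the LID URL its page references.
IDENTITY_PAGES = {
    "http://alice.example/": "http://lid.example/alice",
    "http://mallory.example/": "http://lid.example/mallory",
}


def lid_url_for(identity_url):
    """Return the LID URL referenced by the identity page, or None (assumed helper)."""
    return IDENTITY_PAGES.get(identity_url)


class LidProxy:
    """Minimal model of the OpenID-to-LID proxy's ticket flow (assumed design)."""

    def __init__(self, signing_key, fetch=lid_url_for, clock=time.time):
        self.signing_key = signing_key
        self.fetch = fetch          # injected so the example runs offline
        self.clock = clock          # injected so expiry can be tested deterministically
        self.tickets = {}           # ticket_id -> (identity_url, lid_url, issued_at); memcached in the post

    def start(self, identity_url, lid_url):
        """Step 1: confirm the identity page references lid_url, then issue a ticket."""
        if self.fetch(identity_url) != lid_url:
            return None
        # Unpredictable ticket ID: guessing one is not enough, the URL must match too.
        ticket_id = secrets.token_urlsafe(32)
        self.tickets[ticket_id] = (identity_url, lid_url, self.clock())
        return ticket_id

    def finish(self, ticket_id, identity_url):
        """Step 2: the browser is back from the LID server; validate and sign."""
        entry = self.tickets.get(ticket_id)
        if entry is None:
            return None                                   # unknown or already used ticket
        stored_url, lid_url, issued_at = entry
        if self.clock() - issued_at > TICKET_TTL_SECONDS:
            del self.tickets[ticket_id]                   # expired, drop it
            return None
        if stored_url != identity_url:
            return None                                   # ticket is bound to one identity URL
        if self.fetch(identity_url) != lid_url:
            return None                                   # page no longer references that LID server
        del self.tickets[ticket_id]                       # assumed: one ticket, one login
        return self.sign(identity_url)

    def sign(self, identity_url):
        """Proxy's own assertion for the OpenID consumer (HMAC is an assumption)."""
        sig = hmac.new(self.signing_key, identity_url.encode(), hashlib.sha256).hexdigest()
        return {"identity": identity_url, "sig": sig}

    def verify(self, assertion):
        """What the consumer side of this toy model would check."""
        expected = self.sign(assertion["identity"])["sig"]
        return hmac.compare_digest(expected, assertion["sig"])


if __name__ == "__main__":
    proxy = LidProxy(b"constructed-secret")
    ticket = proxy.start("http://alice.example/", "http://lid.example/alice")
    print("ticket issued:", ticket is not None)
    print("wrong URL rejected:", proxy.finish(ticket, "http://mallory.example/") is None)
    print("right URL accepted:", proxy.finish(ticket, "http://alice.example/") is not None)
```

The two checks the post leans on are both visible here: a LID server (or anyone else) that redirects the browser back with a valid ticket ID but a different identity URL gets nothing, and a ticket older than five minutes is discarded rather than honoured.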


