OpenID to TypeKey Proxy
Martin Atkins
mart at degeneration.co.uk
Fri May 27 07:51:46 PDT 2005
With yesterday's LID proxy working, it didn't take much to turn it into
a TypeKey proxy. With this, TypeKey users can assert OpenID
identities.
You just need to add this to the URL you want to use as an identity:
<link rel="openid.server"
href="http://goathack.livejournal.org:9016/tkoid/username" />
...where "username" is your TypeKey login name.
If you then log in to an OpenID login box it'll send you off to TypeKey
to log in. When it gets back a correct signature (for the right
username!) from TypeKey it'll make one of its own and send it back to
the OpenID consumer.
Note that the flaws that initially befell my LID proxy don't apply here
because they were related to an untrustworthy LID server. Since you
trust TypeKey (otherwise why are you using it?) these issues do not
apply here.
Nonetheless, all of the checks from the LID proxy are still there, so if
TypeKey does start lying about the return URL or identity, logins will fail.
The only trust hole left, then, is whether you trust me! As before, I
suggest that for now people only use this on really stupid test URLs
that they don't care about, as it might well have bugs.
The source code to this one isn't available since part of it is based
loosely on the TypeKey verification code from MovableType and I'm not
allowed to distribute that. Other than the verification stuff, it's
largely the same as the LID proxy, though with the extra check that the
username returned from TypeKey must be the same one that was present in
the identity server URL.
At some point I'll clean both the LID and TypeKey proxies up and
generalise them so that anyone can run one on their own server. In fact,
given the similarities between the two I may even create a generic
OpenID proxy library which exposes an interface like ::Server but allows
the caller to plug in callbacks for handling the redirect URL generation
and stuff.
In the long run I hope TypeKey itself will have an OpenID ID Server
interface so that this proxying nonsense won't be necessary. It could be
implemented similarly, used like this:
<link rel="openid.server"
href="https://openid.typekey.com/username" />
...and also provide some kind of nice short Identity URL for users which
advertises that ID server so that people who don't have their own
websites can use it. TypeKey already exposes profile data in FOAF form
(though the autodiscovery URL on the profile page is wrong) so it
wouldn't be a major deal. It should only be a couple of hours' work at most.
If TypeKey were open source then I'd do it, but... :)
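The checks the post describes (verify the upstream signature, require the username TypeKey returns to match the one embedded in the identity server URL, and require the return URL to be the one the proxy asked for) are shown below as an added, constructed example; this is not the proxy's code and the post's source was never published. TypeKey's real signature format is not reproduced: an HMAC-SHA256 over the assertion fields stands in for it so the example runs offline, and the host, key, return URL and field names are assumptions.

```python
"""Constructed example of the proxy-side checks an OpenID-to-TypeKey proxy
needs before it signs its own assertion for the consumer. Not the real
proxy; the HMAC stands in for TypeKey's signature scheme."""
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Stand-in for the key the upstream identity service signs with (constructed).
UPSTREAM_KEY = b"constructed-upstream-signing-key"

# Fields covered by the upstream signature in this stand-in scheme (assumed).
SIGNED_FIELDS = ("username", "return_to", "ts")

# Identity server URL of the form used in the post, with a constructed username.
SERVER_URL = "http://goathack.livejournal.org:9016/tkoid/alice"
# Where the proxy asked the upstream service to send the user back (constructed).
RETURN_TO = "http://consumer.example/openid/return"


def upstream_sign(assertion: dict) -> str:
    """Simulate the upstream service signing its assertion (HMAC stand-in)."""
    msg = json.dumps({k: assertion[k] for k in SIGNED_FIELDS}, sort_keys=True)
    return hmac.new(UPSTREAM_KEY, msg.encode(), hashlib.sha256).hexdigest()


def username_from_server_url(server_url: str) -> str:
    """'http://host/tkoid/username' -> 'username', the identity being bound."""
    path = urlsplit(server_url).path.rstrip("/")
    return path.rsplit("/", 1)[-1]


def verify_callback(server_url: str, expected_return_to: str, assertion: dict):
    """Return (accepted, reason) for an assertion handed back to the proxy.

    Order matters: the signature is checked first so that later checks only
    run over fields the upstream service actually vouched for."""
    # 1. Signature: the assertion must really come from the upstream service.
    try:
        expected_sig = upstream_sign(assertion)
    except KeyError as missing:
        return False, f"missing field {missing}"
    if not hmac.compare_digest(expected_sig, assertion.get("sig", "")):
        return False, "bad signature"
    # 2. Binding: the returned username must be the one in the identity server
    #    URL, otherwise any upstream user could claim any identity that points
    #    at this proxy.
    if assertion["username"] != username_from_server_url(server_url):
        return False, "username mismatch"
    # 3. Return URL: the upstream service must send the user back where the
    #    proxy asked, not to some other endpoint it chose.
    if assertion["return_to"] != expected_return_to:
        return False, "return_to mismatch"
    return True, "ok"


def make_assertion(username: str, return_to: str, ts: int = 1117205506) -> dict:
    """Build a signed assertion as the upstream service would (constructed)."""
    assertion = {"username": username, "return_to": return_to, "ts": ts}
    assertion["sig"] = upstream_sign(assertion)
    return assertion


def run_cases() -> dict:
    """Exercise the honest case and the three failure modes the post mentions."""
    tampered = make_assertion("mallory", RETURN_TO)
    tampered["username"] = "alice"  # edited after signing: signature no longer matches
    return {
        "honest": verify_callback(SERVER_URL, RETURN_TO, make_assertion("alice", RETURN_TO)),
        "other_user": verify_callback(SERVER_URL, RETURN_TO, make_assertion("mallory", RETURN_TO)),
        "wrong_return": verify_callback(SERVER_URL, RETURN_TO,
                                        make_assertion("alice", "http://other.example/cb")),
        "tampered": verify_callback(SERVER_URL, RETURN_TO, tampered),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:13s} -> {result}")
```

Only the "honest" case is accepted; the other three are exactly the situations the post says must make login fail. The username check is the one the post calls out as new relative to the LID proxy.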
More information about the yadis
mailing list