OpenID to TypeKey Proxy

Brad Fitzpatrick brad at danga.com
Fri May 27 08:43:16 PDT 2005 

Use Authen::TypeKey from CPAN and open source the proxy!

- Brad


On Fri, 27 May 2005, Martin Atkins wrote:

> With yesterday's LID proxy working, it didn't take much to turn it into
> a TypeKey proxy. With this TypeKey users can use it to assert OpenID
> Identities.
>
> You just need to add this to the URL you want to use as an identity:
>      <link rel="openid.server"
>            href="http://goathack.livejournal.org:9016/tkoid/username" />
>
> ...where "username" is your TypeKey login name.
>
> If you then log in to an OpenID login box it'll send you off to TypeKey
> to log in. When it gets back a correct signature (for the right
> username!) from TypeKey it'll make one of its own and send it back to
> the OpenID consumer.
>
> Note that the flaws that initially befell my LID proxy don't apply here
> because they were related to an untrustworthy LID server. Since you
> trust TypeKey (otherwise why are you using it?) these issues do not
> apply here.
>
> Nonetheless, all of checks from the LID proxy are still there, so if
> TypeKey does start lying about the return URL or identity logins will fail.
>
> The only trust hole left, then, is whether you trust me! As before, I
> suggest that for now people only use this on really stupid test URLs
> that they don't care about, as it might well have bugs.
>
> The source code to this one isn't available since part of it is based
> loosely on the TypeKey verification code from MovableType and I'm not
> allowed to distribute that. Other than the verification stuff, it's
> largely the same as the LID proxy, though with the extra check that the
> username returned from TypeKey must be the same one that was present in
> the identity server URL.
>
> At some point I'll clean both the LID and TypeKey proxies up and
> generalise them so that anyone can run one on their own server. In fact,
> given the similarities between the two I may even create a generic
> OpenID proxy library which exposes an interface like ::Server but allows
> the caller to plug in callbacks for handling the redirect URL generation
> and stuff.
>
> In the long run I hope TypeKey itself will have an OpenID ID Server
> interface so that this proxying nonsense won't be necessary. It could be
> implemented similarly, used like this:
>      <link rel="openid.server"
>            href="https://openid.typekey.com/username" />
>
> ...and also provide some kind of nice short Identity URL for users which
> advertises that ID server so that people who don't have their own
> websites can use it. TypeKey already exposes profile data in FOAF form
> (though the autodiscovery URL on the profile page is wrong) so it
> wouldn't be a major deal. It should only be a couple of hours work at most.
>
> If TypeKey were open source then I'd do it, but... :)
>
> _______________________________________________
> yadis mailing list
> yadis at lists.danga.com
> http://lists.danga.com/mailman/listinfo/yadis
>
>

More information about the yadis mailing list