Setting up OpenId

There are less than a dozen technologies on the Internet that I would consider truly critical to organizing on the Internet, and one of them is a distributed authentication system. OpenID is the most promising implementation.

The OpenID short description is:

OpenID is a URL based identity system. An OpenID identity is simply a URL, and all the OpenID specification does is provide a way to securely prove that you own that URL.

Unlike most identity systems, OpenID is completely decentralized. The end-user may choose whichever server they are most comfortable with, and may even run their own if they choose.

Normally, everytime we create a new web site, we have to build a authentication system or use whatever authentication system comes with the development platform we are building. If I install Drupal, then we use the Drupal users table and we have to go through the process of creating usernames and passwords for people who want to login to the site.

If we build custom databases, we have to write our own system for storing usernames and passwords.

The result is that everyone has a million usernames and passwords and most of them have been communicated over insecure email.

Yuck.

With OpenID - we can create a single web-based authentication system that can be shared by any web application we create. What’s even better: by adhering to the OpenID standards, our web applications can communicate with other OpenID servers, and other OpenID web applications can communicate withour OpenID server.

So - my goal here was to setup an OpenID server for May First/People Link that used our existing database of user accounts as the user/database store. With this in place, any web application in existence now that support OpenID (like LiveJournal) will allow users to login with their May First/People Link username and password.

Here are my experiences in setting up an OpenID server that would allow May First/People Link users to login to any OpenID enabled client using their existing user account login and password.

Before beginning - a note on Open ID URLs:

Your OpenID identity is written as an URL. The exact format of the URL is up to the person who sets up the OpenID server.

For example, it is often written as:

http://username.domain.org

But it could just as easily be written as:

http://domain.org/username

Or any variation.

Regardless of how it is written, the URL must display a valid web page in which there is a header tag (invisible to the person browsing the web page) that contains:

<link rel="openid.server" href="https://members.mayfirst.org/openid/server.php" />

The href part refers to the server address that will authenticate the user.

In other words, the server software to do the authentication is not part of your identity URL. Instead, your identity URL refers to a web page that contains the URL for the server software that will authenticate you.

So… I found it quite easy to create a simple web site that responds to:

http://id.mayfirst.org/any-username-you-want

But much harder to create a simple web site that responds to:

http://any-username-you-want.mayfirst.org

which influenced my decision to use the OpenID URL format of:

http://id.mayfirst.org/username

This might be a bad idea, maybe it’s a good idea. Not sure.

Anyway… here are the steps I took:

• Setup up id.mayfirst.org web site (on harry.mayfirst.org, but it could really go anywhere).

• Installed the Jan Rain libraries with: pear install http://www.openidenabled.com/resources/downloads/php-openid/pear/Auth_OpenID-1.2.2.tgz

following the instructions here: http://www.openidenabled.com/openid/libraries/php

That step install the php Pear libraries in /usr/share/php.

Next I downloaded the same thing and unzipped it.

It contains sample scripts for setting up a server.

I modified the server files so that they would authenticate against our user accounts database.

Then I ran the tests here:

http://www.openidenabled.com/resources/openid-test/checkup

It was a little confusing because some tests require you to be logged in and some require you to be logged out, but once I figured that out all of the tests passed for us.

So - if you want to test it yourself - find a web site that supports openid - and try it out.

Your openid URL is:

http://id.mayfirst.org/username

Replace username with your real username and it should work.

Note: I’m not publicizing this to our members because I’d like us to test it and make sure that the URL scheme is the right one. Please give feedback!