Comparison

mod_openid/README.markdown @ 1803:4d73a1a6ba68

Convert all wiki pages to Markdown
author Kim Alvefur <zash@zash.se>
date Fri, 28 Aug 2015 18:03:58 +0200
parent 1782:mod_openid/README.wiki@29f3d6b7ad16
child 1885:b42eb10dc7d2
---
labels:
- 'Stage-Alpha'
summary: Enables Prosody to act as an OpenID provider
...

Introduction
============

[OpenID](http://openid.net/) is a decentralized authentication
mechanism for the Web. mod\_openid turns Prosody into an OpenID
*provider*, allowing users to authenticate to third-party websites
with their Prosody credentials.

Caveats
=======

mod\_openid is best described as a **proof-of-concept**: it has known
deficiencies (see the TODO list below) and should **not** be used in
the wild as a legitimate OpenID provider. It was developed against the
Prosody 0.4.x series and has not been tested with 0.5.x or later.

Details
=======

OpenID works on the basis of a user proving to the third party they
wish to authenticate with, the OpenID *relying party*, that they control
a URL known as an OpenID *identifier*. mod\_openid uses Prosody's
built-in HTTP server to give every user an OpenID identifier of the form
`http://host.domain.tld[:port]/openid/user`, which is the OpenID
identifier of the user with the Jabber ID `user@host.domain.tld`.

Usage
=====

Simply add "mod\_openid" to your modules\_enabled list. You may then use
the OpenID identifier form described above as your OpenID identifier.
Prosody's HTTP server currently listens on port 5280, so the full OpenID
identifier of the user `romeo@montague.lit` would be
`http://montague.lit:5280/openid/romeo`.

Configuration
=============

mod\_openid has no configuration options at this time.

TODO
====

The following is a list of the pending tasks that would have to be done
to make mod\_openid fully featured. They are ranked roughly by
importance, each with an estimated degree of difficulty.

1.  Support the Prosody 0.6.x series (*Medium*)

2.  Refactor code (*Medium*)
    - The code is pretty messy at the moment; it should be refactored
      to be more easily understood.

3.  Disable use of the "user@domain" OpenID identifier form (*Easy*)
    - This is a vestigial feature from the early design, allowing
      explicit specification of the JID. However, the JID can be
      inferred from the simpler OpenID identifier form.

4.  Use a cryptographically secure Pseudo Random Number Generator (PRNG)
    (*Medium*)
    - Association MAC keys and response nonces must come from a
      cryptographically secure source rather than a general-purpose
      PRNG. This would likely be accomplished using luacrypto, which
      provides a Lua binding to the OpenSSL PRNG.

5.  Make sure OpenID key-value pairs get signed in the right order
    (*Hard*)
    - The OpenID key-value responses must be signed in the order the
      fields are listed in `openid.signed`, so that the receiving party
      can recompute and verify the signature. This is complicated by
      the fact that the iteration order of a Lua table is not
      guaranteed for non-integer keys: the order has to be taken from
      the `openid.signed` list itself, not from `pairs()` over the
      message table.

6.  Do an actual match on the OpenID realm (*Medium*)
    - The code currently always returns true for matches against an
      OpenID realm. This is a security risk: the realm is what the user
      is shown and asked to trust, and without the check a relying
      party can present one realm while having the assertion returned
      to an unrelated `openid.return_to` URL.

7.  Don't use plain text authentication over HTTP (*Hard*)
    - This would require some JavaScript to perform a digest. Note that
      a client-side digest only keeps the raw password off the wire; it
      does not protect against an attacker who can read or alter the
      HTTP traffic (including the script itself), so it does not
      replace HTTPS support (item 10).

8.  Return meaningful error responses (*Medium*)
    - Most error responses are an HTTP 404 Not Found; obviously
      something more meaningful could be returned.

9.  Enable Association (*Hard*)
    - Association is a feature of the OpenID specification in which the
      relying party and the provider establish a shared MAC key (via
      Diffie-Hellman, or in the clear when the transport is already
      encrypted). The relying party can then verify assertion
      signatures itself instead of sending each one back in a
      `check_authentication` request, which reduces the number of
      round-trips needed to perform authentication.

10. Support HTTPS (*Medium*)
    - With an option to only allow authentication through HTTPS.

11. Enable OpenID 1.1 compatibility (*Medium*)
    - mod\_openid is designed from the OpenID 2.0 specification, which
      has an OpenID 1.1 compatibility mode.

12. Check specification compliance (*Medium*)
    - Walk through the code and make sure it complies with the OpenID
      specification. Comment the code as necessary with the relevant
      sections of the specification.
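
Items 4, 5 and 9 above are all about the same piece of protocol
machinery, so here is one worked example of it in Python. It is added to
this page and is not mod\_openid's own code (the module is Lua); the
sample message, the `op_endpoint` path and the fixed MAC key are
constructed for illustration. The provider draws the association MAC key
and the response nonce from the operating system's CSPRNG, signs the
assertion over the fields in the order given by `openid.signed`
(OpenID Authentication 2.0 sections 4.1.1 and 6.1), and the relying
party recomputes that HMAC with the association key instead of sending
the assertion back to the provider.

```python
"""Signing and verifying an OpenID 2.0 positive assertion.

Added example; this is not mod_openid's code (the module is Lua). It
implements Key-Value Form (OpenID Authentication 2.0 section 4.1.1),
signature generation (section 6.1) and the nonce format of section 10.1.
The sample message, endpoint path and MAC key below are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time

DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def new_mac_key(assoc_type="HMAC-SHA256"):
    """Association MAC key from the OS CSPRNG, sized to the HMAC digest
    (20 bytes for HMAC-SHA1, 32 for HMAC-SHA256)."""
    return secrets.token_bytes(DIGESTS[assoc_type]().digest_size)


def new_response_nonce(now=None):
    """UTC timestamp followed by unpredictable ASCII characters, so the
    relying party can reject replays (section 10.1)."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return stamp + secrets.token_urlsafe(12)


def kv_encode(fields, signed):
    """Key-Value Form of the fields named in `signed`, in that order.

    One "key:value\n" line per field, key without the "openid." prefix.
    The order comes from the `signed` list, never from iterating the
    message dictionary (or, in Lua, the message table).
    """
    lines = []
    for key in signed:
        value = fields["openid." + key]
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError("cannot encode %r in key-value form" % key)
        lines.append("%s:%s\n" % (key, value))
    return "".join(lines)


def sign(fields, signed, mac_key, assoc_type="HMAC-SHA256"):
    """Provider side: return a copy of `fields` with openid.signed and
    openid.sig filled in (signature = base64(HMAC(key, kv_encode)))."""
    out = dict(fields)
    out["openid.signed"] = ",".join(signed)
    payload = kv_encode(out, signed).encode("utf-8")
    mac = hmac.new(mac_key, payload, DIGESTS[assoc_type]).digest()
    out["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return out


def verify(fields, mac_key, assoc_type="HMAC-SHA256"):
    """Relying-party side: recompute the HMAC over exactly the fields
    listed in openid.signed and compare in constant time."""
    signed = fields.get("openid.signed", "").split(",")
    # Section 10.1: these fields must be covered by the signature.
    required = ["op_endpoint", "return_to", "response_nonce", "assoc_handle"]
    required += [k for k in ("claimed_id", "identity") if "openid." + k in fields]
    if any(k not in signed for k in required):
        return False
    try:
        payload = kv_encode(fields, signed).encode("utf-8")
        given = base64.b64decode(fields["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    expected = hmac.new(mac_key, payload, DIGESTS[assoc_type]).digest()
    return hmac.compare_digest(expected, given)


# Constructed sample: a positive assertion for romeo@montague.lit. The
# op_endpoint path is an assumption; the identifier form is the one the
# README documents. A fixed key keeps the example reproducible; a real
# provider calls new_mac_key() when it creates the association.
SAMPLE_MAC_KEY = bytes(range(32))
SAMPLE_FIELDS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "http://montague.lit:5280/openid",
    "openid.claimed_id": "http://montague.lit:5280/openid/romeo",
    "openid.identity": "http://montague.lit:5280/openid/romeo",
    "openid.return_to": "https://rp.example.org/openid/return",
    "openid.response_nonce": "2015-08-28T16:03:58ZkXo9Q2",
    "openid.assoc_handle": "assoc-001",
}
SIGNED_ORDER = ["op_endpoint", "claimed_id", "identity", "return_to",
                "response_nonce", "assoc_handle", "signed"]

if __name__ == "__main__":
    message = sign(SAMPLE_FIELDS, SIGNED_ORDER, SAMPLE_MAC_KEY)
    print(kv_encode(message, SIGNED_ORDER))
    print("sig:", message["openid.sig"], "verifies:", verify(message, SAMPLE_MAC_KEY))
```

Two things to notice when running it. Signing the same fields in a
different order yields a different `openid.sig` that still verifies,
because the receiver takes the order from `openid.signed` rather than
from its own table iteration; that is the fix for item 5. And `verify`
refuses a message whose `openid.signed` omits any of the fields section
10.1 says must be covered, otherwise a signature over only the harmless
fields would be accepted while `return_to` or the nonce went unchecked.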

Once all these steps are done, mod\_openid could be considered to have
reached "beta" status and be ready for real-world use. The following are
features that would be nice to have in a stable release:

1.  Allow users to always trust realms (*Hard*)

2.  Allow users to remain logged in with a cookie (*Hard*)

3.  Enable simple registration using a user's vCard (*Medium*)

4.  More useful user identity page (*Hard*)
    - Allow users to alter which realms they trust and what simple
      registration information gets sent to relying parties by
      default.

5.  OpenID Bot (*Hard*)
    - Offers all the functionality of the user identity page
      management.

6.  Better designed pages (*Easy*)
    - Use semantic XHTML and CSS to allow for custom styling.
    - Use the Prosody favicon.
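
Item 6 of the TODO list and the two realm-related items above (always
trusting a realm, editing the list of trusted realms) depend on the
provider actually comparing the request's `openid.return_to` against the
`openid.realm` it shows the user. The following Python is an added
example of that check, written for this page rather than taken from
mod\_openid (which is Lua). It implements the matching rules of OpenID
Authentication 2.0 section 9.2 and adds one conservative rule of its
own, refusing wildcard realms with fewer than two labels after the `*.`;
all URLs in it are constructed.

```python
"""Checking an OpenID return_to URL against the request's realm.

Added example; not mod_openid's code (the module is Lua). It follows the
realm rules of OpenID Authentication 2.0 section 9.2: same scheme and
port, path equal to or under the realm's path, and a host equal to the
realm's host or, for a realm of the form "*.example.org", under it.
All URLs used with it here are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Normalised (scheme, host, port, path, fragment); ValueError if the
    URL is not http(s) or has no host. Query strings are ignored."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    return p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme], p.path or "/", p.fragment


def realm_is_valid(realm):
    """Reject realms the provider should not honour: a fragment, a
    wildcard anywhere but the leading host label, or a wildcard so broad
    it would cover a whole top-level domain. The two-label minimum after
    "*." is this example's threshold, not a number from the spec."""
    try:
        _scheme, host, _port, path, fragment = _parts(realm)
    except ValueError:
        return False
    if fragment or "*" in path:
        return False
    if "*" in host:
        rest = host[2:]
        if not host.startswith("*.") or "*" in rest or rest.count(".") < 1:
            return False
    return True


def url_matches_realm(return_to, realm):
    """Section 9.2 match a provider runs before presenting a realm to the
    user as the site that will receive the assertion."""
    if not realm_is_valid(realm):
        return False
    try:
        r_scheme, r_host, r_port, r_path, _ = _parts(realm)
        u_scheme, u_host, u_port, u_path, _ = _parts(return_to)
    except ValueError:
        return False
    if (u_scheme, u_port) != (r_scheme, r_port):
        return False
    if r_host.startswith("*."):
        # "*.example.org" covers example.org itself and any host below it,
        # compared on whole labels so "example.org.evil.net" is rejected.
        if u_host != r_host[2:] and not u_host.endswith(r_host[1:]):
            return False
    elif u_host != r_host:
        return False
    # Directory semantics: realm path "/app" covers "/app" and "/app/..."
    # but not "/application".
    base = r_path.rstrip("/")
    return u_path == base or u_path == base + "/" or u_path.startswith(base + "/")


if __name__ == "__main__":
    for return_to, realm in [
        ("https://login.example.org/cb", "https://*.example.org/"),
        ("https://example.org.evil.net/cb", "https://*.example.org/"),
        ("http://example.org/cb", "https://example.org/"),
        ("https://example.org/application/cb", "https://example.org/app"),
    ]:
        print(return_to, "in", realm, "->", url_matches_realm(return_to, realm))
```

A provider that returns true unconditionally lets a relying party display
one site's realm while receiving the assertion at an unrelated
`return_to`; a user's decision to trust a realm, whether once or
permanently, is only meaningful if this check has passed first. The
wildcard comparison is done on whole labels, which is what keeps
`example.org.evil.net` from matching `*.example.org`, and the scheme and
port are compared so an HTTPS realm cannot be satisfied by a plain HTTP
return address.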

Useful Links
============

- [OpenID Specifications](http://openid.net/developers/specs/)
- [OpenID on Wikipedia](http://en.wikipedia.org/wiki/OpenID)