Mercurial > prosody-modules
comparison mod_openid/README.markdown @ 1803:4d73a1a6ba68
Convert all wiki pages to Markdown
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 28 Aug 2015 18:03:58 +0200 |
parents | mod_openid/README.wiki@29f3d6b7ad16 |
children | b42eb10dc7d2 |
comparison
equal
deleted
inserted
replaced
1802:0ab737feada6 | 1803:4d73a1a6ba68 |
---|---|
1 --- | |
2 labels: | |
3 - 'Stage-Alpha' | |
4 summary: Enables Prosody to act as an OpenID provider | |
5 ... | |
6 | |
7 Introduction | |
8 ============ | |
9 | |
10 [OpenID](http://openid.net/) is an decentralized authentication | |
11 mechanism for the Web. mod\_openid turns Prosody into an OpenID | |
12 *provider*, allowing users to use their Prosody credentials to | |
13 authenticate with various third party websites. | |
14 | |
15 Caveats | |
16 ======= | |
17 | |
18 mod\_openid can best be described as a **proof-of-concept**, it has | |
19 known deficiencies and should **not** be used in the wild as a | |
20 legitimate OpenID provider. mod\_openid was developed using the Prosody | |
21 0.4.x series, it has not been tested with the 0.5.x or later series. | |
22 | |
23 Details | |
24 ======= | |
25 | |
26 OpenID works on the basis of a user proving to a third-party they wish | |
27 to authenticate with, an OpenID *relaying party*, that they have claim | |
28 or ownership over a URL, known as an OpenID *identifier*. mod\_openid | |
29 uses Prosody's built in HTTP server to provide every user with an OpenID | |
30 identifier of the form `http://host.domain.tld[:port]/openid/user`, | |
31 which would be the OpenID identifier of the user with a Jabber ID of | |
32 `user@host.domain.tld`. | |
33 | |
34 Usage | |
35 ===== | |
36 | |
37 Simply add "mod\_openid" to your modules\_enabled list. You may then use | |
38 the OpenID identifier form as described above as your OpenID identifier. | |
39 The port Prosody's HTTP server will listen on is currently set as 5280, | |
40 meaning the full OpenID identifier of the user `romeo@montague.lit` | |
41 would be `http://montague.lit:5280/openid/romeo`. | |
42 | |
43 Configuration | |
44 ============= | |
45 | |
46 mod\_openid has no configuration options as of this time. | |
47 | |
48 TODO | |
49 ==== | |
50 | |
51 The following is a list of the pending tasks which would have to be done | |
52 to make mod\_openid fully featured. They are generally ranked in order | |
53 of most importance with an estimated degree of difficulty. | |
54 | |
55 1. Support Prosody 0.6.x series | |
56 (<font color='blue'><i>Medium</i></font>) | |
57 2. Refactor code (<font color='blue'><i>Medium</i></font>) | |
58 - The code is pretty messy at the moment, it should be refactored | |
59 to be more easily understood. | |
60 | |
61 3. Disable use of "user@domain" OpenID identifier form | |
62 (<font color='green'><i>Easy</i></font>) | |
63 - This is a vestigial feature from the early design, allowing | |
64 explicit specification of the JID. However the JID can be | |
65 inferred from the simpler OpenID identifier form. | |
66 | |
67 4. Use a cryptographically secure Pseudo Random Number Generator (PRNG) | |
68 (<font color='blue'><i>Medium</i></font>) | |
69 - This would likely be accomplished using luacrypto which provides | |
70 a Lua binding to the OpenSSL PRNG. | |
71 | |
72 5. Make sure OpenID key-value pairs get signed in the right order | |
73 (<font color='red'><i>Hard</i></font>) | |
74 - It is important that the OpenID key-value responses be signed in | |
75 the proper order so that the signature can be properly verified | |
76 by the receiving party. This may be complicated by the fact that | |
77 the iterative ordering of keys in a Lua table is not guaranteed | |
78 for non-integer keys. | |
79 | |
80 6. Do an actual match on the OpenID realm | |
81 (<font color='blue'><i>Medium</i></font>) | |
82 - The code currently always returns true for matches against an | |
83 OpenID realm, posing a security risk. | |
84 | |
85 7. Don't use plain text authentication over HTTP | |
86 (<font color='red'><i>Hard</i></font>) | |
87 - This would require some Javascript to perform a digest. | |
88 | |
89 8. Return meaningful error responses | |
90 (<font color='blue'><i>Medium</i></font>) | |
91 - Most error responses are an HTTP 404 File Not Found, obviously | |
92 something more meaningful could be returned. | |
93 | |
94 9. Enable Association (<font color='red'><i>Hard</i></font>) | |
95 - Association is a feature of the OpenID specification which | |
96 reduces the number of round-trips needed to perform | |
97 authentication. | |
98 | |
99 10. Support HTTPS (<font color='blue'><i>Medium</i></font>) | |
100 - With option to only allow authentication through HTTPS | |
101 | |
102 11. Enable OpenID 1.1 compatibility | |
103 (<font color='blue'><i>Medium</i></font>) | |
104 - mod\_openid is designed from the OpenID 2.0 specification, which | |
105 has an OpenID 1.1 compatibility mode. | |
106 | |
107 12. Check specification compliance | |
108 (<font color='blue'><i>Medium</i></font>) | |
109 - Walk through the code and make sure it complies with the OpenID | |
110 specification. Comment code as necessary with the relevant | |
111 sections in the specification. | |
112 | |
113 Once all these steps are done, mod\_openid could be considered to have | |
114 reached "beta" status and ready to real world use. The following are | |
115 features that would be nice to have in a stable release: | |
116 | |
117 1. Allow users to always trust realms | |
118 (<font color='red'><i>Hard</i></font>) | |
119 2. Allow users to remain logged in with a cookie | |
120 (<font color='red'><i>Hard</i></font>) | |
121 3. Enable simple registration using a user's vCard | |
122 (<font color='blue'><i>Medium</i></font>) | |
123 4. More useful user identity page | |
124 (<font color='red'><i>Hard</i></font>) | |
125 - Allow users to alter what realms they trust and what simple | |
126 registration information gets sent to relaying parties by | |
127 default. | |
128 | |
129 5. OpenID Bot (<font color='red'><i>Hard</i></font>) | |
130 - Offers all functionality of the user identity page management | |
131 | |
132 6. Better designed pages (<font color='green'>Easy</font>) | |
133 - Use semantic XHTML and CSS to allow for custom styling. | |
134 - Use the Prosody favicon. | |
135 | |
136 Useful Links | |
137 ============ | |
138 | |
139 - [OpenID Specifications](http://openid.net/developers/specs/) | |
140 - [OpenID on Wikipedia](http://en.wikipedia.org/wiki/OpenID) |