annotate mod_openid.wiki @ 461:b7ea7700c6d9

mod_s2s_auth_monkeysphere: Add s2sauth tag
author Kim Alvefur <zash@zash.se>
date Tue, 20 May 2014 23:52:29 +0200
parents 958865cc13b3
children
#summary Enables Prosody to act as an OpenID provider
#labels Stage-Alpha
= Introduction =

[http://openid.net/ OpenID] is a decentralized authentication mechanism for the Web. mod_openid turns Prosody into an OpenID _provider_, allowing users to use their Prosody credentials to authenticate with various third-party websites.

= Caveats =

mod_openid can best be described as a *proof-of-concept*: it has known deficiencies and should *not* be used in the wild as a legitimate OpenID provider. mod_openid was developed against the Prosody 0.4.x series; it has not been tested with the 0.5.x or later series.

= Details =

OpenID works on the basis of a user proving to a third party they wish to authenticate with, an OpenID _relying party_, that they have claim or ownership over a URL, known as an OpenID _identifier_. mod_openid uses Prosody's built-in HTTP server to provide every user with an OpenID identifier of the form `http://host.domain.tld[:port]/openid/user`, which would be the OpenID identifier of the user with a Jabber ID of `user@host.domain.tld`.

= Usage =

Simply add "mod_openid" to your modules_enabled list. You may then use the OpenID identifier form described above as your OpenID identifier. The port Prosody's HTTP server listens on is currently set to 5280, meaning the full OpenID identifier of the user `romeo@montague.lit` would be `http://montague.lit:5280/openid/romeo`.

= Configuration =

mod_openid has no configuration options at this time.

= TODO =

The following is a list of the pending tasks which would have to be done to make mod_openid fully featured. They are generally ranked in order of importance, each with an estimated degree of difficulty.

# Support Prosody 0.6.x series (<font color="blue">_Medium_</font>)
# Refactor code (<font color="blue">_Medium_</font>)
* The code is pretty messy at the moment; it should be refactored to be more easily understood.
# Disable use of "user@domain" OpenID identifier form (<font color="green">_Easy_</font>)
* This is a vestigial feature from the early design, allowing explicit specification of the JID. However, the JID can be inferred from the simpler OpenID identifier form.
# Use a cryptographically secure Pseudo Random Number Generator (PRNG) (<font color="blue">_Medium_</font>)
* This would likely be accomplished using luacrypto, which provides a Lua binding to the OpenSSL PRNG.
# Make sure OpenID key-value pairs get signed in the right order (<font color="red">_Hard_</font>)
* It is important that the OpenID key-value responses be signed in the proper order so that the signature can be verified by the receiving party. This may be complicated by the fact that the iteration order of keys in a Lua table is not guaranteed for non-integer keys.
# Do an actual match on the OpenID realm (<font color="blue">_Medium_</font>)
* The code currently always returns true for matches against an OpenID realm, posing a security risk.
# Don't use plain text authentication over HTTP (<font color="red">_Hard_</font>)
* This would require some JavaScript to perform a digest.
# Return meaningful error responses (<font color="blue">_Medium_</font>)
* Most error responses are an HTTP 404 File Not Found; obviously something more meaningful could be returned.
# Enable Association (<font color="red">_Hard_</font>)
* Association is a feature of the OpenID specification which reduces the number of round-trips needed to perform authentication.
# Support HTTPS (<font color="blue">_Medium_</font>)
* With an option to only allow authentication through HTTPS.
# Enable OpenID 1.1 compatibility (<font color="blue">_Medium_</font>)
* mod_openid is designed from the OpenID 2.0 specification, which has an OpenID 1.1 compatibility mode.
# Check specification compliance (<font color="blue">_Medium_</font>)
* Walk through the code and make sure it complies with the OpenID specification. Comment code as necessary with the relevant sections of the specification.

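Two of the TODO items above, signing the key-value pairs in the right order and doing a real match on the realm, are the ones with direct security consequences, so here is how OpenID 2.0 specifies both, written out as an added example in Python. This is not mod_openid's own code (the module is Lua) and it is not a Prosody API; it assumes the OpenID 2.0 text for Key-Value Form (section 4.1.1), signature generation (section 6) and realm matching (section 9.2), and its refusal of wildcard realms on a bare top-level domain is a policy choice of the example rather than spec text. The functions `realm_matches`, `kv_encode`, `sign_fields`, `verify_signature` and `new_mac_key`, and every URL, nonce, association handle and key in the block, are constructed for illustration; only the `romeo@montague.lit` identifier is taken from the Usage section.

```python
"""Added example (Python, not mod_openid's Lua): OpenID 2.0 realm matching
(spec 9.2) and ordered key-value signing (spec 4.1.1 and 6).
All URLs, field values and keys below are constructed sample values."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(u):
    """Explicit port, else the scheme default, so https://h/ equals https://h:443/."""
    return u.port if u.port is not None else _DEFAULT_PORTS.get(u.scheme)


def realm_matches(realm: str, return_to: str) -> bool:
    """True iff return_to lies within realm (OpenID 2.0, section 9.2):
    same scheme and port, no fragment, realm path equal to or a parent
    directory of the return_to path, host identical or a '*.' subdomain."""
    r, t = urlsplit(realm), urlsplit(return_to)
    if not r.scheme or r.scheme != t.scheme or _port(r) != _port(t):
        return False
    if r.fragment or t.fragment:
        return False
    r_host, t_host = (r.hostname or "").lower(), (t.hostname or "").lower()
    if r_host.startswith("*."):
        suffix = r_host[2:]                       # "*.example.org" -> "example.org"
        if "." not in suffix:                     # policy choice: refuse "*.org"-style realms
            return False
        if t_host != suffix and not t_host.endswith("." + suffix):
            return False                          # label boundary: "evilexample.org" must not match
    elif not r_host or r_host != t_host:
        return False
    r_path, t_path = r.path or "/", t.path or "/"
    if not r_path.endswith("/"):
        r_path += "/"
    # "/login" matches "/login" and "/login/finish" but not "/loginx".
    return t_path == r_path.rstrip("/") or t_path.startswith(r_path)


def kv_encode(fields: dict, signed: list) -> bytes:
    """Key-Value Form (section 4.1.1): one 'key:value\\n' line per signed field,
    in the order of the signed list ('openid.' prefix already stripped).
    Walking the list, never the dictionary, is what fixes the ordering TODO."""
    lines = []
    for key in signed:
        value = fields[key]                       # KeyError if a signed field is missing
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError("key-value form forbids ':' in keys and newlines anywhere")
        lines.append(f"{key}:{value}\n")
    return "".join(lines).encode("utf-8")


def sign_fields(fields, signed, mac_key, assoc_type="HMAC-SHA256"):
    """openid.sig: base64 of the HMAC over the key-value form (section 6.1)."""
    digest = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA1": hashlib.sha1}[assoc_type]
    mac = hmac.new(mac_key, kv_encode(fields, signed), digest).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_signature(fields, signed, sig, mac_key, assoc_type="HMAC-SHA256"):
    """Relying-party side: recompute from the same ordered list, compare in constant time."""
    return hmac.compare_digest(sign_fields(fields, signed, mac_key, assoc_type), sig)


def new_mac_key(nbytes=32):
    """Association MAC key from the OS CSPRNG (the role the luacrypto TODO gives OpenSSL's PRNG)."""
    return secrets.token_bytes(nbytes)


# Constructed sample positive assertion for romeo@montague.lit (endpoint, nonce and handle invented).
SAMPLE_FIELDS = {
    "ns": "http://specs.openid.net/auth/2.0",
    "mode": "id_res",
    "op_endpoint": "http://montague.lit:5280/openid",
    "claimed_id": "http://montague.lit:5280/openid/romeo",
    "identity": "http://montague.lit:5280/openid/romeo",
    "return_to": "https://rp.example/login/finish",
    "response_nonce": "2014-05-20T21:52:29Zsample",
    "assoc_handle": "sample-handle-1",
}
SAMPLE_SIGNED = ["op_endpoint", "claimed_id", "identity",
                 "return_to", "response_nonce", "assoc_handle"]


def demo():
    """Sign, verify, verify again with the field order scrambled, and check the realm."""
    key = new_mac_key()
    sig = sign_fields(SAMPLE_FIELDS, SAMPLE_SIGNED, key)
    ok = verify_signature(SAMPLE_FIELDS, SAMPLE_SIGNED, sig, key)
    reordered = verify_signature(SAMPLE_FIELDS, SAMPLE_SIGNED[::-1], sig, key)
    in_realm = realm_matches("https://rp.example/login", SAMPLE_FIELDS["return_to"])
    return ok, reordered, in_realm


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The ordering fix is nothing more than iterating the `signed` list instead of the field table; a Lua implementation needs the same discipline (walk the `openid.signed` list rather than `pairs()` over the table). `realm_matches` replaces the always-true check the TODO describes: an assertion for `https://rp.example/login/finish` is accepted under the realm `https://rp.example/login` but refused for a different scheme, port, fragment-bearing URL, sibling path such as `/loginx`, or a host that merely ends in the wildcard suffix.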
Once all these steps are done, mod_openid could be considered to have reached "beta" status and be ready for real-world use. The following are features that would be nice to have in a stable release:

# Allow users to always trust realms (<font color="red">_Hard_</font>)
# Allow users to remain logged in with a cookie (<font color="red">_Hard_</font>)
# Enable simple registration using a user's vCard (<font color="blue">_Medium_</font>)
# More useful user identity page (<font color="red">_Hard_</font>)
* Allow users to alter which realms they trust and what simple registration information gets sent to relying parties by default.
# OpenID Bot (<font color="red">_Hard_</font>)
* Offers all the functionality of the user identity page management.
# Better designed pages (<font color="green">_Easy_</font>)
* Use semantic XHTML and CSS to allow for custom styling.
* Use the Prosody favicon.

= Useful Links =
* [http://openid.net/developers/specs/ OpenID Specifications]
* [http://en.wikipedia.org/wiki/OpenID OpenID on Wikipedia]