annotate mod_openid.wiki @ 4:d3140ba5f382

Created wiki page for mod_openid.
author dbb.google@liqd.org
date Sun, 13 Sep 2009 15:43:33 +0000
parents
children 64ea417e219d

#summary Enables Prosody to act as an OpenID provider
= Introduction =

[http://openid.net/ OpenID] is a decentralized authentication mechanism for the Web. mod_openid turns Prosody into an OpenID _provider_, allowing users to authenticate to third-party websites with their Prosody credentials.

= Caveats =

mod_openid is best described as a *proof-of-concept*: it has known deficiencies (see the TODO section below) and should *not* be used in the wild as a legitimate OpenID provider. mod_openid was developed against the Prosody 0.4.x series and has not been tested with 0.5.x or later.

= Details =

OpenID works by having a user prove to the third-party site they wish to authenticate with, the OpenID _relying party_, that they control a URL, known as an OpenID _identifier_. The relying party discovers the provider from that URL and redirects the user there; the provider authenticates the user and sends the relying party a signed assertion that the user owns the identifier. mod_openid uses Prosody's built-in HTTP server to give every user an OpenID identifier of the form `http://host.domain.tld[:port]/openid/user`, which is the OpenID identifier of the user with the Jabber ID `user@host.domain.tld`.

= Usage =

Add the module to your `modules_enabled` list (module names in the Prosody config omit the `mod_` prefix, so the entry is `"openid"`). Users can then use the identifier form described above as their OpenID identifier. Prosody's HTTP server currently listens on port 5280, so the full OpenID identifier of the user `romeo@montague.lit` is `http://montague.lit:5280/openid/romeo`. Note that this is plain HTTP: the identifier page and the provider's login form travel unencrypted (see the HTTPS items in the TODO list).
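The JID-to-identifier mapping described in the Details and Usage sections, together with the reverse check a provider has to make when a relying party hands one of these identifiers back in an authentication request, as an added Python example. This is not mod_openid's code (the module is Lua); it assumes the port 5280 and the `montague.lit` host from the page, and the function names and localpart rules are this example's own (the forbidden characters are the ones nodeprep prohibits, plus a blanket ban on control characters and space).

```python
from typing import Optional
from urllib.parse import unquote, urlsplit, urlunsplit

HTTP_PORT = 5280            # Prosody's HTTP port per the Usage section (assumed fixed)
HOST = "montague.lit"       # the page's example host (assumption)

# Characters nodeprep (RFC 3920, appendix A) forbids in a JID localpart.
LOCALPART_FORBIDDEN = set('"&\'/:<>@')


def valid_localpart(node: str) -> bool:
    """True if `node` could be the localpart of a JID: non-empty, at most 1023 bytes,
    no nodeprep-forbidden characters and no control characters or spaces."""
    if not node or len(node.encode("utf-8")) > 1023:
        return False
    return not any(c in LOCALPART_FORBIDDEN or ord(c) <= 0x20 or ord(c) == 0x7F for c in node)


def identifier_for_jid(jid: str, port: int = HTTP_PORT) -> Optional[str]:
    """JID -> OpenID identifier, the mapping the Details section describes.
    Returns None for anything that is not a bare, well-formed user@host JID."""
    node, sep, host = jid.partition("@")
    if not sep or not host or "/" in host or not valid_localpart(node):
        return None
    netloc = host.lower() if port == 80 else f"{host.lower()}:{port}"
    return urlunsplit(("http", netloc, "/openid/" + node, "", ""))


def jid_for_identifier(identifier: str, host: str = HOST, port: int = HTTP_PORT) -> Optional[str]:
    """OpenID identifier -> JID. Returns None unless the URL is one this provider actually
    serves: http scheme, exactly our host and port, path /openid/<user>, no query or
    fragment. A provider must refuse to assert identifiers it is not authoritative for,
    so every mismatch is a hard failure rather than a best-effort guess."""
    u = urlsplit(identifier)
    try:
        url_port = u.port or 80                 # .port raises ValueError on a malformed port
    except ValueError:
        return None
    if u.scheme != "http" or u.hostname != host.lower() or url_port != port:
        return None
    if u.query or u.fragment:
        return None
    prefix, sep, node = u.path.partition("/openid/")
    if prefix or not sep or "/" in node:        # only /openid/<one segment>, no trailing slash
        return None
    node = unquote(node)                        # the segment may be percent-encoded
    if not valid_localpart(node):               # e.g. %40 smuggling an "@" into the localpart
        return None
    return f"{node}@{host.lower()}"


if __name__ == "__main__":
    ident = identifier_for_jid("romeo@montague.lit")
    print(ident)                                                        # http://montague.lit:5280/openid/romeo
    print(jid_for_identifier(ident))                                    # romeo@montague.lit
    print(jid_for_identifier("http://capulet.lit:5280/openid/romeo"))   # None: not our host
```

The reverse direction is the one that matters for security: a `checkid_setup` request names an `openid.identity`, and the provider must only ever assert identifiers it serves and that belong to the account that just logged in, so the parser returns None on any deviation (other host or port, extra path segments, a query or fragment, or a decoded localpart that is not a valid node).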

= Configuration =

mod_openid has no configuration options at this time.

= TODO =

The following pending tasks would have to be done to make mod_openid fully featured. They are ranked roughly by importance, each with an estimated degree of difficulty.

# Support Prosody 0.5.x series (<font color="blue">_Medium_</font>)
# Refactor code (<font color="blue">_Medium_</font>)
* The code is pretty messy at the moment; it should be refactored so that it is more easily understood.
# Disable use of "user@domain" OpenID identifier form (<font color="green">_Easy_</font>)
* This is a vestigial feature from the early design, allowing explicit specification of the JID. However, the JID can be inferred from the simpler OpenID identifier form, and accepting a second identifier form for the same account only adds another input that has to be validated.
# Use a cryptographically secure Pseudo Random Number Generator (PRNG) (<font color="blue">_Medium_</font>)
* This would likely be accomplished using luacrypto, which provides a Lua binding to the OpenSSL PRNG. Every value that must be unguessable (association secrets, nonces) has to come from such a source; the output of an ordinary PRNG is predictable.
# Make sure OpenID key-value pairs get signed in the right order (<font color="red">_Hard_</font>)
* The OpenID key-value pairs must be signed in the order listed in `openid.signed` so that the receiving party can verify the signature. This is complicated by the fact that the iteration order of `pairs()` over a Lua table is not defined for non-integer keys; the signed field names need to be kept in an array and iterated in that order.
# Do an actual match on the OpenID realm (<font color="blue">_Medium_</font>)
* The code currently always returns true for matches against an OpenID realm, posing a security risk: a relying party can have the assertion sent to a `return_to` URL outside the realm the user was shown and asked to trust.
# Don't use plain text authentication over HTTP (<font color="red">_Hard_</font>)
* This would require some JavaScript to perform a digest. Note that a client-side digest only hides the password from passive eavesdroppers; an active attacker on plain HTTP can replace the script, so HTTPS (below) is the real fix.
# Return meaningful error responses (<font color="blue">_Medium_</font>)
* Most error conditions are currently reported as an HTTP 404 Not Found; something more meaningful should be returned, such as the OpenID error response (`openid.mode=error` with `openid.error`) where the specification calls for it.
# Enable Association (<font color="red">_Hard_</font>)
* Association is a feature of the OpenID specification which reduces the number of round-trips needed to perform authentication: the relying party and the provider establish a shared MAC key up front, so the relying party can verify assertion signatures itself instead of calling back to the provider for each one.
# Support HTTPS (<font color="blue">_Medium_</font>)
* With an option to only allow authentication through HTTPS.
# Check specification compliance (<font color="blue">_Medium_</font>)
* Walk through the code and make sure it complies with the OpenID specification. Comment the code as necessary with the relevant sections of the specification.
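Items 4, 5 and 6 of the list above (CSPRNG, signing order, realm matching) as one worked Python example of the provider's positive-assertion path. It is added here and is not mod_openid's code (the module is Lua). It assumes an endpoint URL of its own choosing, a per-association MAC key handed in by the caller, and that the caller has already authenticated the user; the HMAC-SHA256 choice, the identity-ownership check and the relying-party-side `verify` are this example's additions, and the sample request is constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

# Assumed provider details: the page gives the identifier form and port 5280; the endpoint URL
# is this example's own guess, not mod_openid's real one.
OP_HOST, OP_PORT = "montague.lit", 5280
OP_ENDPOINT = f"http://{OP_HOST}:{OP_PORT}/openid"
DEFAULT_PORTS = {"http": 80, "https": 443}

def new_mac_key() -> bytes:
    """TODO item 4: keys, nonces and anything else that must be unguessable come from the CSPRNG."""
    return secrets.token_bytes(32)

def realm_matches(realm: str, return_to: str) -> bool:
    """TODO item 6: OpenID 2.0 section 9.2 check of return_to against the realm (never just True)."""
    r, u = urlsplit(realm), urlsplit(return_to)
    try:
        r_port, u_port = r.port or DEFAULT_PORTS.get(r.scheme), u.port or DEFAULT_PORTS.get(u.scheme)
    except ValueError:                            # malformed port
        return False
    if r.fragment or r.scheme not in DEFAULT_PORTS or r.scheme != u.scheme or r_port != u_port:
        return False
    r_host, u_host = r.hostname or "", u.hostname or ""
    if r_host.startswith("*."):
        suffix = r_host[1:]                       # "*.capulet.lit" -> ".capulet.lit"
        if "." not in suffix.strip("."):          # refuse over-broad realms such as *.lit
            return False
        if u_host != suffix[1:] and not u_host.endswith(suffix):
            return False                          # the leading dot keeps evilcapulet.lit out
    elif not r_host or r_host != u_host:
        return False
    r_path, u_path = r.path or "/", u.path or "/"   # return_to must be the realm path or below it
    return u_path == r_path or u_path.startswith(r_path.rstrip("/") + "/")

def kv_encode(pairs) -> str:
    """Key-Value Form encoding (section 4.1.1): one "key:value\\n" per pair, order preserved."""
    pairs = list(pairs)
    if any(":" in k or "\n" in k or "\n" in v for k, v in pairs):
        raise ValueError("key-value form cannot encode a colon in a key or a newline anywhere")
    return "".join(f"{k}:{v}\n" for k, v in pairs)

def sign(fields: dict, signed: list, mac_key: bytes) -> str:
    """TODO item 5: HMAC-SHA256 over the kv-form of the fields named in openid.signed, in exactly
    that order (section 6.1). `signed` is a list, not a dict/table, so the order is explicit."""
    message = kv_encode((k, fields[k]) for k in signed)
    mac = hmac.new(mac_key, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def identifier_for_jid(jid: str) -> str:
    node, _, host = jid.partition("@")
    return f"http://{host}:{OP_PORT}/openid/{node}"

def positive_assertion(req: dict, authenticated_jid: str, assoc_handle: str, mac_key: bytes,
                       now: Optional[float] = None) -> dict:
    """Signed openid.mode=id_res response to a checkid_setup request (section 10.1), issued only
    after the realm check and after confirming the identity belongs to the user who logged in."""
    return_to = req["openid.return_to"]
    if not realm_matches(req.get("openid.realm", return_to), return_to):
        raise PermissionError("openid.return_to lies outside openid.realm")
    if req["openid.identity"] != identifier_for_jid(authenticated_jid):
        raise PermissionError("openid.identity is not the authenticated user's identifier")
    fields = {
        "ns": "http://specs.openid.net/auth/2.0",
        "mode": "id_res",
        "op_endpoint": OP_ENDPOINT,
        "claimed_id": req["openid.claimed_id"],
        "identity": req["openid.identity"],
        "return_to": return_to,
        # nonce = current UTC time (lets relying parties reject stale ones) + CSPRNG suffix for uniqueness
        "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)) + secrets.token_urlsafe(8),
        "assoc_handle": assoc_handle,
    }
    # "signed" is itself in the list, so the signature also covers which fields were signed.
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle", "signed"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = sign(fields, signed, mac_key)
    return {"openid." + k: v for k, v in fields.items()}

def verify(response: dict, mac_key: bytes) -> bool:
    """Relying-party side: recompute the MAC over the fields in the order openid.signed names them."""
    signed = response.get("openid.signed", "").split(",")
    try:
        fields = {k: response["openid." + k] for k in signed}
    except KeyError:
        return False
    return hmac.compare_digest(sign(fields, signed, mac_key), response.get("openid.sig", ""))

# Constructed checkid_setup request from a relying party on capulet.lit (not a real capture).
SAMPLE_REQUEST = {
    "openid.claimed_id": "http://montague.lit:5280/openid/romeo",
    "openid.identity": "http://montague.lit:5280/openid/romeo",
    "openid.return_to": "https://www.capulet.lit/openid/finish?state=abc",
    "openid.realm": "https://*.capulet.lit/openid/",
}
```

Typical use is `resp = positive_assertion(SAMPLE_REQUEST, "romeo@montague.lit", "assoc-1", new_mac_key())`, after which the relying party's `verify(resp, key)` is true and becomes false if any signed field is altered or the order in `openid.signed` is changed, which is exactly why the provider cannot sign in whatever order a hash table happens to iterate. A real relying party must additionally check that `return_to` is the URL it sent, that the nonce is fresh and unused, and that `op_endpoint` is the provider it discovered for the claimed identifier.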

Once all these steps are done, mod_openid could be considered to have reached "beta" status and be ready for real-world use. The following are features that would be nice to have in a stable release:

# Allow users to always trust realms (<font color="red">_Hard_</font>)
# Allow users to remain logged in with a cookie (<font color="red">_Hard_</font>)
# Enable simple registration using a user's vCard (<font color="blue">_Medium_</font>)
# More useful user identity page (<font color="red">_Hard_</font>)
* Allow users to alter which realms they trust and what simple registration information gets sent to relying parties by default.
# OpenID Bot (<font color="red">_Hard_</font>)
* Offers all of the identity page management functionality through a bot.
# Better designed pages (<font color="green">_Easy_</font>)
* Use semantic XHTML and CSS to allow for custom styling.
* Use the Prosody favicon.