Unobtrusive OpenID
I’ve implemented a small amount of glue code that calls out to the JanRain Python OpenID library. Unlike most other OpenID-enabled consumers, I’ve made a few simplifying assumptions; if anybody sees something I missed, please leave me a comment.
My assumptions are that if your website is OpenID enabled, (1) you want to authenticate, and (2) you don’t want anybody else to be able to “spoof” your ID. With these assumptions, I can eliminate the need for anybody to “login” to my site. People simply enter their comments normally, and when they press “Submit”, Yadis autodiscovery is performed.
- If OpenID is not enabled, then the submit proceeds normally.
- If OpenID is enabled, and you are logged in and accept my site’s trust_root, then again you should see no visible change beyond a slight delay.
- Only if OpenID is enabled and you are either not logged in to your site or you haven’t indicated that you trust my site do you see any extra interaction.
Additionally, my site makes no use of cookies or JavaScript. Instead, I employ URL rewriting techniques to achieve the effect of a session. Of course, your OpenID provider may require cookies, but that is entirely between you and that provider.
Finally, I haven’t integrated this with my spam avoidance techniques, with two minor exceptions. If you authenticate, I put the address of your OpenID provider in the title of the link instead of your IP address. Additionally, if you authenticate, I never put in a rel="nofollow". Of course, all this is subject to change at any moment.
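One way to get the effect of a session without cookies, as an added example (this is not the code running this site): the pending comment is parked server-side under a random, single-use, expiring key, and only that key is appended to the return_to URL. The names `PendingStore`, `return_to`, `key_from_query`, the `session` query parameter and the sample session fields are assumptions made for the illustration.

```python
import os
import pickle
import re
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# token_urlsafe(32) yields 43 URL-safe characters (256 random bits).
KEY_RE = re.compile(r"\A[A-Za-z0-9_-]{43}\Z")

class PendingStore:
    """Server-side store for state parked while the visitor is at the provider."""
    def __init__(self, directory, ttl=600):
        self.directory, self.ttl = directory, ttl  # ttl: seconds a key stays valid

    def _path(self, key):
        # The key arrives in a URL, so validate it before it touches the filesystem.
        if not KEY_RE.match(key):
            raise KeyError("malformed session key")
        return os.path.join(self.directory, key + ".pending")

    def save(self, session):
        key = secrets.token_urlsafe(32)
        fd = os.open(self._path(key), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            pickle.dump({"expires": time.time() + self.ttl, "session": session}, fh)
        return key

    def redeem(self, key):
        path = self._path(key)
        claimed = path + "." + secrets.token_hex(8)
        try:
            os.rename(path, claimed)  # atomic claim: a replayed key finds nothing
        except FileNotFoundError:
            raise KeyError("unknown or already used session key") from None
        with open(claimed, "rb") as fh:
            record = pickle.load(fh)  # bytes written by save(), never by the client
        os.remove(claimed)
        if record["expires"] < time.time():
            raise KeyError("expired session key")
        return record["session"]

def return_to(base_url, key):
    """Append the key to this site's portion of the return_to URL."""
    parts = urlsplit(base_url)
    query = parse_qsl(parts.query) + [("session", key)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def key_from_query(query_string):
    """Pull exactly one session key out of QUERY_STRING on the way back."""
    values = [v for k, v in parse_qsl(query_string) if k == "session"]
    if len(values) != 1:
        raise KeyError("expected exactly one session parameter")
    return values[0]
```

A valid key only recovers the parked comment; whether the commenter is authenticated must still come from verifying the provider's response.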
Curious to see what happens when I log-in to OpenID with my iname (=rod.begbie) instead of a URL...
Posted by Rod Begbie at
Not sure if my previous attempt to post using an iname (=rod.begbie) as my OpenID failed silently, or worked silently! Trying again with my regular URL OpenID.
One thought: should the OpenID check happen on Preview rather than Submit?
Posted by Rod Begbie at
Nice implementation! How hard was it to get the JanRain library to pass data in the URL instead of using a session?
Posted by Simon Willison at
Sam’s implementation passes association data in the URL rather than using sessions. I need to do that here. ...
Excerpt from Simon Willison's Weblog at
Curious to see what happens when I log-in to OpenID with my iname (=rod.begbie) instead of a URL...
Looks like it half worked. Better clearly would have been to either completely work or completely not work.
Not sure if my previous attempt to post using an iname (=rod.begbie) as my OpenID failed silently, or worked silently!
HTTP caching strikes again. I take great pains to clear the cache on the server side before returning back to you, but you may have other caches involved.
One thought: should the OpenID check happen on Preview rather than Submit?
Lots of reasons why I didn’t go that way. I get lots of spammers that get blocked at preview. Non-spammers may preview multiple times before submitting. Finally, if I validate identity before submit, that opens up a window for somebody else to spoof your id.
How hard was it to get the JanRain library to pass data in the URL instead of using a session?
You still get a session, but that can be placed into a dict, which you can then pickle and store wherever you like. Simply append the key to your portion of the returnto uri and Bob’s your uncle.
That didn’t seem to have worked. My URL has the autodiscovery tags for server and delegate pointing towards my myopenid account, and I’ve successfully authed on Simon Willison’s weblog using the same URI. If this is a bug, I hope this helps in finding it.
(PS: I’m trying to submit this with a http:// -less URL. If this works and the previous post didn’t, you know why.)
Posted by Jesper at
Yep - that seems to be it. URLs that are just hostnames (without http:// ) work, full URLs don’t. Sorry for posting three consecutive comments.
Posted by Jesper at
It works as described, although there was a hiccup logging in with Verisign PIP (my OpenID provider).
I found the expression “if your website is OpenID enabled” a little confusing at first. Then I realised you mean that the website is either an OpenID provider or delegates that elsewhere.
Posted by Michael Strasser at
Sorry to clog up your comments, but I’m trying with a proper URI, not just my domain name.
Posted by Michael Strasser at
It would be nice if the comments got your name from the identity provider, if possible, too.
Posted by Andrew Sidwell at
I got the following error on authenticating with my openid server. After giving your site access forever, I redirected to a page with the URL [link]
with the following error:
CGI Failure
traceback:
Traceback (most recent call last):
File "gateway.cgi", line 45, in ?
identity.validate(dict(cgi.parse_qsl(os.environ['QUERY_STRING'])))
File "/home/rubys/mombo/identity.py", line 45, in validate
writeComment(session['parent'],title,body,decache=True)
File "/home/rubys/mombo/post.py", line 230, in writeComment
raise message
POST limit exceeded
I am using delegated OpenId from my personal domain to myopenid.
Posted by Bruce Boughton at
Using python-openid-combo-20061208:
from openid.store import filestore
from openid.consumer import consumer
store = filestore.FileOpenIDStore('.')
session = {}
server = consumer.Consumer(session, store)
request = server.begin('http://paul.querna.org/')
Produces:
Traceback (most recent call last):
File "paulquerna.py", line 12, in ?
request = server.begin('http://paul.querna.org/')
File "openid/consumer/consumer.py", line 295, in begin
yadis.discover.DiscoveryFailure: Error fetching XRDS document
Posted by Sam Ruby at
The early demos of OpenID worked in a similar fashion, with the OpenID auth being a one-shot authentication mechanism for a particular transaction rather than actually creating a login session. I think this is a better approach for things like weblogs where the interactions tend to be very disjointed and impromptu.
Is the blog software here home-rolled or is it some open source thing? If the latter, please contribute your OpenID implementation to the project in question! :)
Posted by Martin Atkins at
Sorry to clog up your comments
OpenID testing is definitely on-topic for this post
testing without http://
As OpenID seems to have created an expectation that URI schemes are optional, I’ve added code to fixup non-URIs that may be entered into the input field labeled URI.
Is the blog software here home-rolled or is it some open source thing?
Home-rolled, but published.
Posted by Sam Ruby at
Another test (I’m oldschool and my OpenID is from Typekey, and no-one told me about delegation until recently).
Posted by James at
I’ve seen this posting, set up a new pip account with Verisign and this test comment (where I’m not sure if I am doing it correctly: I’m not sure if the uri should be the Verisign identity url “culverden.pip.verisignlabs.com” or the uri “http://culverden.org.uk” of the site I registered with Verisign on that account) is part of my learning process.
Posted by Dave Saunders at
Chris: in your case, OpenID Delegation would work if you were to insert a <html> tag at the top of your page.
Posted by Sam Ruby at
The html element start tag is optional in HTML. Relying on it seems wrong.
Posted by Anne van Kesteren at
The html element start tag is optional in HTML. Relying on it seems wrong.
You might consider it wrong, but that’s what the Python JanRain OpenID library does.
Posted by Sam Ruby at
It’s OpenID’s week. I just posted a couple of days ago a CherryPy 3 tool using the same library:
Posted by Sylvain Hellegouarch at
This is a test to see if my IRI will work. I’m running a slightly modified version of phpMyID and it seemed to work ok when I tested the punycode URI with the OpenID Page Test at openidenabled.com (they don’t seem to support IRIs).
I’m also curious to know whether you could obtain my name and email address automatically from my server if I had left those fields blank? And what if the values were not blank, but different - which would take precedence?
Posted by James Holderness at
I’ve been fascinated at some of the transparent OpenID support that’s being deployed. SeriousEats.com’s internal login system is OpenID-powered (though not really exposed yet) and uses email address for login; I think the eventual goal is to move to something like what you’ve done here.
Someday this will all be so easy. ;)
Posted by Anil at
Works great when your URI is your OpenID identifier too. I guess I’ll try with my i-name for now. But what happens if you have a typo in your URI?
Posted by John Panzer at
[from mike61079] Unobtrusive OpenID
Sam’s implementation passes association data in the URL rather than using sessions....
Excerpt from del.icio.us/network/cooldmz at
OpenID for non-SuperUsers
Based on the results of my Unobtrusive OpenID post, it is quite evident that there is a lot of partial knowledge about OpenID out there. While my knowledge on the subject is far from complete, this post is my attempt to share what I have... [more]
Trackback from Sam Ruby at
I’m one of the many that didn’t entirely catch on (about the home page URIs) at first. Thanks for the clarification.
Posted by Dave Saunders at
Sam does OpenID
Sam Ruby’s recent interest in OpenID might be the best thing that could happen. With the size of his audience (2234 subscribers on Bloglines only), his deep understanding of how to spread stuff like this and his desire to hack it is bound to...
Excerpt from protocol7 at
Cool. This is pretty much exactly how I’ve been implementing OpenID blog stuffs.
Posted by Bob Aman at
Well, that’s weird. It didn’t work the first time around, but seems to have worked just fine the second time...
Posted by Bob Aman at
Works like a charm, though doesn’t seem to care about the name/e-mail available via OpenID simple registration.
Posted by Dmitry Shechtman at
OpenID Fetish
I’ve been quiet lately because all my spare time got sucked into OpenID. I had intended to add OpenID support to ongoing myidspace project but Sam Ruby’s tinkering with OpenID got me to change my priorities. Monkey see, monkey do. What people...
Excerpt from Don Park's Daily Habit at
I got similar CGI-failure using MyLID from my WikiLog header [link] ....
traceback:
Traceback (most recent call last):
File "gateway.cgi", line 45, in ?
identity.validate(dict(cgi.parse_qsl(os.environ['QUERY_STRING'])))
File "/home/rubys/mombo/identity.py", line 53, in validate
writeComment(session['parent'],title,body,decache=True)
File "/home/rubys/mombo/post.py", line 230, in writeComment
raise message
POST limit exceeded
z2007-01-07-RecentOpenIdAction
DaveWiner "got":[link] an OpenID and put the URI-s in his WebLog header. SixApart’s VOX "supports":[link] it (in addition to LiveJournal, where it...
Excerpt from WebSeitz/wikilog at
OK, I researched into the problem Bill encountered. “POST limit exceeded” is my generic message for spammers. Originally designed as a throttle for three posts in a row, with a few adjustments; it has evolved into a “three strike” policy where number of recent posts is only one factor.
In this case, the message that Bill was trying to post was:
Testing with LID URI in header of my WikiLog. http://webseitz.fluxent.com/wiki
Here’s the strike count:
- Posting a raw URI, not as a link, within the post counts as a strike.
- Posting the same URI within the post as was used to identify the author counts as a second strike.
- Not having either posted to my weblog in the past 90 days or having visited this weblog from that IP address within the past seven caused Bill to be identified as a stranger and got this post an additional third strike.
At the present time, I doubt that there are any spammers that authenticate with OpenID, but I have no doubt that that will change over time. Given that the above post just barely met the threshold and wouldn’t be considered typical for comments on other weblog entries, I’ve decided to make only the most modest of adjustments to my algorithm to accommodate this:
Posts which are authenticated with openid are now given one additional strike.
I invite Bill to comment back to test this. Note: as more than an hour has elapsed, if he does post back from the same IP address, he will no longer be considered a stranger.
Posted by Sam Ruby at
Thanks for the intro to OpenID, I first heard about it from a Shopify developer as they were considering it for integration into their product.
]{evin
Posted by Kevin Driedger at
Up and coming: OpenID
Occasionally I’ve gotten some comments about my use of LiveJournal for my weblog. I like LiveJournal for a lot of reasons, and the main reason people seem to be opposed to it is that they don’t want to create a LiveJournal account just to be able to...
Excerpt from Chris Hanson at
Sam, my own openid client gets just openid.mode=id_res and open.user_setup_url back from Vox even when I am signed-in at Vox which means Vox refused the immediate mode in favor of explicit sign-in. Are you doing anything special to get the successful checkid_immediate call? Rather puzzled here.
Posted by Don Park at
Nevermind. It was the browser cookies from Vox which isn’t present when running from the my java-based server test suite. Egads. This is not going to be pretty... [Don mutters as he descends into the darkness]
Posted by Don Park at
The Quest for Online Identity
I wonder if I’m the only one who’s a bit suspicious of OpenID? But then, I must admit, I think any ‘online identity systems’ is a terrible idea. Ever since analyzing Passport I’ve come to suspect that any formalized, distributed identity system...
Excerpt from discipline and punish at
I tried again earlier today (from previous IP, not this one). Didn’t get the same CGI error as before. But did end up with an empty “edit your comment” form (empty other than having “anonymous” in the name).
And I don’t see the comment above.
Therefore something didn’t work.
Posted by Bill Seitz at
Now it did work.
(Earlier attempts were from home, Mac/Firefox. This successful attempt was from office, WinXP/Firefox. Don’t know whether that matters...)
Posted by Bill Seitz at
OpenID for non-SuperUsers
OpenID for non-SuperUsers: Based on the results of my Unobtrusive OpenID post, it is quite evident that there is a lot of partial knowledge about OpenID out there. While my knowledge on the subject is far from complete, this post is my...
Excerpt from Spoken at
Identity by URI
There have been some great projects lately about moving information control into the hands of users such as Move My Data. In that vein there is the idea of profile data using microformats. For example you have a list of your friends marked up on...
Excerpt from ebyblog at
Great post - if OpenID “just worked” everywhere I think adoption/acceptance would be much improved.
Posted by Dave Holland at
Unobtrusive wpopenid
I’ve been meaning to install Alan Castonguay’s wpopenid plugin to enable OpenID authenticated comments for some time now. I finally got around to it tonight, and was overall pleased with it, despite a few minor bugs. More importantly...
Excerpt from willnorris.com at
Now Supporting OpenID For Comments
This blog now supports OpenID for comments. I got a favorable response and that was enough for me to use it here. I am using the wpopenid fork created by Will Norris. The plugin is extremely easy to use, but I hope that OpenID is tightly integrated...
Excerpt from iface thoughts at
Unobtrusive wpopenid
I’ve been meaning to install Alan Castonguay’s wpopenid wordpress plugin to enable OpenID authenticated comments for some time now. I finally got around to it tonight, and was overall pleased with it, despite a few minor bugs. More importantly...
Excerpt from willnorris.com at
Just wanted to test my OpenID as I had “Server denied check_authentication.” somewhere else ...
Posted by Johannes Athmer at
Gábor: For the conversation after today’s Newtech Meetup: perfect OpenID logic for blogs. http://tinyurl.com/ysorby
Gábor: For the conversation after today’s Newtech Meetup: perfect OpenID logic for blogs. [link]...
Excerpt from Turulcsirip at
TEST? Sorry but I don’t think this will work since I can’t get typekey to work as my openid
Posted by logicnazi at
Late to the game... would love to get this wired into twiki for comments, but not for ‘authenticating’ twiki users. Did I miss the code snippet?
Posted by John at
John: Go to the top of this post. Search for the word “code”. :-)
It’s Python, not Perl, but the concepts might be helpful.
Posted by Sam Ruby at
awesome. the simplifying assumptions make sense, and it’s way more elegant than separate name, url and openid boxes.
Posted by Ryan at
This sounds like a very nifty idea.
A screencast showing how this works rather than having an ever growing list of comments might make it seem more immediately appealing though.
Posted by Chris Adams at
OpenID for Dummies
How to use OpenID to manage identities...
Excerpt from El agente secreto at
Looks interesting. I’m playing with OpenId and wanted to see how well this worked.
Posted by Steve Ellwood at
OpenId in really good movement for any blog system. I do not know about this Openid system before I read your post, many thanks for your tip about open id.
Goonie
Posted by babyfirstyear at
I don’t really understand all I’ve read about openID so maybe actually using it will fill in some gaps? In the URI field I put my openID URI instead of my usual personal domain name. I guess in a minute or two I’ll see what the big deal is yah?
Posted by EdB at
That wasn’t very exciting. I had to tell myopenid that yeah it’s me in order to post the test comment. I’m going to have to play with this on a couple of domains I own, but so far I don’t understand why I would want an OpenID.
Thanks though!
Posted by EdB at
Now that’s spiffy. I want to implement it in my commenting system. Darn it, I have enough coding projects going on right now!
Posted by Keith at
Test comment.
Oh, dear. That doesn’t look good. Please do tell me what you were testing?
Posted by Sam Ruby at
2.5
Upgraded to WordPress 2.5. My OpenID plugin may be broken. Investigating. Update: I’ve been saddened by the state of OpenID integration in WordPress — none — for quite some time. 2.3 and below just didn’t offer enough logic to be able to...
Excerpt from Waffle at
Am I just supposed to know that the URI is where my OpenID goes? I’d normally put my site there, but I haven’t set up my site as an OpenID delegate yet.
Posted by AdamD at
This is the nicest guide I’ve seen to the OpenID process. Special thanks for pointing readers to openidenabled.com .
Posted by Colin at
test comment
Posted by Sam Ruby at