I’ve implemented a small amount of glue code that calls out to the JanRain Python OpenID library. Unlike most other OpenID enabled consumers, I’ve made a few simplifying assumptions; if anybody sees something I missed, please leave me a comment.
My assumptions are that if your website is OpenID enabled, (1) you want to authenticate, and (2) you don’t want anybody else to be able to “spoof” your ID. With these assumptions, I can eliminate the need for anybody to “log in” to my site. People simply enter their comments normally, and when they press “Submit”, Yadis autodiscovery is performed on the URI they supplied.
If OpenID is not enabled, then the submit proceeds normally.
If OpenID is enabled, and you are logged in to your provider and have accepted my site’s trust_root, then you should see no visible change beyond a slight delay.
Only if OpenID is enabled and you are either not logged in to your site or you haven’t indicated that you trust my site do you see any extra interaction.
Additionally, my site makes no use of cookies or JavaScript. Instead, I employ URL rewriting techniques to achieve the effect of a session. Of course, your OpenID provider may require cookies, but that is entirely between you and that provider.
Finally, I haven’t integrated this with my Spam avoidance techniques - with two minor exceptions. If you authenticate, I put the address of your OpenID provider in the title of the link instead of your IP address. Additionally, if you authenticate, I never put in a rel="nofollow". Of course, all this is subject to change at any moment.
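The flow above, written out as an added example (this is not the weblog’s own code and it does not use the JanRain library): Yadis discovery and the provider’s signature check are injected stand-ins so the decision logic runs offline, the trust_root http://example.org/ and the gateway.cgi path are assumed, and the pending comment is parked server-side under a random token carried in return_to, which stands in for a cookie. It also shows the two later points from the comment thread: a scheme-less URI gets http:// prepended before discovery, and the comment is only written to the store after the provider’s response has been verified, so there is no window in which someone else could post under a validated identity.

```python
"""Unobtrusive OpenID comment flow, modelled without the JanRain library.

Added illustration, not the weblog's own code.  The real site calls the
JanRain Python OpenID library for Yadis discovery and for verifying the
provider's response; here both are stand-ins (`discover` and `verify` are
injected callables) so the decision logic can run offline.  Session state
lives in a server-side dict keyed by a random token that travels in the
return_to URL, so no cookies and no JavaScript are needed, and the comment
is written only after a successful verification.
"""
import pickle
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

TRUST_ROOT = "http://example.org/"   # assumed trust_root of this weblog
SESSIONS = {}                        # token -> pickled session dict (stand-in store)
POSTED = []                          # accepted comments (stand-in database)


def normalize_identifier(value):
    """Fix up scheme-less input such as 'culverden.pip.verisignlabs.com'.
    XRI i-names ('=rod.begbie', '@org') are passed through untouched."""
    value = value.strip()
    if not value:
        return ""
    if value[0] in "=@+$!" or value.startswith("xri://"):
        return value
    if "://" not in value:
        value = "http://" + value
    return value


def submit_comment(form, discover):
    """Handle the Submit button.

    form:     dict with 'uri', 'name', 'title', 'body'.
    discover: callable(identifier) -> provider endpoint URL, or None when the
              identifier is not OpenID enabled (stand-in for Yadis discovery).
    Returns ('posted', comment) or ('redirect', url)."""
    identifier = normalize_identifier(form.get("uri", ""))
    endpoint = discover(identifier) if identifier else None
    if endpoint is None:
        # Not OpenID enabled: the submit proceeds normally.
        comment = dict(author=form.get("name", "anonymous"), uri=identifier,
                       title=form["title"], body=form["body"], verified=False)
        POSTED.append(comment)
        return ("posted", comment)

    # OpenID enabled: park the pending comment server-side and send the user
    # to the provider in immediate mode.  The token in return_to replaces a cookie.
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = pickle.dumps(dict(form=form, identity=identifier, endpoint=endpoint))
    return_to = TRUST_ROOT + "gateway.cgi?" + urlencode({"sid": token})
    query = {
        "openid.mode": "checkid_immediate",
        "openid.identity": identifier,
        "openid.return_to": return_to,
        "openid.trust_root": TRUST_ROOT,
    }
    return ("redirect", endpoint + "?" + urlencode(query))


def handle_return(query_string, verify):
    """Handle the provider's redirect back to gateway.cgi.

    verify: callable(params, expected_identity) -> bool, stand-in for the
            library's signature check of the id_res response.
    Returns ('posted', comment), ('redirect', setup_url) or ('rejected', why)."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    token = params.get("sid")
    if token not in SESSIONS:
        return ("rejected", "unknown or expired session")
    session = pickle.loads(SESSIONS.pop(token))   # single use: a replayed response finds nothing

    if params.get("openid.mode") == "cancel":
        return ("rejected", "user cancelled")
    if "openid.user_setup_url" in params:
        # Provider refused immediate mode (not logged in, or trust_root not yet
        # accepted): the only case where the user sees extra interaction.
        SESSIONS[token] = pickle.dumps(session)   # keep the pending comment for the setup round trip
        return ("redirect", params["openid.user_setup_url"])
    if params.get("openid.mode") != "id_res" or not verify(params, session["identity"]):
        return ("rejected", "signature/identity check failed")

    # Only now, after verification, is the comment written.
    form = session["form"]
    comment = dict(author=form.get("name", "anonymous"), uri=session["identity"],
                   title=form["title"], body=form["body"], verified=True,
                   provider=urlsplit(session["endpoint"]).netloc)
    POSTED.append(comment)
    return ("posted", comment)
```

Popping the session on every return and re-storing it only for the setup redirect is what keeps a copied or replayed provider response from posting twice; in the real deployment the library’s nonce and signature checks do the rest.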
Not sure if my previous attempt to post using an iname (=rod.begbie) as my OpenID failed silently, or worked silently! Trying again with my regular URL OpenID.
One thought: should the OpenID check happen on Preview rather than Submit?
Curious to see what happens when I log-in to OpenID with my iname (=rod.begbie) instead of a URL...
Looks like it half worked. Better clearly would have been to either completely work or completely not work.
Not sure if my previous attempt to post using an iname (=rod.begbie) as my OpenID failed silently, or worked silently!
HTTP caching strikes again. I take great pains to clear the cache on the server side before returning back to you, but you may have other caches involved.
One thought: should the OpenID check happen on Preview rather than Submit?
Lots of reasons why I didn’t go that way. I get lots of spammers that get blocked at preview. Non-spammers may preview multiple times before submitting. Finally, if I validate identity before submit, that opens up a window for somebody else to spoof your id.
How hard was it to get the JanRain library to pass data in the URL instead of using a session?
You still get a session, but that can be placed into a dict, which you can then pickle and store wherever you like. Simply append the key to your portion of the return_to URI and Bob’s your uncle.
That didn’t seem to have worked. My URL has the autodiscovery tags for server and delegate pointing towards my myopenid account, and I’ve successfully authed on Simon Willison’s weblog using the same URI. If this is a bug, I hope this helps in finding it.
(PS: I’m trying to submit this with a http:// -less URL. If this works and the previous post didn’t, you know why.)
It works as described, although there was a hiccup logging in with Verisign PIP (my OpenID provider).
I found the expression “if your website is OpenID enabled” a little confusing at first. Then I realised you mean that the website is either an OpenID provider or delegates that elsewhere.
I got the following error on authenticating with my OpenID server. After giving your site access forever, I was redirected to a page with the URL [link]
with the following error:
CGI Failure
traceback:Traceback (most recent call last):
File "gateway.cgi", line 45, in ?
identity.validate(dict(cgi.parse_qsl(os.environ['QUERY_STRING'])))
File "/home/rubys/mombo/identity.py", line 45, in validate
writeComment(session['parent'],title,body,decache=True)
File "/home/rubys/mombo/post.py", line 230, in writeComment
raise message
POST limit exceeded
I am using delegated OpenId from my personal domain to myopenid.
# Minimal stand-alone consumer against the JanRain library (the commenter's own
# test script); it never gets past discovery, as the traceback below shows.
from openid.store import filestore
from openid.consumer import consumer
store = filestore.FileOpenIDStore('.')   # association/nonce store in the current directory
session = {}                             # per-user session state, a plain dict
server = consumer.Consumer(session, store)
request = server.begin('http://paul.querna.org/')   # Yadis discovery on the claimed identifier
Produces:
Traceback (most recent call last):
File "paulquerna.py", line 12, in ?
request = server.begin('http://paul.querna.org/')
File "openid/consumer/consumer.py", line 295, in begin
yadis.discover.DiscoveryFailure: Error fetching XRDS document
The early demos of OpenID worked in a similar fashion, with the OpenID auth being a one-shot authentication mechanism for a particular transaction rather than actually creating a login session. I think this is a better approach for things like weblogs where the interactions tend to be very disjointed and impromptu.
Is the blog software here home-rolled or is it some open source thing? If the latter, please contribute your OpenID implementation to the project in question! :)
OpenID testing is definitely on-topic for this post
testing without http://
As OpenID seems to have created an expectation that URI schemes are optional, I’ve added code to fix up non-URIs that may be entered into the input field labeled URI.
Is the blog software here home-rolled or is it some open source thing?
I’ve seen this posting, set up a new pip account with Verisign and this test comment (where I’m not sure if I am doing it correctly: I’m not sure if the uri should be the Verisign identity url “culverden.pip.verisignlabs.com” or the uri “http://culverden.org.uk” of the site I registered with Verisign on that account) is part of my learning process.
This is a test to see if my IRI will work. I’m running a slightly modified version of phpMyID and it seemed to work ok when I tested the punycode URI with the OpenID Page Test at openidenabled.com (they don’t seem to support IRIs).
I’m also curious to know whether you could obtain my name and email address automatically from my server if I had left those fields blank? And what if the values were not blank, but different - which would take precedence?
I’ve been fascinated at some of the transparent OpenID support that’s being deployed. SeriousEats.com’s internal login system is OpenID-powered (though not really exposed yet) and uses email address for login; I think the eventual goal is to move to something like what you’ve done here.
Based on the results of my Unobtrusive OpenID post, it is quite evident that there is a lot of partial knowledge about OpenID out there. While my knowledge on the subject is far from complete, this post is my attempt to share what I have...
Sam Ruby’s recent interest in OpenID might be the best thing that could happen. With the size of his audience (2234 subscribers on Bloglines only), his deep understanding of how to spread stuff like this and his desire to hack it is bound to...
I’ve been quiet lately because all my spare time got sucked into OpenID. I had intended to add OpenID support to ongoing myidspace project but Sam Ruby’s tinkering with OpenID got me to change my priorities. Monkey see, monkey do. What people...
I got similar CGI-failure using MyLID from my WikiLog header [link] ....
traceback:Traceback (most recent call last):
File "gateway.cgi", line 45, in ?
identity.validate(dict(cgi.parse_qsl(os.environ['QUERY_STRING'])))
File "/home/rubys/mombo/identity.py", line 53, in validate
writeComment(session['parent'],title,body,decache=True)
File "/home/rubys/mombo/post.py", line 230, in writeComment
raise message
POST limit exceeded
OK, I researched into the problem Bill encountered. “POST limit exceeded” is my generic message for spammers. Originally designed as a throttle for three posts in a row, with a few adjustments; it has evolved into a “three strike” policy where number of recent posts is only one factor.
In this case, the message that Bill was trying to post was:
Testing with LID URI in header of my WikiLog. http://webseitz.fluxent.com/wiki
Here’s the strike count:
Posting a raw URI, not as a link, within the post counts as a strike.
Posting the same URI within the post as was used to identify the author counts as a second strike.
Not having either posted to my weblog in the past 90 days or having visited this weblog from that IP address within the past seven days caused Bill to be identified as a stranger and got this post an additional third strike.
At the present time, I doubt that there are any spammers that authenticate with OpenID, but I have no doubt that that will change over time. Given that the above post just barely met the threshold and wouldn’t be considered typical for comments on other weblog entries, I’ve decided to make only the most modest of adjustments to my algorithm to accommodate this:
Posts which are authenticated with openid are now given one additional strike.
I invite Bill to comment back to test this. Note: as more than an hour has elapsed, if he does post back from the same IP address, he will no longer be considered a stranger.
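The strike policy just described, as an added example (this is not the weblog’s actual post.py): each of the three strikes is an independent check over the comment body, the URI used to identify the author, and the author’s recent history, and an OpenID-authenticated post is allowed one additional strike. The threshold of three and the stranger windows of 90 days since a post and 7 days since a visit from the IP are the values stated above; the in-memory history store, the Unix-seconds timestamps and the regular expression for spotting a bare URI are constructed for the example.

```python
"""Strike-count comment throttle modelled on the policy described above.

Added illustration; this is not the weblog's own post.py.  Each rule is one
strike.  A post that collects STRIKE_LIMIT strikes is refused; OpenID
authentication raises the limit by one.  The history store is a constructed
in-memory stand-in and times are Unix seconds.
"""
import re

DAY = 86400.0
STRIKE_LIMIT = 3              # "three strike" policy
POST_WINDOW = 90 * DAY        # "posted to my weblog in the past 90 days"
VISIT_WINDOW = 7 * DAY        # "visited this weblog from that IP address within the past seven days"

# A URI pasted as bare text.  The lookbehind skips URIs that sit inside a tag
# attribute or are the text of a link (preceded by a quote, '=' or '>').
RAW_URI = re.compile(r"(?<![\"'=>])\bhttps?://[^\s<>\"']+")


def raw_uris(body):
    """Return the URIs that appear in the body as bare text, not as links."""
    return RAW_URI.findall(body)


def record_post(history, author_uri, when):
    history.setdefault("last_post", {})[author_uri] = when


def record_visit(history, ip, when):
    history.setdefault("last_visit", {})[ip] = when


def is_stranger(history, author_uri, ip, now):
    """A stranger has neither posted within POST_WINDOW nor visited from
    this IP address within VISIT_WINDOW."""
    last_post = history.get("last_post", {}).get(author_uri)
    last_visit = history.get("last_visit", {}).get(ip)
    posted_recently = last_post is not None and now - last_post <= POST_WINDOW
    visited_recently = last_visit is not None and now - last_visit <= VISIT_WINDOW
    return not (posted_recently or visited_recently)


def strike_count(body, author_uri, ip, history, now):
    """Return (strikes, reasons) for a pending comment."""
    reasons = []
    uris = raw_uris(body)
    if uris:
        reasons.append("raw URI in the post, not marked up as a link")
    if author_uri and any(u.rstrip("/") == author_uri.rstrip("/") for u in uris):
        reasons.append("same URI in the post as used to identify the author")
    if is_stranger(history, author_uri, ip, now):
        reasons.append("stranger: no post in 90 days and no visit from this IP in 7 days")
    return len(reasons), reasons


def accept(body, author_uri, ip, history, now, openid_authenticated=False):
    """Decide whether to write the comment.  Returns (accepted, strikes, reasons).
    The caller records the post and the visit once the comment is accepted."""
    strikes, reasons = strike_count(body, author_uri, ip, history, now)
    limit = STRIKE_LIMIT + (1 if openid_authenticated else 0)
    if openid_authenticated:
        reasons.append("OpenID authenticated: one additional strike allowed")
    return strikes < limit, strikes, reasons
```

Run against the constructed copy of Bill’s post (a bare URI that is also his identity URI, from an address with no history) it collects exactly three strikes and is refused, passes with the extra strike when OpenID-authenticated, and drops to two strikes once a visit from the same IP within the last seven days is on record.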
Occasionally I’ve gotten some comments about my use of LiveJournal for my weblog. I like LiveJournal for a lot of reasons, and the main reason people seem to be opposed to it is that they don’t want to create a LiveJournal account just to be able to...
Sam, my own openid client gets just openid.mode=id_res and open.user_setup_url back from Vox even when I am signed-in at Vox which means Vox refused the immediate mode in favor of explicit sign-in. Are you doing any special to get the successful checkid_immediate call? Rather puzzled here.
Nevermind. It was the browser cookies from Vox which isn’t present when running from the my java-based server test suite. Egads. This is not going to be pretty... [Don mutters as he descends into the darkness]
I wonder if I’m the only one who’s a bit suspicious of OpenID? But then, I must admit, I think any ‘online identity systems’ is a terrible idea. Ever since analyzing Passport I’ve come to suspect that any formalized, distributed identity system...
I tried again earlier today (from previous IP, not this one). Didn’t get the same CGI error as before. But did end up with an empty “edit your comment” form (empty other than having “anonymous” in the name).
OpenID for non-SuperUsers: Based on the results of my Unobtrusive OpenID post, it is quite evident that there is a lot of partial knowledge about OpenID out there. While my knowledge on the subject is far from complete, this post is my...
There have been some great projects lately about moving information control into the hands of users such as Move My Data. In that vein there is the idea of profile data using microformats. For example you have a list of your friends marked up on...
I’ve been meaning to install Alan Castonguay’s wpopenid plugin to enable OpenID authenticated comments for some time now. I finally got around to it tonight, and was overall pleased with it, despite a few minor bugs. More importantly...
This blog now supports OpenID for comments. I got a favorable response and that was enough for me to use it here. I am using the wpopenid fork created by Will Norris. The plugin is extremely easy to use, but I hope that OpenID is tightly integrated...
I’ve been meaning to install Alan Castonguay’s wpopenid wordpress plugin to enable OpenID authenticated comments for some time now. I finally got around to it tonight, and was overall pleased with it, despite a few minor bugs. More importantly...
OpenID is a really good addition for any blog system. I did not know about this OpenID system before I read your post; many thanks for your tip about OpenID.
I don’t really understand all I’ve read about openID so maybe actually using it will fill in some gaps? In the URI field I put my openID URI instead of my usual personal domain name. I guess in a minute or two I’ll see what the big deal is yah?
That wasn’t very exciting. I had to tell myopenid that yeah it’s me in order to post the test comment. I’m going to have to play with this on a couple of domains I own, but so far I don’t understand why I would want an OpenID.
Upgraded to WordPress 2.5. My OpenID plugin may be broken. Investigating. Update: I’ve been saddened by the state of OpenID integration in WordPress — none — for quite some time. 2.3 and below just didn’t offer enough logic to be able to...
Am I just supposed to know that the URI is where my OpenID goes? I’d normally put my site there, but I haven’t set up my site as an OpenID delegate yet.
Hey. Just testing.
I think this openid stuff is really cool. Thanks also for your other post about delegation - i found it very helpful in setting mine up. In that post, you list an example for delegation using one specific provider, myopenid, but in order to find out what url to use for other providers, i had to look at people’s test comments on this post, and see who it showed their provider as. I am wondering if you or anyone else has compiled or is thinking of compiling a chart or something showing how to set up delegation for several different providers. Just a thought. Thanks, Joe.