Timestamps are in UTC.
i need a name for a federated data and profile sharing extension to OpenID
openaccount and openinfo don't have any domains available
what are you building?
karstensrage: it's an extension to OpenID that allows identity providers to provide more information than the defined set of Sreg fields
it allows clients to fetch information after login
and it also allows client to write information back to the identity provider
to store custom information about a user, or to update other fields (with the user's permission)
if they are not defined a priori how do you request them?
what do you mean?
if they are not defined on the identity provider
then the client receives feedback telling it so
but it doesn't matter that it doesn't exist
because the client can prompt for it
well i can query the sreg defined fields but i don't know about others
and then save it to the identity provider
as a client, it doesn't matter if you don't know the others
you can check to see if the identity provider has it, if not, prompt the user and save it back again
so client asks for blood type, your thing doesn't have it, client prompts user for blood type and you save it off for the next time?
if the identity provider doesn't have it, the client will receive an error saying the field isn't defined - the client can then prompt the user for the information on their site and then when they have entered it, the client can make a WriteInformation request
hmm
if the client doesn't have write access to that field though, they need to redirect to a page on the identity provider that prompts the user for permission first
what problem are you solving?
the problem of information being out of sync
one client wants BloodType, one wants bType.. and you get into a mess of cruft
yes and no
clients can either write information to their own namespace, in which case, they don't need initial write permission
e.g.
if my client site is hosted at www.mysite.com
then i can write fields that look like: www.mysite.com:fieldname
without having to ask permission
so sites can store information about a user for stuff specific for them
<hachque> the problem of information being out of sync
that doesn't solve the stated problem at all
yes it does
that just lets client store their own crap
because the email address entered on the identity provider will be the same on all client sites
same with the other fields
ok but how are you going to resolve myid@provider.com:www.mysite.com:BloodType and myid@provider.com:www.mysite.com:bType
ok but how are you going to resolve myid@provider.com:www.mysite.com:BloodType and myid@provider.com:www.myothersite.com:bType
i have a few ways of solving this problem
they aren't definite solutions
but they should minimize it
1) for very common fields, providers can simply use aliases, e.g. real_name is mapped to fullname
2) maintain a list on the extension's site that lists registered fields - that way people wanting to use common information can lookup to see if there is already a defined name for the information they want
3) specify a naming format for identifiers, e.g. all words should be fully spelt, no capitalization, no underscores and no spaces
obviously, these restrictions need not apply for the site's own namespace
but for when writing into the global area those formats should be recommended
the other thing this allows sites to do as well
is "sort of" expose APIs to information
but instead of each site having its own API
they just have to list the information field names on their namespace
for example
say i have extremely popular website abc.com who use OpenID for authentication
they can put their custom data into their namespace like
abc.com:someimportantuserfield
now
any other website that also uses OpenID for authentication
can then say, i want to read this bit of information relevant to that website
and read abc.com:someimportantuserfield (with appropriate approval from the user)
what are you trying to achieve?
the idea of the site namespaces are that you don't clutter up the global area with information only relevant to one site
flaccid: it's an extension to OpenID
federated data and profile sharing
much more advanced than SReg
have you seen AX?
no
check it out
o ffs i wrote all that code for nothing
lol
how many sites actually use AX though?
i mean, why is google and all those big identity providers galloping around with oAuth if AX already does the data sharing part?
auth != data exchange
you could use both, if you require auth
i thought oAuth was for sharing data, but it required pre-shared keys between parties
which makes it useless when you have hundreds of identity providers and thousands of relying parties
AX extends authentication
oAuth is authorisation
does OpenID make oAuth useless then?
if all oAuth does is authentication
authentication != authorisation
it all comes back to what you are trying to do
how many providers actually have AX implemented though?
i know that most libraries don't have AX functionality built in either
huh..
google does
i just presumed that this never existed since no-one uses it
quite a few do, but i don't really know, you could research but
stackoverflow doesn't use it
ohloh doesn't use it
a lot of libs do have AX classes
well a lot of OPs don't do much extension wise/use the full power of openid
i'm going to do one with a lot of functionality soon. heh when i get the time. but there is no reason why you can't - the tools are all there. choose your lang..
see i thought that websites had those Google buttons and all that because the login process also uses oAuth
and then they had the OpenID button if you were using just OpenID
depends which provider. google uses oAuth for some stuff, but i can't remember if they use it with openid auth
and i was like, well that isn't going to work very well because then sites need to list every provider that they want to do data sharing with
well google forked openid, yes which is another whole story. iirc oauth is in there somewhere at least with fbc
i mean google connect or google friendsconnect whatever its called
yes. so the standard extensions are AX and SReg. if you do an RP or an OP that supports both, they will have access to all potentially shared data. oAuth can be used on top to grant RPs for example default data profiles
just start off with openid+sreg+ax and check what the OPs and RPs in question support and make sure you cover what they do
if there is AX, why is there still SReg?
i mean, wouldn't it be better to scrap SReg and replace with AX
well that's not a bad question. but in reality it's hard enough for providers and RPs to even support one to begin with. a lot of the time they just do the openid auth and that's it
the problem is that with SReg, there's libraries out there like phpMyID, etc.. which only do SReg
when really, they should be supporting AX and not SReg
because AX supersedes it really
the other problem you have is
site owners like me, who have very data rich sites
see OpenID as being unable to perform what is needed
and don't adopt it
for that very reason
after all, if the user still has to enter in a fair amount of information, then the only thing it provides is universal authentication
and it really isn't worth navigating the terribly undocumented source code of the JanRain libraries to do that
phpMyID is not a library. it's basically crap. check out php-openid
the janrain libs are documented and have examples in them
JanRain is so overcomplicated and undocumented
it's not funny
that's because it's php. python-openid rox
with JanRain it takes weeks if not months to implement an identity provider
if you can't read phpdocumentor then it seems out of your depth
phpdocumentor?
it took me about 5 minutes to setup an OP with the example/provider
there's no examples ._.
http://openidenabled.com/files/php-openid/docs/2.1.3/
this comes with the library archive http://openidenabled.com/php-openid/trunk/examples/server/server.php
look how many classes there are o_O
why is there not just a single class that has some functions that you call to make it work
yeah so that's the object implementation. it's an OOP library after all
because openid is not that simple.
the only thing i actually used JanRain for was the check_authentication process
it would be bad programming to implement 1 class
i did everything else manually in my implementation because i couldn't understand what each and every function did in all of the JanRain classes
i'm really not seeing a problem. an example is provided out of box and the code is quite small for the driver program and is separate from the libs themselves
the server example is terrible
yes i agree it is bad
php is bad to begin with
PHP isn't bad if you use OO
so that looks like a contradiction to me. php-openid is OOP
like SimpleOpenID
another example of a badly designed piece of software
how is it badly designed?
i don't have to wade through documentation or poorly written examples
i can look at the function names
and know what i need to do
and because it is one class, its support scope is incredibly limited
from memory it is quite outdated
but at least it's understandable
with JanRain, i have no idea what it's doing
it's not like
here call this function at this stage
and call this other function here
and you're done
you can't extend that class very well
it's
wade through a whole bunch of shit and try and trace how the JanRain PHP code actually matches up with what the spec says
yes. this is what a library is. the library is documented. if you don't understand it, unfortunately that's your limitation
no, the limitation is JanRain
it's not organised well
sure. but they are providing it for free
complainers don't fit well in open source
it's certainly not helping adoption of OpenID though
yes i agree. just remember they are a commercial company and need to pay their employees
the basic situation, is you have the option to improve openid support. janrain isn't the only library out there also
yes, but as you just said, the other libraries are outdated / only support SReg / etc..
that's right
you can change that
how?
if http://wiki.openid.net/Run-your-own-identity-server does not suffice, well you can develop or improve one of your choice
isn't this the power of open source
contribute back ..
but there isn't enough documentation on the specs to roll my own
like right here: http://openid.net/specs/openid-authentication-1_1.html#mode_check_authentication
check_authentication is a bitch
i followed the specs
and my implementation did not work
the specification is all you need if you know how to program etc. there are also thousands of pages on the internet you can research. hacking the openid libs helped me understand the spec
i have no idea why you are doing openid 1.1
?
http://openid.net/specs/openid-authentication-2_0.html
http://openid.net/specs/openid-authentication-2_0.html#compat_mode
probably because most of the libraries available only do 1.1
well, see even 2.0 has check_authentication
http://stackoverflow.com/questions/1481114/openid-checkauthentication-not-working
that question is from months ago
have a look at this http://wiki.openid.net/Libraries?SearchFor=libraries&sp=1
http://www.openidenabled.com/php-openid/ supports openid 2.0, sreg and ax
as stated, i don't like using libraries if they are too bloated for me to be able to read them and understand what's going on
i should be able to look at the source code
read the comments
and go, i know what this does
i am aware of that check/immediate. it's not implemented in the example. but if you understand the workflow, you can implement it
?
openid is not simple. you also have to work with what you have. complaining to me ain't going to change the situation you know
okay
well
since check_authentication is the only part i don't understand why it won't work
can you tell me why http://stackoverflow.com/questions/1481114/openid-checkauthentication-not-working gets a check_authentication denied from RPs?
ah yeah sorry this is dif issue to the check_immediate
i don't even know what check_immediate is :'
i think you have to debug this one. mainly around: When using "check_authentication", the OP MUST NOT issue more than one successful response to a request with the same value for "openid.response_nonce".
check if the OP already issued a [openid_mode] => check_authentication against that nonce
huh?
but if i'm validating with an RP for the first time
i should not get check_authentication denied
i shouldn't get check_authentication denied at all, since i'm approving in all cases
thus debug
i've tested the php-openid OP and RP examples against each other and they don't have this problem
i did debug
what you see in the stackoverflow post is the debugging information
that's not enough. like i said, debug both the RP and the OP. check the RP's source code to see what condition is making it return denied..
tracing the relying party error would involve looking inside JanRain
and that source code is impossible to debug
welcome to php
but it's not that hard
it's not PHP that causes that problem
it's the fact that JanRain has function calls flying left right and center
php does not provide traceback so it sux
the object inheritance is crazy. but once again, you have to work with what you have
complaining gets you nowhere.
i know, but it doesn't change the fact they are valid points and someone that actually understands this stuff should rectify the problem
they should?
the problem that you can't read documentation?
there is a bug tracker if you find the bug with this denied auth. http://trac.openidenabled.com/trac/newticket?project=php-openid and you can submit a patch when you make the fix: http://www.openidenabled.com/contribute/
yes they should because i don't understand how this all works - and the documentation for OpenID is shit as I've said
why should they?
why don't you tell them.. openid@janrain.com
because it's impossible to just pick up OpenID and implement it in a website
they will probably offer you RPX
?
??
???
what's RPX?
http://rpxnow.com/
so it's an alternative to OpenID?
no, it's an openid solution
it's essentially SaaS
oh okay
so they probably won't improve the docs on it then since they want to direct people to RPX
meh i'm on dodgy wi-fi atm
well i've wasted too much time on my OpenID extension to spend more time on an easy-to-use OpenID library
well that is your choice
not everything is easy you know :)
but it should be ._.
i don't understand why OpenID is as complex as it is
you have big expectations
i wrote my own cross-server authentication and it doesn't require all this Yadis or SHA1 encryption stuff
it's complex because it's a real tech that uses practices like crypto to make it secure
well congrats there, it's likely not secure
and essentially you did the bad practice of a fork or reinvention of the wheel. but that is also your choice
it was as secure as OpenID
you couldn't verify yourself as someone else
don't you think it's ironic that you were complaining about openid support, yet you made your own 'openid' that is not supported anywhere
that's because i didn't realise that it was possible to implement data sharing as an extension to OpenID
so i thought i didn't have any choice but to redo that area
ok then. i recommend a little bit more research next time
my research involves downloading examples :P
when i was downloading examples, none of them used AX
i didn't even know about AX until this conversation today
i have no idea why you would expect examples to be available for everything
cos later on i realised i could attach a field to the OpenID authentication
that field points to a URI which is an XML document describing the endpoints for data sharing
because i learn by examples
not a great habit
i learn best by reading code that others have implemented
i don't learn by reading specs or wads or documentation
or searching through 20 files to find out where that function is defined
if that's the case, i have no idea what your problem is because all the code is given to you and is open source
if there's a nice linear example
well i am sorry, that is the status quo
then i'm all good
accept it.
and..
but it doesn't have to be status quo
i found this with my first google search: http://stackoverflow.com/questions/1183788/example-usage-of-ax-in-php-openid
google search of what?
sure, and like i said, you have the opportunity to change that. don't imply that it is the responsibility of other people.
google:// attribute exchange php-openid
probably the most basic keyword search
except that i had no idea that attribute exchange even existed
sure
not to mention that stackoverflow is dated Jul 26 whereas my original implementation was started at the beginning of this year
i'm sorry that you didn't find data exchange in your research. i found it very early on when i started my interest in openid
maybe it just wasn't popular at the start of 2009 then
it's because SReg was there from openid 1
good providers/parties will implement and update as required. this is also a problem in adoption as we have identified
and i only ever looked at OpenID 1.1 ._.
well first google search of openid specification brings you to http://openid.net/developers/ which mentions both the version and also sreg and ax
it links you practically to all you need to get started
yeah
maybe it's just that Attribute Exchange doesn't scream Read/Write Data Sharing at me :P
o_O JanRain libraries are throwing PHP warnings
heh i think they say its normal
lower your err output levels
don't have to worry about that with python :)
hey hachque i have a test op and rp from php-openid examples if you wanna test?
hachque: i tested an auth and it was successful including sreg
flaccid: i don't have the code that produced that anymore
i replaced it with calls to JanRain
sounds like you hacked up stuff
anything to get it working ;D
it does work
works fine with JanRain
the two URLs i gave you are out of box
it just didn't work with my manual implementation
i already know the current implementation i have works
your manual implementation appears to be where the problem is
well i presumed it would be something as simple as a missing parameter or incorrect value
bad assumption
what else could it have been?
i mean, that's the only thing there is
parameters and values :P
i don't support hacked up 'manual' implementations, especially when only http response/requests are given to work with
there is a lot more to look at than just one request/response. more occurs than just that
either way, i couldn't replicate the problem
anyone up on the latest python/django wise for openid? i think i am going to have to port/rewrite a lot to work with at least django 1.1?
These logs were automatically created by OpenIDlogbot on chat.freenode.net using a modified version of the Java IRC LogBot.