OpenID for Web2Py

[Bottiger]

I've been trying to get Massimo's OpenID implementation to work, which
seems to be the only OpenID implementation for Web2Py.

It doesn't seem to work with either Yahoo or Google, each time saying:

"Sorry! Something is not quite right with the request we received from
the website you are trying to use. Please try again in a few minutes."

I've hosted it on a public domain and changed trust_root and return_to
variables to be valid, so I know its not a localhost problem. So far I
can't figure out what's wrong, as it seems to look exactly like the
Django example on the python-openid site.

Does anyone have similar problems or suggestions? I already know about
CAS and I don't want to use it.

[Yarko Tymciurak]

you might try looking at what gets sent back and forth to try to discover what's wrong;  wireshark or LiveHTTPHeaders for Firefox might help...

[Bottiger]

I don't need wireshark. Its in plain sight. The problem is I have no
idea what is wrong with it.

https://open.login.yahooapis.com/openid/op/auth?openid.assoc_handle=crOLLLvQds2YOP5jXvLaBs1gVC1eIpFhqmxcDxETwNFxG68HIItiJzZhrffh4bn00jyuPgNt2clv3bSaQvG9yNJ8EIx._Ja768i256WwR4sUXnKEMimMy3jd4VJcT2dfcw--&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.realm=http%3A%2F%2Ftest.domain.com%2Fopenid%2Flogin%2FstartOpenID&openid.return_to=http%3A%2F%2Ftest.domain.com%2Fopenid%2Flogin%2FfinishOpenID%3Fjanrain_nonce%3D2009-07-21T08%253A44%253A37ZYQiIKa

where test.domain.com is an actual subdomain I own that is mod_proxied
to web2py.

On Jul 21, 1:18 am, Yarko Tymciurak <yark...@gmail.com> wrote:
> you might try looking at what gets sent back and forth to try to discover
> what's wrong;  wireshark or LiveHTTPHeaders for Firefox might help...
>

[Hans Donner]

Can you point me to "Massimo's OpenID implementation" that you are referring to?
Perhaps you could send me teh code that your are using?

When I get back from work I'll try to have a look.

[mdipierro]

My OpenID implementation was just an attempt to port python-openid to
web2py. I never tested it so I am not surprised it does not work.

Massimo

On Jul 21, 5:09 am, Hans Donner <hans.don...@pobox.com> wrote:
> Can you point me to "Massimo's OpenID implementation" that you are referring to?
> Perhaps you could send me teh code that your are using?
>
> When I get back from work I'll try to have a look.
>

[Hans Donner]

I'd still like to dive into this (but from the reply below, it may
take some additional time)

[gluegl]

I am using http://www.internetid.ws/index.php
Disclaimer, this is my service and I have implemented here also
http://TwiTr.me
-G

[Bottiger]

Here is the link to Massimo's OpenID implementation.

http://groups.google.com/group/web2py/attach/8f44bbaf1a88796b/web2py.app.openid.tar?part=2

If anyone would like to help debug it with me and get it working
together, I am on IRC.

On Jul 21, 3:09 am, Hans Donner <hans.don...@pobox.com> wrote:
> Can you point me to "Massimo's OpenID implementation" that you are referring to?
> Perhaps you could send me teh code that your are using?
>
> When I get back from work I'll try to have a look.
>

[Hans Donner]

I've used Massimo's code, installed it in a new app and executed it
(using myopenid).

I'd had to change
#trust_root = 'http://127.0.0.1:8000/openid/client/startOpenID'
trust_root = 'http://127.0.0.1:8000/openid/client'
return_to = 'http://127.0.0.1:8000/openid/client/finishOpenID'

to give me a proper reponse

Otherwise I got:
u'http://127.0.0.1:8000/openid/client/finishOpenID?janrain_nonce=2009-07-21T20%3A03%3A08ZydTT8V&openid1_claimed_id=http%3A%2F%2Fuseyouridhere.myopenid.com%2F'
not under trust_root
u'http://127.0.0.1:8000/openid/client/startOpenID'


Does that help you? (the error message you posted is not helping here)

The next stop is web2py's response:
message
:
something heppened:{'failure_reason': "return_to does not match return
URL. Expected '/openid/client/finishOpenID', got
'http://127.0.0.1:8000/openid/client/finishOpenID?janrain_nonce=2009-07-21T20%3A04%3A27ZN8rsX1'",
'error': 'OpenID authentication failed.'}

[Hans Donner]

commenting out the return_to in finishOpenID did the trick (it will
take the return to as defined in the constant. The URL only provides a
path without the servername.

So two minor changes made it work...

[Tim Michelsen]

mdipierro schrieb:

> My OpenID implementation was just an attempt to port python-openid to
> web2py. I never tested it so I am not surprised it does not work.
>

check out here:
http://gminick.wordpress.com/2009/06/18/next-step-openid-logging/
http://gminick.wordpress.com/2009/06/21/the-file-structure-of-my-project/

He tested it and seemed to have succeeded.

Best,
Timmie

[Hans Donner]

next challenge - integrate it with auth....

[hcvst]

Hi,
here's a consumer example I wrote. It implements
openid.store.interface.OpenIDStore
and makes it easy to use the openid lib in a controller (example
included).

http://pastebin.co.za/22362

HC

[hcvst]

and a still rather messy example using the same Web2pyStore with
openid
to implement the server side.

http://pastebin.co.za/22363

I'm trying to write an openID server app.

By tomorrow I should commit a functional version to http://github.com/hcvst/icy-openid.
I haven't got quite the hang of git yet.

HC

[Bottiger]

Yes, I accidentally missed your 2nd message and fixed it on my own. I
also found another error.

So as a canonical reference, here are the 3 things that need to be
edited to get Massimo's OpenID to work.

1.

trust_root = 'http://127.0.0.1:8000/openid/client/startOpenID
change this to
trust_root = 'http://127.0.0.1:8000/openid/client/

2.

remove this extraneous line at 105. It creates a URL html tag when it
is supposed to be a simple URL.

return_to = URL(r=request,f='finishOpenID')

3.

change this at line 130. sreg_response was None for me. I believe sreg
is an optional argument that some OpenID providers may not provide.

'sreg': None if sreg_response is None else sreg_response.items(),


So now we finally have a long overdue working OpenID implementation
for Web2Py.

On Jul 21, 1:14 pm, Hans Donner <hans.don...@pobox.com> wrote:
> commenting out the return_to in finishOpenID did the trick (it will
> take the return to as defined in the constant. The URL only provides a
> path without the servername.
>
> So two minor changes made it work...
>

> On Tue, Jul 21, 2009 at 22:07, Hans Donner<hans.don...@pobox.com> wrote:
> > I've used Massimo's code, installed it in a new app and executed it
> > (using myopenid).
>
> > I'd had to change
> > #trust_root = 'http://127.0.0.1:8000/openid/client/startOpenID'
> > trust_root = 'http://127.0.0.1:8000/openid/client'
> > return_to = 'http://127.0.0.1:8000/openid/client/finishOpenID'
>
> > to give me a proper reponse
>
> > Otherwise I got:

> > u'http://127.0.0.1:8000/openid/client/finishOpenID?janrain_nonce=2009-0...

> > not under trust_root
> > u'http://127.0.0.1:8000/openid/client/startOpenID'
>
> > Does that help you? (the error message you posted is not helping here)
>
> > The next stop is web2py's response:
> > message
> > :
> > something heppened:{'failure_reason': "return_to does not match return
> > URL. Expected '/openid/client/finishOpenID', got

> > 'http://127.0.0.1:8000/openid/client/finishOpenID?janrain_nonce=2009-0...",
> > 'error': 'OpenID authentication failed.'}

>
> > On Tue, Jul 21, 2009 at 10:46, Bottiger<bottig...@gmail.com> wrote:
>
> >> I don't need wireshark. Its in plain sight. The problem is I have no
> >> idea what is wrong with it.
>

> >>https://open.login.yahooapis.com/openid/op/auth?openid.assoc_handle=c...

[Bottiger]

I've uploaded to my website the minimal version of the working OpenID
implementation application. Just unzip in your application directory
and go to http://127.0.0.1:8000/openid/client/startOpenID to start.

I couldn't create a w2p file from it because Web2Py kept complaining
about an internal error.

http://www.codexon.com/temp/openid.zip

[dlypka]

Thanks so much for this work.
I tried it.

It correctly took me to the Open ID confirmation at http://openid-provider.appspot.com
and then I clicked Yes.
This is the result I got back:

message
:
something heppened:{'url': 'http://openid-provider.appspot.com/
dlypka', 'pape': <openid.extensions.draft.pape5.Response object at
0x017CDD70>, 'sreg': [('nickname', 'dlypka')]}
admin request session response

Is this the response to be expected?

I am not sure what the expected result should be.

Thanks.

On Jul 21, 7:57 pm, Bottiger <bottig...@gmail.com> wrote:
> I've uploaded to my website the minimal version of the working OpenID
> implementation application. Just unzip in your application directory

> and go tohttp://127.0.0.1:8000/openid/client/startOpenIDto start.

[dlypka]

I also try it on my local App Engine DEV server but no luck.
I changed all 8000 to 8080 as per the App Engine Development Server,
but still
when I click Submit, I get the 'Invalid Request' page.

Any suggestions?

Thanks.

On Jul 21, 7:57 pm, Bottiger <bottig...@gmail.com> wrote:
> I've uploaded to my website the minimal version of the working OpenID
> implementation application. Just unzip in your application directory

> and go tohttp://127.0.0.1:8000/openid/client/startOpenIDto start.

[mdipierro]

I have not looked into this in some time but one problem I remember is
that OpenID requires the server to make an http request via urllib and
GAE requires using fetch instead of urllib.

If you only need to authenticate with google openID on GAE that dan be
more easily done with

gluon/contrib/login_methods/gae_google_account.py

That works. Eventually OpenID should be implemented as aplugin in a
similar fashion.

Massimo

[Hans Donner]

Don't know about the content like the name of the nick, you should be
able to tell.
But the fact you get shown a nick indicates everything went well.

Remember, it's now only a proof of concept app, so nothing usefull is
yet done besides getting your openid info

[hcvst]

Hi,

I've uploaded a working openid consumer to http://w2popenid.appspot.com/oidconsumer
It uses the Web2pyStore I posted above ( http://pastebin.co.za/22362 )
and a custom fetcher (Web2pyFetcher) that permits headers etc. to be
send.

Please see whether it works for you. My battery is about to die, so I
don't have time to
post the source. Will post it later.

Cheers,
HC




You can download the app from http://w2popenid.appspot.com/

On Jul 23, 4:16 pm, Hans Donner <hans.don...@pobox.com> wrote:
> Don't know about the content like the name of the nick, you should be
> able to tell.
> But the fact you get shown a nick indicates everything went well.
>
> Remember, it's now only a proof of concept app, so nothing usefull is
> yet done besides getting your openid info
>
> On Thu, Jul 23, 2009 at 12:05, dlypka<dly...@gmail.com> wrote:
>
> > Thanks so much for this work.
> > I tried it.
>

> > It correctly took me to the Open ID confirmation athttp://openid-provider.appspot.com

[Bottiger]

I have not tested it with GAE. GAE has weird limitations.

I do not have a GAE account. Google wants me to give them my cell
phone number to verify through SMS and I refuse to do this.

[dlypka]

Hi:

I tried http://w2popenid.appspot.com/oidconsumer

It is amazing to see the web2py Admin page up on the App Engine.

A few results:

1. dly...@gmail.com does NOT work.
I (and my associates) want the standard email address to work. The
URL Open ID is too clunky for most people we deal with.

2. I tried a URL version of my OpenID, which is

http://openid-provider.appspot.com/dlypka

That got me to the Open ID page, but it asked me to first log into
Google, which I believe is wrong, since I am already logged in to this
web2py forum.

So I conclude that the API is working great from web2py on GAE to
OpenID, but it would be nice to have it recognize that I am already
logged into Google.
However I went ahead and did the Google login that it was asking
for, and then I did the the Yes response and it then gave me that page
with
the response codes:

resp : <openid.consumer.consumer.SuccessResponse id='http://openid-
provider.appspot.com/dlypka' signed=['openid.return_to',
'openid.mode', 'openid.identity', 'openid.sreg.nickname']>
admin request session response

That was great!

Then I closed the browser and went back in to try it all a second
time, and this time it did NOT ask me to log into Google.
So that was good, that it recognized my current Google login which it
had "seen' me do 'inside' OpenID
I assume it does not recognize my previous login to this forum,
because it was done 'outside' of OpenID.

I guess OpenID only recognizes logins which were done 'inside' its
API.
If so, that is a big negative for the immediate future. It means at
the moment, the regular user would have to find the 'special' OpenID-
enabled
login page for a given website in order to benefit from OpenID.


-------------------------------------------------------------------------

I looked at http://pastebin.co.za/22362
For that, it looks like one needs to also have the code for
openid.store
I assume the word 'store' means 'storage', rather an a 'store' where
one buys things...

Then I downloaded web2py.app.oidconsumer.w2p.gz
I extracted it and got the oidconsumer.w2p, but web2py failed to be
able to install it.
So I renamed the .w2p to be a .tar and I unpacked it with winrar.
That gave me the oidconsumer folder with all the source.
I copied that folder into my web2py v 1.65.5 Applications folder
and voila, it ran perfectly and still recognized my previous Google
login (which I had done 'inside' OpenID).
So I guess the code for openid.store is in there somewhere...

Next I will try it on App Engine. I assume it will work.

Thanks so much!

On Jul 24, 8:21 am, hcvst <hcv...@googlemail.com> wrote:
> Hi,
>

> I've uploaded a working openid consumer tohttp://w2popenid.appspot.com/oidconsumer

> It uses the Web2pyStore I posted above (http://pastebin.co.za/22362)
> and a custom fetcher (Web2pyFetcher) that permits headers etc. to be
> send.
>
> Please see whether it works for you. My battery is about to die, so I
> don't have time to
> post the source. Will post it later.
>
> Cheers,
> HC
>

> You can download the app fromhttp://w2popenid.appspot.com/

[mdipierro]

Keep us posted. It would be great if you could post and be the
maintainer of a web2py openid app.

Massimo

On Jul 25, 6:49 am, dlypka <dly...@gmail.com> wrote:
> Hi:
>
> I triedhttp://w2popenid.appspot.com/oidconsumer

> I looked athttp://pastebin.co.za/22362

[hcvst]

Hi,

Here is a sample openid provider:

http://w2popenid.appspot.com/oidprovider

The Web2pyStore class implements the OpenIDStore interface. It is used
to
store associations and nonces in the DB as the opend id library only
offers
implementations to store this data in the filesystem or memory, which
would
not work on GAE.

Also, for it to work on GAE on has to provide a custom http fetcher. I
included the class
Web2pyFetcher alongside Web2pyStore. It uses the GAE fetch method but
unlike the
gluon.tools wrapper also uses the http header parameter.

I don't think that a google email address is a valid openid. It's
probably just a hack
that google built but one can prob. enhance the consumer to spot
google email
addresses and use the google api for logon.

The lib does support XRI though. Try my i-name =hc for example. That's
a nice,
short and a globally unique id.

I'll upload the provider app later.

Regards,
HC

[mdipierro]

fantastic!

> ...
>
> read more »

[dlypka]

Not sure how to fully exercise http://w2popenid.appspot.com/oidprovider

User test
Password test
worked.

User http://w2popenid.appspot.com/oidprovider/openid/id/test
Password test
does NOT work

----------------------------------------------

In oidconsumer,
for your suggestion to try i-name =hc

I simply typed 'hc'.
but did not seem to work. It gave a ticket.

> ...
>
> read more »

[dlypka]

I have my own team of 3 developers now, and web2py openid happens to
be our current task,
so I believe we have the manpower to help with and/or maintain it.
I'll keep everyone here posted with our progress and source code.

We also have some changes for T3.

- Dave Lypka.

[hcvst]

Hi,

both the consumer and the provider sample apps are now available for
download from
http://w2popenid.appspot.com

I have also include some rudimentary HOWTOs on how to use them and on
how
to build your own.

Code and doc still require clean-up, but I am sure you did not expect
anything else.

@Dave, I have also tried to address your questions regarding XRI and
provider usage
in general.

Regards,
HC

=hc

> ...
>
> read more »

[dlypka]

Great use of T3...
OK, I will have a look in detail over the next few days..
It is a wonderful contribution.

On Jul 26, 7:00 am, hcvst <hcv...@googlemail.com> wrote:
> Hi,
>

> both the consumer and the provider sample apps are now available for

> download fromhttp://w2popenid.appspot.com

> ...
>
> read more »

[Bottiger]

So is hcvst part of your team of 3 people?

I don't understand why Massimo is asking you to maintain it when the
code seems to be coming from hcvst.

I am asking because I was trying to turn this into a cooperative
situation, and then two different people started hacking together
their own implementation. Not that I'm complaining, well actually I
am, because I felt like I just duplicated effort and didn't get any
recognition. But if you two are planning to do long term maintenance
and features, then I suppose I'm fine with that.

> ...
>
> read more »

[hcvst]

Hi,

when I first came across this post, I was working on a provider so I
just posted my code.
I think the only difference is that my version uses the Web2pyStore -
the rest uses the Janrain
Python openID library, just as Massimo's original implementation
does. As I had a working example, I
did not look much deeper into what was already here, as the example
here used the FileStore
and I wanted to use the web2py DB.

I do not know what Dave and his team are planning to build, but I
guess it will be a bigger app.

I am planning to add some helpers to w2popenid so that it's easier to
use. A bit like Auth()

---
def server(): return dict(server=w2popenid.Server())
def foo():
oresp = w2popenid.Consumer().check('myOpenID')
...
---

@Dave, what are you building? :-) I really really need a full featured
openID provider for web2py.
My first attempt (the whole w2popenid thing is derived from it) is
here:
http://github.com/hcvst/icy-openid
and intended to replace the php! provider at http://icy.co.za asap.
Can we work together?

Regards,
HC

> ...
>
> read more »

[Bottiger]

Is anyone working on incorporating OpenID with auth? I need to know
because I am not looking forward to duplicating effort again if
someone has already started or finished it.

On Jul 27, 1:07 am, hcvst <hcv...@googlemail.com> wrote:
> Hi,
>

> ...
>
> read more »

[hcvst]

Hi,

a first attempt at integrating with auth.

http://groups.google.com/group/web2py/browse_thread/thread/1d543bb358411a67/590130b3c38c87af#590130b3c38c87af

Regards,
HC

> ...
>
> read more »