JOID as an Identity Provider


pcurtis

Jan 22, 2008, 11:26:24 AM
to joid-dev
I have spent the last couple of days working through the JOID example
provider. In the end, I found it was much faster to rewrite the
OpenIdServlet and the login.jsp. I now have a working provider (1.1 &
2.0) as well as the knowledge of where certain things need to happen.

However, to accomplish a cleaner usage, there were items that I needed
to change. For example, I had to add a public method to add values to
a SimpleRegistration. I also had to make public methods in some
interfaces to allow access to the information.

I'm at the point where I can actually build a 'login.jsp' that
authenticates against something useful. The point in the 'login.jsp'
has been clearly identified. In addition, I have identified where the
'sreg' information needs to be added.

Now I'm looking to ask some general "policy" type of questions. For
example, one provider may have the user "allow" their ID to be used at
a specific site, even after authentication. This should be something
each provider decides, and should be easily implementable. Is this a
common feature of other OpenID providers? Would this be useful?

I'll publish the two major parts that were rewritten (login.jsp and
OpenIdServlet) and the few diffs for the other code, if requested.

Hans Granqvist

Jan 22, 2008, 11:39:51 AM
to joid...@googlegroups.com
On 1/22/08, pcurtis <pfcu...@gmail.com> wrote:
>
> Now I'm looking to ask some general "policy" type of questions. For
> example, one provider may have the user "allow" their ID to be used at
> a specific site, even after authentication.
>

I'm not sure I understand. Can you give an example use-case?

Hans

Travis Reeder

Jan 22, 2008, 11:45:37 AM
to joid...@googlegroups.com
Please publish your changes, anything that makes things easier is welcome.

pcurtis

Jan 22, 2008, 1:40:30 PM
to joid-dev
Here's the use case ...

User A goes to Site A. They log in using their OpenID, and because
they have not authenticated with the IP, they are presented with the
login page. They provide their credentials, and are returned to Site
A. All is good.

Later, User A goes to Site B. They use their OpenID to login. However,
since they have already provided their credentials to their IP, there
is no need for them to do it again. At this point, however, User A
does not have any interaction, so they are potentially providing data
to Site B. An example would be User A's email address.

So, from a policy point of view, should User A have to "approve" the
use of their OpenID and data for Site B? Do other IP's ask the user
for their acceptance?


pcurtis

Jan 22, 2008, 8:36:37 PM
to joid-dev
I uploaded the 'OpenIdServlet' to the files area. I'll post the diffs
for the other classes (very small) and a basic 'login.jsp'

On Jan 22, 11:45 am, "Travis Reeder" <tree...@gmail.com> wrote:
> Please publish your changes, anything that makes things easier is welcome.
>

Hans Granqvist

Jan 23, 2008, 9:19:12 AM
to joid...@googlegroups.com
Ah, now I understand.

Yes, most OpenID providers ask the user to approve of
establishing relationships with each relying party.

You can check out how it's done in the VeriSign production
provider @ http://pip.verisignlabs.com (this is btw where
joid comes from)

Hans



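The approval step in pcurtis's use case above (user already authenticated at the IP, Site B asks for an assertion plus sreg data such as the e-mail address) and the per-relying-party approval Hans describes, written out as an added example. This is not JOID code and not code from anyone in this thread; the class and function names, the in-memory decision store, and the sample realms and return_to URLs are all assumptions made for the illustration. The realm/return_to check follows the matching rules of OpenID 2.0 section 9.2 (scheme, port, host or `*.` wildcard, path prefix), which is the point a consent page must get right: the user's decision is keyed on the realm, so a return_to that does not belong to that realm must be rejected before any remembered approval is consulted.

```python
"""Per-relying-party approval policy for an OpenID provider (added example).

Assumed model: the user has an authenticated session at the provider; each
checkid request carries a realm (trust root) and a return_to URL and may ask
for sreg fields. The provider answers "approve", "prompt", "deny" or "reject".
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple
from urllib.parse import urlparse

# Field names defined by the Simple Registration (sreg) extension.
SREG_FIELDS = frozenset({"nickname", "email", "fullname", "dob", "gender",
                         "postcode", "country", "language", "timezone"})

_DEFAULT_PORT = {"http": 80, "https": 443}


def return_to_matches_realm(realm: str, return_to: str) -> bool:
    """Realm matching along the lines of OpenID 2.0 section 9.2.

    Same scheme and port; host equal, or for a '*.' realm a label-boundary
    suffix match (so '*.example.com' matches 'example.com' and
    'login.example.com' but not 'notexample.com'); the realm path must be a
    path-segment prefix of the return_to path; a realm may not carry a fragment.
    """
    r, t = urlparse(realm), urlparse(return_to)
    if r.fragment or r.scheme not in _DEFAULT_PORT or t.scheme != r.scheme:
        return False
    if (r.port or _DEFAULT_PORT[r.scheme]) != (t.port or _DEFAULT_PORT[t.scheme]):
        return False
    rhost, thost = (r.hostname or "").lower(), (t.hostname or "").lower()
    if not rhost or not thost:
        return False
    if rhost.startswith("*."):
        base = rhost[2:]
        if "." not in base:                      # refuse '*.com' style realms
            return False
        if thost != base and not thost.endswith("." + base):
            return False
    elif rhost != thost:
        return False
    rpath, tpath = r.path or "/", t.path or "/"
    return tpath == rpath or tpath.startswith(rpath.rstrip("/") + "/")


Decision = Tuple[str, FrozenSet[str]]   # (verdict, sreg fields to release)


@dataclass(frozen=True)
class TrustDecision:
    """What the user decided for one relying party on the consent page."""
    allowed: bool
    fields: FrozenSet[str] = frozenset()   # sreg fields the user agreed to release


class ApprovalPolicy:
    """Remembered decisions keyed on (user, realm), never on return_to.

    An in-memory dict stands in for whatever store a real provider uses
    (assumption for the example).
    """

    def __init__(self) -> None:
        self._decisions: Dict[Tuple[str, str], TrustDecision] = {}

    def remember(self, user: str, realm: str, decision: TrustDecision) -> None:
        self._decisions[(user, realm)] = decision

    def decide(self, user: str, realm: str, return_to: str,
               requested: FrozenSet[str]) -> Decision:
        # A return_to outside the realm is an error, not a consent question.
        if not return_to_matches_realm(realm, return_to):
            return "reject", frozenset()
        requested = requested & SREG_FIELDS          # ignore unknown fields
        prior = self._decisions.get((user, realm))
        if prior is None:
            return "prompt", requested               # first visit: ask the user
        if not prior.allowed:
            return "deny", frozenset()
        if not requested <= prior.fields:
            return "prompt", requested               # RP now wants more data
        return "approve", requested


if __name__ == "__main__":
    # Walk through the thread's scenario with constructed sample sites.
    policy = ApprovalPolicy()
    site_a, site_b = "https://site-a.example/", "https://site-b.example/"
    print(policy.decide("alice", site_a, site_a + "openid/return", frozenset({"email"})))
    policy.remember("alice", site_a, TrustDecision(True, frozenset({"email"})))
    print(policy.decide("alice", site_a, site_a + "openid/return", frozenset({"email"})))
    print(policy.decide("alice", site_b, site_b + "cb", frozenset({"email"})))
    print(policy.decide("alice", site_a, "https://evil.example/return", frozenset()))
```

Two design choices worth calling out: the decision is remembered per realm and the sreg fields are part of that decision, so a relying party that later asks for a field the user never approved gets the consent page again rather than a silent release; and the realm check runs before the store lookup, so a remembered approval for `https://site-a.example/` can never be replayed to some other return_to. A production provider should additionally verify return_to against the relying party's own discovery document (OpenID 2.0 section 9.2.1), which this example does not do.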
pcurtis

Jan 23, 2008, 12:34:18 PM
to joid-dev
I uploaded the changes (svn diff) to the core JOID classes. As
mentioned, there is very little needing change to allow the servlet to
operate. However, I would highly recommend that some of the interfaces
be reviewed and some of their methods made public.


Hans Granqvist

Jan 24, 2008, 11:43:18 AM
to joid...@googlegroups.com
Can you post a diff to the list or a link to the upload?

Thanks,
Hans

pcurtis

Jan 24, 2008, 11:58:07 AM
to joid-dev
I placed all three files in the "Files" area of this group.

On Jan 24, 11:43 am, "Hans Granqvist" <h...@granqvist.com> wrote:
> Can you post a diff to the list or a link to the upload?
>
> Thanks,
> Hans
>

Hans Granqvist

Jan 24, 2008, 12:11:53 PM
to joid...@googlegroups.com
Haha, I'm blind, I didn't see them there before, sorry ;)

Looks pretty reasonable to me -- only thing is: can you
keep line lengths < 80 chars in the added servlet?

Anyone not +1?


Hans

Travis Reeder

Jan 24, 2008, 1:18:34 PM
to joid...@googlegroups.com
-1

I'd like to see diffs so we can see what's changed. A quick scan
through these files shows he's using JNDI and ldap. These are fine to
put as external examples, but not as the core basic sample. Especially
since the core ones work fine as is.

Travis

Hans Granqvist

Jan 24, 2008, 1:54:36 PM
to joid...@googlegroups.com
I have to agree, a diff would be best. I assumed the login.jsp is in a new
example directory, but maybe that's not the case.

Frans Thamura

Jan 24, 2008, 2:14:42 PM
to joid...@googlegroups.com
Will we have a fully working version like pip, so we can develop our
own OpenID Provider? Is joid the answer?

F

Travis Reeder

Jan 24, 2008, 4:03:23 PM
to joid...@googlegroups.com
yes, joid is the answer. ;)

The samples include a really basic OpenID provider.

Travis

pcurtis

Jan 24, 2008, 6:05:58 PM
to joid-dev
I did not place the diff for the 'login.jsp' as the 'svn diff'
produced the whole file complete. In the comments, I stated that the
login.jsp is not a tweak or fix, but essentially a complete, new file.
Removing the JNDI/LDAP example in both the servlet and the JSP would
not harm the functionality. However, in the login.jsp, another
authentication method would have to replace the JNDI code that is
there.

Ignoring the example LDAP authentication and sreg functionality, the
new code functions as both a 1.1 and 2.0 IP.

I will reformat the servlet to have line lengths less than 80
characters.

On Jan 24, 1:18 pm, "Travis Reeder" <tree...@gmail.com> wrote:
> -1
>
> I'd like to see diffs so we can see what's changed. A quick scan
> through these files shows he's using JNDI and ldap. These are fine to
> put as external examples, but not as the core basic sample. Especially
> since the core ones work fine as is.
>
> Travis
>
> On Jan 24, 2008 9:11 AM, Hans Granqvist <h...@granqvist.com> wrote:
>
>
>
> > Haha, I'm blind, I didn't see them there before, sorry ;)
>
> > Looks pretty reasonable to me -- only thing is: can you
> > keep line lengths < 80 chars in the added servlet?
>
> > Anyone not +1?
>
> > Hans
>

Frans Thamura

Jan 24, 2008, 8:53:12 PM
to joid...@googlegroups.com
On Jan 25, 2008 4:03 AM, Travis Reeder <tre...@gmail.com> wrote:
> yes, joid is the answer. ;)
>
> The samples include a really basic OpenID provider.
>
> Travis
>


I think it will be awesome if we can make joid a full-stack OpenID server.

Let's work on it.

NB: has anyone tried to integrate joid with Spring? Or any track to the
IoC level?

F
