delegating from my own openid?


Dan Brickley

Oct 17, 2010, 8:41:12 AM
to open...@googlegroups.com
On Sun, Oct 17, 2010 at 12:16 AM, Akbar Hossain <ma...@akbarhossain.com> wrote:

> I have just updated the certificate on openid4.me so hopefully you should be
> able to connect to https://openid4.me
> without connection exceptions.

> Hopefully your Safari will work with the new certificate  in place.

Yup, I logged into wiki.foaf-project.org using this OpenID, cheers!

I now need to figure out quite how things should work inside that
wiki, whether the ACL groups are associated with underlying accounts
or openids or both. Probably no big deal, just need to investigate.

Meanwhile - I tried to guess the OpenID markup (OpenID ideally) to
delegate my homepage to this openid4me URI.

This was my attempt:
http://danbri.org/index2.html


<head>
<title>Dan Brickley</title>
<link rel="meta" type="application/rdf+xml" title="FOAF"
href="http://danbri.org/foaf.rdf" />
<link rel="openid2.local_id"
href="http://openid4.me/foaf.me/danbri5%23me" />
<meta http-equiv="X-XRDS-Location"
content="http://openid4.me/foaf.me/danbri5%23me" />
</head>


...but I'm pretty much guessing. Ideally I could reference my old
yahoo openid, and this one, so that if either service was down it uses
the other.

Anyway the above markup partly worked, it got so far as showing the
OpenID challenge page on OpenID4.me, but then failed with
mediawiki saying 'Verification of the OpenID URL was cancelled.'

It would be great to have a recipe for this kind of delegation. I know
it involves a huge amount of redirecting etc, but the end result is
that people can identify using domain names they own, which is a
pretty nice characteristic.

cheers,

Dan

Melvin Carvalho

Oct 17, 2010, 9:29:47 AM
to open...@googlegroups.com
On 17 October 2010 14:41, Dan Brickley <dan...@danbri.org> wrote:
> On Sun, Oct 17, 2010 at 12:16 AM, Akbar Hossain <ma...@akbarhossain.com> wrote:
>
>> I have just updated the certificate on openid4.me so hopefully you should be
>> able to connect to https://openid4.me
>> without connection exceptions.
>
>> Hopefully your Safari will work with the new certificate  in place.
>
> Yup, I logged into wiki.foaf-project.org using this OpenID, cheers!
>
> I now need to figure out quite how things should work inside that
> wiki, whether the ACL groups are associated with underlying accounts
> or openids or both. Probably no big deal, just need to investigate.
>
> Meanwhile - I tried to guess the OpenID markup (OpenID ideally) to
> delegate my homepage to this openid4me URI.
>
> This was my attempt:
> http://danbri.org/index2.html
>
>
> <head>
> <title>Dan Brickley</title>
> <link rel="meta" type="application/rdf+xml" title="FOAF"
> href="http://danbri.org/foaf.rdf" />
>    <link rel="openid2.local_id"
> href="http://openid4.me/foaf.me/danbri5%23me" />
>    <meta http-equiv="X-XRDS-Location"
> content="http://openid4.me/foaf.me/danbri5%23me" />
> </head>

Here's my delegated account : http://melvincarvalho.com/

It used to work at

http://identi.ca/main/openid

But now I get:

Not a valid OpenID.

I think I reported this issue before, it definitely was working
before. Any ideas?

Akbar Hossain

Oct 17, 2010, 7:28:10 PM
to open...@googlegroups.com
Hi Dan,

Currently I have XRDS generation disabled on the openid4.me

Although, having played with the server code a bit, I can now get the latest OpenID add-in on the foaf-project wiki to work with akbarhossain.com (aside: I recently got some personal address cards printed up; this is the URL I put on them, not my WebID).

My entries in the head are:

        <link rel="meta" type="application/rdf+xml" title="FOAF" href="http://foaf.me/ah1" />
        <link rel="openid.server" href="http://openid4.me/index.php" />
        <link rel="openid2.provider" href="http://openid4.me/index.php"/>
        <meta http-equiv="X-XRDS-Location" content="http://openid4.me/foaf.me/ah1%23me" />

Without the XRDS entry akbarhossain.com doesn't work against the foaf-project wiki (the previous version of the add-in did work without the XRDS entry).
Without the openid.server and openid2.provider entries at akbarhossain.com it doesn't work against identi.ca.

Sorry, I am not too familiar with XRDS setup, but you may be able to get the failover working with your own copy of an XRDS file.

Melvin - please try again; the tweak to get the above to work should help.

Thanks

danbri

Oct 18, 2010, 5:05:26 AM
to openid4.me


On Oct 18, 1:28 am, Akbar Hossain <m...@akbarhossain.com> wrote:
> Hi Dan,
>
> Currently I have XRDS generation disabled on the openid4.me
>
> Although having played with the server code a bit and I can get the latest
> openid addin on the foaf-project wiki to now work with
> akbarhossain.com(aside I recently got some personal address cards
> printed up - this is the
> url I put on them not my webid)
>
> my entries are in the head are:
>
>         <link rel="meta" type="application/rdf+xml" title="FOAF" href="http://foaf.me/ah1" />
>         <link rel="openid.server" href="http://openid4.me/index.php" />
>         <link rel="openid2.provider" href="http://openid4.me/index.php"/>
>         <meta http-equiv="X-XRDS-Location" content="http://openid4.me/foaf.me/ah1%23me" />

I still get 'Verification of the OpenID URL was cancelled.' (in
safari, which seems to be happily dealing with foaf+ssl stuff), ...
when things return to mediawiki after accepting the openid4.me
challenge, then it shows a failure.

I'm using http://danbri.org/index2.html ... a copy of my homepage
with

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:foaf="http://xmlns.com/foaf/0.1/" >
<head>
<title>Dan Brickley</title>
<link rel="meta" type="application/rdf+xml" title="FOAF" href="http://danbri.org/foaf.rdf" />

<link rel="openid.server" href="http://openid4.me/index.php" />
<link rel="openid2.provider" href="http://openid4.me/index.php"/>
<meta http-equiv="X-XRDS-Location" content="http://openid4.me/foaf.me/danbri5%23me" />

</head>
<body>
<h1>danbri.org</h1>
<p>This is the new minimalist danbri.org. - copied homepage for testing</p>
<p>Nearby: <a href="words/">Dan's blog</a></p>
</body>
</html>


...any reason this shouldn't work?

Dan

Akbar Hossain

Oct 18, 2010, 5:53:58 AM
to open...@googlegroups.com
Ah. Sorry, I should have noticed last night.

Your FOAF link is behaving like the openid2.local_id entry for WebID.
It doesn't match the certificate subject alt name via the personal
profile, so it is rejected.
Otherwise anyone with a valid secured WebID could log in as your OpenID.

I'll play with this a bit more later.
It wasn't clear to me last night how the openid2.local_id you had was
coming through to the server, if at all, but I will look at it again.

Thanks

--
Sent from my mobile device

Dan Brickley

Oct 18, 2010, 5:59:39 AM
to open...@googlegroups.com
On Mon, Oct 18, 2010 at 11:53 AM, Akbar Hossain <ma...@akbarhossain.com> wrote:
> Ah. Sorry i should have noticed last night.
>
> Your foaf link is behaving like the openid2.local_id entry for webid.
> It doesnt match the certificate subject alt name via the personal
> profile. So is rejected.

ah, ok. yeah for this webid, I guess any foaf stuff on danbri.org just
complicates things, since the rest is supplied by openid4me and
foaf.me.

> Otherwise anyone with a valid secured webid could login as your openid.
>
> Ill play with this a bit more later.
> It wasnt clear to me last night how the openid2.local_id you had was
> coming thru to the server if at all but i will look at it again.

Is it possible to make error reporting more transparent, without
compromising security or confusing non-technical users?

cheers,

Dan

Akbar Hossain

Oct 18, 2010, 4:30:46 PM
to open...@googlegroups.com
Hi Dan

If you add an openid relation in your foaf.me WebID back to http://danbri.org/index2.html it should work.

Basically the pattern is very similar to a now-deprecated service Henry put together.
Essentially, create a certificate and a corresponding WebID on a service and point it back to your main WebID,
with a link pointing you towards the created account.

Anyway - if you look at akbarhossain.com,
the FOAF link header is not relevant for checking; in my case it's a bad FOAF file.
You confirm your certificate and WebID on foaf.me; this points to http://danbri.org/index2.html (in my case http://akbarhossain.com/)
and openid4.me is happy to assert your OpenID as http://danbri.org/index2.html (in my case http://akbarhossain.com/).

Re: error reporting. My plan, partially coded, is to change the front screen of openid4.me to be a single box which accepts URLs.
It should then tell you if the URL is correctly formatted for the service or what is missing.
(In this case I needed to add the scenario you were trying to achieve.)

Thanks

Akbar Hossain

Oct 19, 2010, 2:19:12 AM
to open...@googlegroups.com
Hi Dan,

Sorry, having thought about it a bit more, I have disabled this change for the time being.

As we have three documents in play with your potential setup we would need a few seeAlso links
to be sure someone wasn't trying to fake someone else.

Not sure, but are there any precedents for having multiple FOAF rel links at http://danbri.org/index2.html ?
One to your regular WebID and one to the foaf.me-supplied id?

The alternative is that I put together some instructions on how you can generate a certificate to be placed in your regular FOAF file.

Thanks
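The three messages above look at one trust question from different angles: a FOAF link that behaves like a local_id but does not match the certificate's subject alt name, the need for an openid relation from the profile back to the delegating page, and the worry that with three documents in play someone could fake someone else. The code below is an added example, not openid4.me's implementation. It models the three checks a WebID-backed provider can make before asserting a delegated OpenID: the certificate's RSA key must be published in the profile at its SAN URI, that profile must claim the OpenID via foaf:openid, and the OpenID page must in turn delegate to the provider's identifier for that WebID. Everything in it is constructed: the profile documents, the HTML page, the key values, and the hypothetical WebIDs http://foaf.me/danbri5#me and http://foaf.me/mallory#me. It uses the W3C WebID cert vocabulary (cert:key, cert:modulus, cert:exponent) rather than the older rsa: terms in use in 2010, and the mapping from a WebID to an openid4.me identifier is inferred from the URLs quoted in this thread, not taken from any specification. Standard library only.

```python
"""Checks a WebID-backed OpenID provider should make before asserting a
delegated OpenID.  Added example, not openid4.me's code.

Everything here is constructed: profiles, HTML page, key values and the
hypothetical WebIDs.  The WebID -> openid4.me identifier mapping
(http://foaf.me/X#me -> http://openid4.me/foaf.me/X%23me) is inferred
from URLs quoted in the thread, not from a specification.
"""
import re
from urllib.parse import quote, urldefrag

CERT = "http://www.w3.org/ns/auth/cert#"   # W3C WebID cert vocabulary
FOAF = "http://xmlns.com/foaf/0.1/"
HEX = "http://www.w3.org/2001/XMLSchema#hexBinary"
INT = "http://www.w3.org/2001/XMLSchema#integer"


def profile(webid, modulus_hex, claimed_openid):
    """Constructed N-Triples profile for one WebID (exponent fixed at 65537)."""
    return f"""<{webid}> <{CERT}key> _:k .
_:k <{CERT}modulus> "{modulus_hex}"^^<{HEX}> .
_:k <{CERT}exponent> "65537"^^<{INT}> .
<{webid}> <{FOAF}openid> <{claimed_openid}> .
"""


DOCS = {  # stands in for HTTP GET, keyed by URL without fragment
    "http://foaf.me/danbri5": profile("http://foaf.me/danbri5#me", "00c0ffee1234",
                                      "http://danbri.org/index2.html"),
    # an unrelated WebID holder whose profile also claims Dan's page
    "http://foaf.me/mallory": profile("http://foaf.me/mallory#me", "00deadbeef99",
                                      "http://danbri.org/index2.html"),
    "http://danbri.org/index2.html": '<html><head>\n'
        '<link rel="openid2.provider" href="http://openid4.me/index.php"/>\n'
        '<link rel="openid2.local_id" href="http://openid4.me/foaf.me/danbri5%23me"/>\n'
        '</head><body></body></html>',
}


def get_document(url):
    return DOCS[urldefrag(url).url]


TRIPLE = re.compile(r'^\s*(<[^>]*>|_:\S+)\s+<([^>]*)>\s+'
                    r'(<[^>]*>|_:\S+|"[^"]*"(?:\^\^<[^>]*>)?)\s*\.\s*$')


def term(t):
    """Strip N-Triples syntax: IRIs lose <>, literals keep only the lexical form."""
    if t.startswith("<"):
        return t[1:-1]
    if t.startswith('"'):
        return t[1:t.index('"', 1)]
    return t                      # blank node label


def parse_ntriples(text):
    return [(term(s), p, term(o)) for s, p, o in
            (m.groups() for m in map(TRIPLE.match, text.splitlines()) if m)]


def objects(triples, s, p):
    return [o for ss, pp, o in triples if ss == s and pp == p]


def key_matches_profile(webid, modulus_hex, exponent, get=get_document):
    """WebID step: the profile at the certificate's SAN URI must publish the
    very key the client just proved possession of in the TLS handshake."""
    triples = parse_ntriples(get(webid))
    want = modulus_hex.lower().lstrip("0")
    for key in objects(triples, webid, CERT + "key"):
        mods = [m.lower().lstrip("0") for m in objects(triples, key, CERT + "modulus")]
        exps = [int(e) for e in objects(triples, key, CERT + "exponent")]
        if want in mods and exponent in exps:
            return True
    return False


def local_id_for(webid):
    """openid4.me identifier for a WebID (pattern inferred from the thread)."""
    return "http://openid4.me/" + quote(webid[len("http://"):], safe="/")


def page_local_id(openid_url, get=get_document):
    """openid2.local_id the delegating page advertises.  A fixed attribute
    order is assumed here; real discovery parses the whole <head>."""
    m = re.search(r'rel="openid2\.local_id"\s+href="([^"]+)"', get(openid_url))
    return m.group(1) if m else None


def may_assert_openid(claimed_openid, webid, modulus_hex, exponent, get=get_document):
    """Provider decision: all three links must hold.
    1. certificate key <-> profile at the SAN URI   (control of the WebID)
    2. profile -> claimed OpenID via foaf:openid      (the WebID owner's claim)
    3. claimed OpenID page -> this provider's id for that WebID; without it
       anyone with a valid WebID could write foaf:openid pointing at your
       page and log in as you."""
    if not key_matches_profile(webid, modulus_hex, exponent, get):
        return False, "certificate key not published in WebID profile"
    if claimed_openid not in objects(parse_ntriples(get(webid)), webid, FOAF + "openid"):
        return False, "profile does not claim this OpenID"
    if page_local_id(claimed_openid, get) != local_id_for(webid):
        return False, "OpenID page does not delegate to this WebID"
    return True, "ok"
```

The second constructed profile shows why the third check matters: mallory's WebID is perfectly valid and its profile says foaf:openid http://danbri.org/index2.html, but that page's openid2.local_id points at danbri5's identifier, so the provider refuses to assert Dan's URL for mallory's certificate. With only the first two checks, which is the situation the message above describes as needing "a few seeAlso", the assertion would have gone through.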

Dan Brickley

Oct 19, 2010, 3:01:33 AM
to open...@googlegroups.com
On Tue, Oct 19, 2010 at 8:19 AM, Akbar Hossain <ma...@akbarhossain.com> wrote:
> Hi Dan,
>
> Sorry having thought about it a bit more. I have disabled this change for
> the time being.
>
> As we have three documents in  play with your potential set up we would need
> a few seeAlso.
> To be sure someone wasnt trying to fake someone else.
>
> Not sure but are there any precedents for having multiple FOAF rel links at
> http://danbri.org/index2.html ?

I've not seen it done frequently, but there's no theoretical problem
from an RDF or HTML perspective.

> One to your regular webid and one to the foaf.me supplied id?
>
> The alternative is I put together some instructions on how you can generate
> a certificate to be placed in your regular foaf file.

I think the core problem is that we're just stacking up too many Web
services here, which makes for a fundamentally rather confusing
environment!

My initial understanding was that I could make
http://danbri.org/index2.html into a webid-powered *openid* using your
service, without it being a WebID (so the FOAF link wouldn't matter).
I would do that by citing a *webid* kindly hosted for me on foaf.me,
... which would have the relevant webid link-rels, rdf/xml etc. hosted
over there. And of course because I'm me, there is already FOAF stuff
floating around on danbri.org to confuse matters. And it is natural to
want to make the page that is an openid also be a webid too, directly.

Since a chain is only as strong as its weakest link, my preference
would be for both openid and webid to be offered by each service, and
yup also to eventually be able to self-host this stuff. I'm already
running wordpress on my site so anything using PHP would be relatively
easy. In fact I used to use a self-hosted openid powered by wordpress,
before switching to external providers because it seemed to fail from
time to time.

cheers,

Dan

Akbar Hossain

Oct 20, 2010, 5:27:39 PM
to open...@googlegroups.com
Hi Dan,

This should now work for you as originally requested

I added an openid2.local_id rel link to the template OpenID'ed URL generated on openid4.me, i.e. http://openid4.me/foaf.me/danbri5%23me

The minimal for the wiki (in my case) is

        <link rel="openid2.local_id" href="http://openid4.me/foaf.me/ah1%23me"/>

        <meta http-equiv="X-XRDS-Location" content="http://openid4.me/foaf.me/ah1%23me" />

Although I still suggest the following too.


    <link rel="openid.server" href="http://openid4.me/index.php" />
    <link rel="openid2.provider" href="http://openid4.me/index.php"/>

You don't need any changes to your FOAF file to get this to work now, or to have a reference to your FOAF file if you don't want to add one.

Thanks
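The markup quoted in this thread is consumed by a relying party's HTML-based discovery, and the recipe above works because the right rel names are present. The checker below is an added example, not code from openid4.me or the MediaWiki OpenID extension. It reads a delegation page's head the way an OpenID 2.0 and OpenID 1.1 relying party does and reports what it would conclude: openid2.provider is the endpoint the user is sent to, openid2.local_id (defaulting to the page's own URL) is the identifier the provider is asked to assert, openid.server and openid.delegate are the 1.1 equivalents, and X-XRDS-Location is a pointer a Yadis-capable relying party tries before falling back to the HTML links. The two documents are constructed from the first attempt and the recommended markup quoted earlier in the thread. A page that names a local_id but no provider leaves the relying party with no endpoint, which the checker flags. The rel names and defaults are from the OpenID specifications; the reporting format is this example's own.

```python
"""HTML-based OpenID discovery over a delegation page's <head>.

Added example, not code from openid4.me or the MediaWiki OpenID extension.
The two documents below are constructed from the markup posted in this
thread; the rel names are the ones OpenID 1.1 and OpenID 2.0 define.
"""
from html.parser import HTMLParser

OPENID2_PROVIDER = "openid2.provider"   # OP endpoint (required for 2.0)
OPENID2_LOCAL_ID = "openid2.local_id"   # OP-local identifier (optional)
OPENID1_SERVER = "openid.server"        # OpenID 1.1 equivalents
OPENID1_DELEGATE = "openid.delegate"


class HeadLinks(HTMLParser):
    """Collect <link rel href> pairs and the X-XRDS-Location meta from <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}      # rel token -> href, first occurrence wins
        self.xrds = None
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head and a.get("href"):
            for rel in (a.get("rel") or "").split():   # rel may hold several tokens
                self.links.setdefault(rel, a["href"])
        elif tag == "meta" and self._in_head:
            if (a.get("http-equiv") or "").lower() == "x-xrds-location":
                self.xrds = a.get("content")

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(html_text, claimed_id):
    """What a relying party concludes from the page at claimed_id.

    Returns the OpenID 2.0 and 1.1 service descriptions it would use (endpoint
    plus the identifier it asks the OP to assert; the local id defaults to the
    page URL itself), the XRDS pointer if any, and the problems that would
    make HTML discovery fail.
    """
    p = HeadLinks()
    p.feed(html_text)
    links, problems = p.links, []

    openid2 = openid1 = None
    if OPENID2_PROVIDER in links:
        openid2 = {"endpoint": links[OPENID2_PROVIDER],
                   "local_id": links.get(OPENID2_LOCAL_ID, claimed_id)}
    elif OPENID2_LOCAL_ID in links:
        problems.append("openid2.local_id without openid2.provider: "
                        "no endpoint to send the user to")
    if OPENID1_SERVER in links:
        openid1 = {"endpoint": links[OPENID1_SERVER],
                   "delegate": links.get(OPENID1_DELEGATE, claimed_id)}
    elif OPENID1_DELEGATE in links:
        problems.append("openid.delegate without openid.server")
    if not (openid2 or openid1 or p.xrds):
        problems.append("no OpenID information in <head>")
    return {"openid2": openid2, "openid1": openid1, "xrds": p.xrds,
            "problems": problems}


# Constructed from the thread: the first attempt (local_id only) and the
# markup later recommended for akbarhossain.com.
FIRST_ATTEMPT = """<head>
<link rel="openid2.local_id" href="http://openid4.me/foaf.me/danbri5%23me" />
<meta http-equiv="X-XRDS-Location" content="http://openid4.me/foaf.me/danbri5%23me" />
</head>"""

RECOMMENDED = """<head>
<link rel="openid.server" href="http://openid4.me/index.php" />
<link rel="openid2.provider" href="http://openid4.me/index.php"/>
<link rel="openid2.local_id" href="http://openid4.me/foaf.me/ah1%23me"/>
<meta http-equiv="X-XRDS-Location" content="http://openid4.me/foaf.me/ah1%23me" />
</head>"""

if __name__ == "__main__":
    for doc, url in ((FIRST_ATTEMPT, "http://danbri.org/index2.html"),
                     (RECOMMENDED, "http://akbarhossain.com/")):
        print(url, discover(doc, url))
```

After the provider's assertion comes back, the relying party repeats this discovery on the claimed identifier and rejects the login if the endpoint and local id it finds do not match what was asserted, so a stale or mismatched rel link fails at that verification step even when the provider's challenge page appeared.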

Dan Brickley

Oct 22, 2010, 3:35:59 PM
to open...@googlegroups.com
Hi there

On Wed, Oct 20, 2010 at 11:27 PM, Akbar Hossain <ma...@akbarhossain.com> wrote:
> Hi Dan,
>

> This should now work for you as originally requested

Thank you very much for pursuing this!

> I added an openid2.local_id rel link to the template openid'ed url generated
> on openid4.me ie. http://openid4.me/foaf.me/danbri5%23me
>
> The minimal for the wiki (in my case) is
>
>         <link rel="openid2.local_id"
> href="http://openid4.me/foaf.me/ah1%23me"/>
>         <meta http-equiv="X-XRDS-Location"
> content="http://openid4.me/foaf.me/ah1%23me" />
>
> Although I still suggest the following too.
>
>     <link rel="openid.server" href="http://openid4.me/index.php" />
>     <link rel="openid2.provider" href="http://openid4.me/index.php"/>

Copied, edited and confirmed - I have more-or-less logged in using this now :)

I do get these messages at the top of the success screen though (in
current foaf wiki)

'Warning: array_key_exists() [function.array-key-exists]: The second
argument should be either an array or an object in
/mnt/foafdisk-sites/sites/wiki.foaf-project.org/htdocs/z/extensions/OpenID/SpecialOpenIDLogin.body.php
on line 267'

I am running latest openid addon from svn, plus latest mediawiki. So
perhaps too much bleeding edge here.

This gives me the "All users need a nickname; you can choose one from
the options below."


Your nickname (danbri5)
A name picked from your OpenID (index2.html)
An auto-generated name (danbri52)

...etc. I chose danbri5webid and logged in.

I'm not sure whether to say this worked, or didn't work. I got the
same error/warning as above, tried again, then tried a new name 'ppp'
and it let me through (though with the array_key_exists warning now
showing three times at the top of the page).

But at least I see 'Verification succeeded' now, so we're getting
closer. And I seem to be logged in as a new user 'ppp',
http://wiki.foaf-project.org/w/User:Ppp ... who is associated with
http://danbri.org/index2.html

Any idea what's up with these error messages? Apart from that, it's
all good now :)

cheers,

Dan

ps. BTW I have started a conversation with folk at Creative Commons
about sharing OpenID URL lists (and hence WebID now) for trust group
syndication...

Akbar Hossain

Oct 22, 2010, 4:19:47 PM
to open...@googlegroups.com
Hi,

Yes, I thought I noticed the warnings too. (Sorry, I meant to say something.)

I don't get any errors when I log in with http://akbarhossain.com but I do with http://openid.me with the same certificate, i.e. http://foaf.me/ah1#me. I'll have to look through the code in the wiki add-in when I get a chance. I can't remember if I got the error the first time I tried http://akbarhossain.com. Anyway, let me read the code and play with it. You may notice me create a few more accounts on the wiki - sorry.

But as far as I can tell the login works.

I have some comments/thoughts about your F2F email on foaf-dev. I'll respond shortly.

Thanks

ps: Because of the way the browser handles certificates, to truly log out you need to shut down the browser. So testing, and getting recreatable scenarios, is a bit of a pain. Catches me out all the time!

Dan Brickley

Oct 22, 2010, 4:33:28 PM
to open...@googlegroups.com
On Fri, Oct 22, 2010 at 10:19 PM, Akbar Hossain <ma...@akbarhossain.com> wrote:

> Yes I thought I noticed the warnings too. (Sorry I meant to say something).

Glad it was repeatable at least!

> I dont get any errors when I log in with http://akbarhossain.com but I do
> with http://openid.me with the same certificate ie http://foaf.me/ah1#me.

Ok, that's a good test :)

I guess I should do same, and copy my stuff onto danbri.org too, for a
self-hosted webid.

> I'll have to look through the code in the wiki addin when I get a chance. I
> cant remember if I got the error the first time i tried
> http://akbarhossain.com. Anyway let me read the code and play with it. You
> may notice me create a  few more accounts on the wiki - sorry.

That'd be great. Don't worry about spare accounts. They won't have
write permission by default, unless they are in the Bureaucrats group.
But you will be able to log in and get some indication that you're
"in".

> but as far as I can tell the login works.

:)

> I have some comments/thoughts about your F2F email on foaf-dev. Ill respond
> shortly.

Great, look forward to it!

> Thanks
>
> ps: Because of the the way the browser handles certificates to truly log out
> you need to shutdown the browser. So testing is a bit of a pain and getting
> recreatable scenarios. Catches me out all the time!

"Fortunately" I have been testing an in-the-browser FOAF crawler, so
yeah it guarantees a crash ;)

If you're interested btw, temporarily this is available at
http://danbri.org/2010/StrataScutter/dashboard.html but it requires a
server-side proxy, so I'll probably hide those files in a day or
two... (or maybe protect with webid someday? hmm)

cheers,

Dan

Akbar Hossain

Oct 22, 2010, 6:15:21 PM
to open...@googlegroups.com
wow! very cool and yes very interested.

Securing it with WebID should be pretty straightforward.

I think you said you are on AWS / ubuntu?

First thing to do is get a SSL cert. I think the free certs from http://www.startssl.org/ are pretty good.

From https://www.assembla.com/spaces/foaf/wiki?id=foaf&wiki_id=EC2_Hosting

To Configure SSL

sudo a2enmod ssl

sudo vi /etc/apache2/sites-available/default-ssl

sudo a2ensite default-ssl

sudo /etc/init.d/apache2 restart

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Change this as appropriate

Add the following two lines

<Directory />
   SSLVerifyClient optional_no_ca
   SSLVerifyDepth 1

</Directory>

And uncomment the first 2 lines of the .htaccess

seeAlso http://library.linode.com/web-servers/apache/ssl-guides/using-ssl-ubuntu-9.10-karmic
