The Clockwork Mansion

The Grand Hallway => The Outer Fortress => Topic started by: RobbieThe1st on October 20, 2008, 01:00:28 AM

Title: OpenID stuff
Post by: RobbieThe1st on October 20, 2008, 01:00:28 AM
I need some help testing my OpenID login script.
http://robbiethe1st.afraid.org/pf/openid.php
Try to log in with it, and tell me what happens.
Note that if you have a Yahoo account or Gmail account or an account at one of many other sites, you have an OpenID - you just need to find the OpenID ID. Googling for it helps.
Yahoo members click Here (http://openid.yahoo.com)
Gmail members click Here (http://openid-provider.appspot.com)
MyOpenId (http://www.myopenid.com) (OpenID provider)
OpenID.org (http://openid.org) (OpenID provider)


For developers:
This (http://dev.aol.com/article/2007/openid_primer_for_php) page is an awesome tutorial on how to use OpenID, and how to simply implement it with no special libraries.

Old, obsolete post:
Quote
Ok, so I have some webpages that need authentication (admin pages and such). I decided, instead of what I used to do, which was basically have a text-database with usernames & password-hashes, I would try to use OpenID to do the same thing. I start reading up on it... and I can't make heads or tails out of it.

What I want to do is have a login page with OpenID and Password boxes. You click submit, and it checks the OpenID against a local list of known/registered OpenIDs. Then, if the OpenID is a valid one, it contacts the OpenID server (yes, I know that the information is part of the OpenID) with the password, and, I am hoping, gets a response if that OpenID/password is a valid combination - i.e. the password entered is correct.

I can do the first bit, but have no clue about how to contact the OpenID server chosen with the password and get a response, or even if what I want to do is possible.

The list of authenticated users I plan on updating manually.

Anyone know where I should start, or even know what I am talking about?

Thanks,


-RobbieThe1st
Title: Re: OpenID simply?
Post by: RobbieThe1st on October 24, 2008, 12:04:50 AM
Please delete this post

-RobbieThe1st
Title: Re: OpenID stuff
Post by: llearch n'n'daCorna on October 24, 2008, 05:32:47 AM
Quote from: RobbieThe1st on October 24, 2008, 12:04:50 AM
Please delete this post

Must we?
Title: Re: OpenID stuff
Post by: Gabi on October 29, 2008, 08:48:49 AM
A login script? It sounds like it could very easily be used for stealing people's passwords. What's its purpose?
Title: Re: OpenID stuff
Post by: superluser on October 29, 2008, 06:15:10 PM
Quote from: Gabi on October 29, 2008, 08:48:49 AM
A login script? It sounds like it could very easily be used for stealing people's passwords. What's its purpose?

http://en.wikipedia.org/wiki/Openid

I haven't read it yet, but I'm sure it explains what it's for.
Title: Re: OpenID stuff
Post by: llearch n'n'daCorna on October 29, 2008, 06:34:50 PM
I believe, superluser, that Gabi was querying what Robbie's script was for... not what OpenID is for... ;-]
Title: Re: OpenID stuff
Post by: RobbieThe1st on October 30, 2008, 11:04:14 PM
The whole idea behind OpenID is that a third party site, like mine, would *not* ever have access to your password. Your password and authentication is all done by your OpenID Provider.

This is just a script I am working on that I can attach to anything needing security - I simply provide it with a list of approved OpenIDs, and it takes care of the login process.


-RobbieThe1st
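
An added example, not part of the thread and not RobbieThe1st's script: one way to compare a typed OpenID against a list of approved OpenIDs, as the post above describes. The function names and the allowlist entries are assumptions made for illustration; the normalization follows the URL case of OpenID 2.0 section 7.2, and the form it serves would ask for the OpenID only, never a password.

```php
<?php
// Added example. normalize_openid() and is_approved() are hypothetical names.

// Normalize a user-typed OpenID URL; returns null for input we refuse.
function normalize_openid(string $input): ?string
{
    $id = trim($input);
    if ($id === '' || preg_match('#^(xri://|[=@+$!(])#i', $id)) {
        return null;                    // empty, or an XRI (not handled here)
    }
    if (!preg_match('#^https?://#i', $id)) {
        $id = 'http://' . $id;          // no scheme typed: assume http
    }
    $id = explode('#', $id, 2)[0];      // a fragment is never part of the ID
    $p = parse_url($id);
    if ($p === false || empty($p['host']) || isset($p['user']) || isset($p['pass'])) {
        return null;                    // malformed, or carries credentials
    }
    $out = strtolower($p['scheme']) . '://' . strtolower($p['host']);
    if (isset($p['port'])) {
        $out .= ':' . $p['port'];
    }
    $out .= $p['path'] ?? '/';          // an empty path becomes "/"
    if (isset($p['query'])) {
        $out .= '?' . $p['query'];
    }
    return $out;
}

// Exact match against the approved list: no prefix or substring matching.
function is_approved(string $input, array $approved): bool
{
    $id = normalize_openid($input);
    return $id !== null && in_array($id, $approved, true);
}

// Constructed allowlist, stored in normalized form.
$approved = ['http://gabi.myopenid.com/', 'https://me.yahoo.com/example'];

// Constructed inputs: bare host, mixed case with a fragment, look-alike host.
$samples = ['gabi.myopenid.com', 'HTTP://Gabi.MyOpenID.com/#top', 'gabi.myopenid.com.example.net'];
foreach ($samples as $typed) {
    printf("%-32s %s\n", $typed, is_approved($typed, $approved) ? 'approved' : 'rejected');
}
```

The same comparison belongs on the identifier in the provider's verified response, since that response, not the typed value, is what proves who logged in.
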
Title: Re: OpenID stuff
Post by: superluser on October 31, 2008, 01:24:14 AM
Quote from: RobbieThe1st on October 30, 2008, 11:04:14 PM
The whole idea behind OpenID is that a third party site, like mine, would *not* ever have access to your password. Your password and authentication is all done by your OpenID Provider.

Does that mean I'm not crazy, then?  Because, based on the name, I was pretty sure that that's what this was, and that knowing what OpenID was would answer Gabi's question.
Title: Re: OpenID stuff
Post by: Gabi on October 31, 2008, 11:45:16 AM
Well, I've had an OpenID from myopenid.com for well over a year (before I got a new one by getting a LiveJournal account, and now that Yahoo and Gmail are using them too I have 4), so I did know about it. I was, indeed, asking what Robbie's script was for.  And I asked the question before I saw the form.

Yes, superluser, you can phish and use OpenID at the same time; it all depends on how you build the form.

Quote
Your login completed successfully.
OpenID: gabi.myopenid.com
Nickname: