[Sugar-devel] New OpenID provider for Sugar Labs
Sascha Silbe
sascha-ml-reply-to-2011-2 at silbe.org
Tue Feb 8 10:37:19 EST 2011
[This is the "source" version in Wiki Creole 1.0 format. Feel free to
view the rendered version in HTML format instead.]
Dear readers,
I am proud to present the **alpha version** of our new
= OpenID provider =
You can try it out at [[https://ssl-test.sugarlabs.org/]].
== What is it good for? ==
It enables you to log in to any OpenID enabled site without having to
remember a password. Just enter your OpenID identifier (e.g.
[[https://ssl-test.sugarlabs.org/id/Sascha_Silbe]] or
[[https://sascha.silbe.org/]]) and you'll get logged in.
It also demonstrates some parts of how I envision
[[http://en.wikipedia.org/wiki/Single_sign-on|Single Sign On]] to work
on the Sugar Labs services in the future.
== What should you be aware of? ==
Neither the code nor the specific SSO scheme it's based on has been
audited by anyone (else) yet. While I took measures to protect the
OpenID provider against
[[http://en.wikipedia.org/wiki/Cross-site_request_forgery|CSRF]] attacks,
they might be insufficient or incorrectly implemented. There's also a
chance that the fully automatic login makes additional attack vectors
practical.
**Please do NOT use it to log into accounts you consider valuable,
precious or otherwise important.**
It's just a demo; even the URL will change in the future.
I've focused on the technology for now, so **the UI is still rather
rough** (patches welcome).
== What works? ==
* Creating a client certificate if the browser does not have one
installed yet (not necessary for Browse with the SSO patch applied)
* Registering
* Adding keys to an existing account (i.e. use the same OpenID identifier
from several browsers and/or computers)
* [[http://openid.net/specs/openid-authentication-1_1.html#delegating_authentication|Delegated identities]]
(i.e. you can use the URL of your web site or blog as your OpenID
identifier if you include a specific HTML fragment on the page)
== What does not work yet or is still missing? ==
* Several browsers have known quirks that require mutually exclusive
workarounds on the server side if
[[http://en.wikipedia.org/wiki/Server_Name_Indication|TLS SNI]] is
used. Until we move the OpenID provider to a separate IP address (so
that we don't need SNI), some browsers (e.g.
[[https://bugzilla.gnome.org/show_bug.cgi?id=581342#c17|Epiphany]])
will fail to connect.
* The server certificate is issued by CAcert.org which isn't included
in many browsers. A scary SSL warning will pop up for those.
* Account recovery and change notifications via email are unsupported
* Only a single OpenID identifier per user/account is supported (privacy
concerns)
* [[http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html|PAPE]]
support is missing
* Most
[[http://openid.net/specs/openid-simple-registration-extension-1_0.html|SREG]]
properties are not supported
* [[http://openid.net/specs/openid-attribute-exchange-1_0.html|generic attributes]]
support is missing
== What can YOU do to help? ==
* Try it out!
* Do a security audit.
* Write explanatory text for the UI.
* Do a [[https://git.sugarlabs.org/identity-aggregator/identity-aggregator|code]]
review.
* Provide any other kind of constructive feedback.
Sascha
--
http://sascha.silbe.org/
http://www.infra-silbe.de/
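The "delegated identities" item under "What works?" refers to OpenID 1.1 HTML-based discovery: the relying party fetches the claimed URL (a blog or home page) and reads the `openid.server` and `openid.delegate` link tags from its `<head>`. What follows is an added example written for this page, not code from identity-aggregator or from the post's author. It implements the relying-party side of that step and the checks a cautious RP wants: only `<link>` tags inside `<head>` count (so a tag injected into page content, say through a blog comment, cannot redirect discovery), the claimed URL and the provider endpoint must both be https, the first occurrence of each rel value wins, and the result is turned into the `checkid_setup` redirect. The sample page, the provider endpoint URL `https://ssl-test.sugarlabs.org/openid/server` and the relying party's `return_to`/`trust_root` URLs are constructed assumptions; only the two identifiers appear in the post.

```python
"""Relying-party side of OpenID 1.1 HTML-based discovery with delegation.

Added example for this page; not code from identity-aggregator or from the
post's author. The provider endpoint URL, the sample page and the relying
party's own URLs below are constructed assumptions.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, Optional
from urllib.parse import urlencode, urlsplit


@dataclass
class Discovery:
    server: str    # OpenID provider endpoint (rel="openid.server")
    delegate: str  # identifier the provider knows (rel="openid.delegate"), else the claimed URL


class _HeadLinkCollector(HTMLParser):
    """Collect the first href for each rel value, but only from <head>.

    OpenID 1.1 requires the link tags to be in the HEAD section. Honouring
    that means a link injected into the body (e.g. via a blog comment)
    cannot point discovery at an attacker-controlled provider.
    """

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False
        if tag != "link" or not self._in_head:
            return
        attr = dict(attrs)
        rel, href = attr.get("rel"), attr.get("href")
        if not rel or not href:
            return
        for value in rel.lower().split():       # rel may carry several tokens
            self.links.setdefault(value, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def _require_https(url: str) -> None:
    # A claimed URL fetched over plain http, or a provider reached over plain
    # http, lets a network attacker rewrite the link tags and take over the login.
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-https URL in OpenID discovery: " + url)


def discover(claimed_id: str, page_html: str) -> Optional[Discovery]:
    """Return provider endpoint and delegate for claimed_id, or None when the
    page carries no openid.server link in its head."""
    _require_https(claimed_id)
    collector = _HeadLinkCollector()
    collector.feed(page_html)
    collector.close()
    server = collector.links.get("openid.server")
    if server is None:
        return None
    _require_https(server)
    delegate = collector.links.get("openid.delegate", claimed_id)
    return Discovery(server=server, delegate=delegate)


def checkid_setup_url(disc: Discovery, return_to: str, trust_root: str) -> str:
    """Build the OpenID 1.1 checkid_setup redirect the RP sends the browser to."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": disc.delegate,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if urlsplit(disc.server).query else "?"
    return disc.server + sep + urlencode(params)


# Constructed sample of what a blog front page would carry. The endpoint path
# is an assumption; only the two identifiers come from the post.
SAMPLE_BLOG_PAGE = """<!DOCTYPE html>
<html>
<head>
  <title>sample blog (constructed)</title>
  <link rel="openid.server" href="https://ssl-test.sugarlabs.org/openid/server">
  <link rel="openid.delegate" href="https://ssl-test.sugarlabs.org/id/Sascha_Silbe">
</head>
<body>
  <!-- injected into page content by an attacker: must be ignored -->
  <link rel="openid.server" href="https://attacker.invalid/openid">
</body>
</html>
"""

if __name__ == "__main__":
    disc = discover("https://sascha.silbe.org/", SAMPLE_BLOG_PAGE)
    print(disc)
    print(checkid_setup_url(disc, "https://rp.example/openid/return", "https://rp.example/"))
```

The block stops at the redirect. A real relying party then has to verify the provider's positive assertion on `return_to` (signature check against an association, or `check_authentication` with the provider) and bind the response to the session that started the login, otherwise the https checks above buy little.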