
Welcome to Geeklog Wednesday, May 22 2013 @ 01:41 PM EDT


OpenID pre-announcement

Announcements
  • Monday, May 28 2007 @ 08:30 AM EDT

The first result from our bounties hunt has now landed in CVS: OpenID support, provided by Choplair. And for those of you who are feeling adventurous and don't want to wait for the next Geeklog release, there is also a patch available for Geeklog 1.4.1.

So what is OpenID again? It provides an identity that you can use to log in to all sites that support OpenID. No need to create new accounts with every new site you want to participate in. But note that two problems that OpenID does not solve are trust and spam.

The above patch allows Geeklog to act as an OpenID consumer, i.e. allow users to log into a Geeklog site using their OpenID (much like the remote authentication introduced in Geeklog 1.4.0). It does not enable your Geeklog site to act as an OpenID server, i.e. you will still have to get your own OpenID from somewhere else. There are many places where you can get an OpenID for free (e.g. myOpenID) - or you may even have one already (e.g. if you're an AOL user), as many sites and services already provide OpenIDs for their users.

A word of warning: The OpenID support for Geeklog has not been fully tested yet. There are still some issues to be resolved (e.g. handling of duplicate email addresses). We're releasing this as a patch since it's a popular request and so that we can get more experience with the various OpenID services already out there and with the integration into Geeklog. So while we're looking for your feedback, you should be aware that this patch is not for everyone yet ...

Trackback

Trackback URL for this entry:
http://www.geeklog.net/trackback.php/openid-patch
  • Open ID is here, from Matt's Mindless Musings
  • Tracked on Sunday, June 03 2007 @ 11:57 PM EDT

Now, with some help from the Geeklog gang, this site supports OpenID login.

Today I rewrote the CAPTCHA plugin so it no longer uses PHP sessions. If you don't know what I'm talking about, there is a good chance you won't care too much about this release. PHP sessions are a great way to keep information about a web ...


  • OpenID pre-announcement
  • Authored by: LWC on Monday, May 28 2007 @ 09:18 AM EDT
Also, keep in mind you won't be able to log in to your own site whenever the OpenID server is down. Unless there are multiple servers and it connects to a random server each time someone tries to log in to your site?
  • OpenID pre-announcement
  • Authored by: Dirk on Monday, May 28 2007 @ 09:56 AM EDT

Not sure I understand what you're talking about ...

OpenID is not a centralized system, so there is no "the" OpenID server that can be down. And you wouldn't use an OpenID to log into your own site - that's what the standard Geeklog accounts are for and they still work like always, of course.

OpenID is really like remote authentication (as I already mentioned in the above article). Only there's now a standardized way to create a remote login, so a website doesn't have to support half a dozen different protocols.

  • OpenID pre-announcement
  • Authored by: LWC on Monday, May 28 2007 @ 12:31 PM EDT
Doesn't Geeklog connect somewhere to see if there really is such a user? And if that "somewhere" is down, doesn't it prevent the user from logging in?

Also, I thought I could settle for one global account instead of having multiple admin users in my multiple sites.
  • OpenID pre-announcement
  • Authored by: Dirk on Monday, May 28 2007 @ 02:07 PM EDT

Okay, but any server on the internet can be down at some point - that's the risk when you rely on someone else's resources. However, with OpenID you could run your own OpenID server - then it would be your problem when it's down.

Btw, the "one global account" would work just as well with the existing remote authentication (okay, since the Blogger module isn't working any more, you would effectively be restricted to using a LiveJournal account or roll your own authentication).

  • OpenID pre-announcement
  • Authored by: jmatt on Tuesday, May 29 2007 @ 02:03 PM EDT
I'm glad to see this, since I was one of the requesters. I'll probably implement the patch in the near future.

Concerning the trust and spam issues, it might be nice if future releases have some kind of flag to distinguish OpenId users from local Geeklog users. For example, I'm currently using captcha on my site for comments, contact, etc. I don't require captcha for logged-on users. This has been a pretty effective spam blocker. Combined with the other spam protection, I'm getting zero spam.

If spammers figure out they just need to set up an OpenID for their spambots to get around my captcha, I might have to start requiring captcha for logged on users. That's really not a terrible inconvenience, but it might be nice if there was an option to trust OpenID users a little less than local users.
  • OpenID pre-announcement
  • Authored by: jmatt on Tuesday, May 29 2007 @ 02:38 PM EDT
After I thought about this a little more, I think it might be simpler, and almost as effective (at least for my purposes), to provide an option to require OpenID users to enter a captcha when they log on, and then trust them like regular users.
  • OpenID pre-announcement
  • Authored by: Dirk on Tuesday, May 29 2007 @ 03:00 PM EDT

Remote users of any kind get the service name appended to their username, e.g. Dirk@openid. Well, at least in theory - it may not be fully working everywhere just yet.

And they are all in the "Remote Users" group, which should help restrict their access in some places. And of course you can always ban remote users.

  • OpenID pre-announcement
  • Authored by: jmatt on Saturday, June 02 2007 @ 12:21 AM EDT
OK, I understand a little better now that I've actually installed it. It's cool! I didn't realize openid logon would actually create a userid in the database. I incorrectly assumed it would just be some kind of dynamic pseudo-user.

I still have a potential spam issue. With my current setup, I require anonymous users to be captcha tested to email, comment, etc. I don't require it for logged-in users, because they get captcha tested when they register. One captcha test is enough.

But openid users don't have to pass the captcha test to logon, even the first time when their userid gets created. So a spambot with an openid could bombard me. I realize I could ban or delete the userid (which I didn't realize earlier), but that still gives them an opportunity to do a lot of damage before I catch them. Prevention is better.

So, if I'm going to allow openid login, it looks like I need to require all users to pass the captcha test to do anything that might be abused by a spammer. That's a minor pain, but I can live with it. It would be a little more convenient if there was a way for openid users to get captcha tested the first time they login, or to change the captcha testing options to provide an option to require it for anonymous and remote users.
  • OpenID pre-announcement
  • Authored by: mevans on Sunday, June 03 2007 @ 01:08 AM EDT
I'm working on CAPTCHA v3.0 and I will try to get OpenID support in there. My plan is to make it an option just like anonymous, so you can select to have all OpenID users enter the CAPTCHA if you want. The other big change in v3 will be removing the PHP sessions and replacing it with a db driven solution. PHP sessions seem to cause more problems than they solve right now.

Mark

---
gl Labs - extending Geeklog through plugins - www.gllabs.org
  • OpenID pre-announcement
  • Authored by: LWC on Tuesday, June 05 2007 @ 08:41 AM EDT
Thanks! Don't forget the other types of remote users.
  • OpenID pre-announcement
  • Authored by: jmatt on Tuesday, June 05 2007 @ 10:44 AM EDT
Possible bug, detected by LWC who tested my OpenID implementation. LWC used the OpenID URL bugmenot.openid.com (which I suspect is an opportunity for abuse, but I'll let it slide for a while). That Openid does not have an email address associated with it.

I have an openid server set up for my own use. When I log on to a site (including my own Geeklog site) with my openid URL, my Openid server asks me if I want to trust that site, and indicates what profile information the site has requested. It tells me that my Geeklog site requests Nickname, Email Address, and Full Name, all of which are required.

But apparently, even though email address is "required", if the Openid Server doesn't provide it, the Geeklog Openid implementation apparently allows the login, and creates a remote userid without the email address. When I look at my list of users, I see the "bugmenot" id with no email address.
  • OpenID pre-announcement
  • Authored by: LWC on Tuesday, June 05 2007 @ 01:31 PM EDT
That's a spam site (I suggest some admin deletes it). I used http://bugmenot.myopenid.com (a server which Dirk recommended and it's also the first recommendation in the list in openid.net).

jmatt offered in his site to reject any user that has the ability to not give out their e-mail address to their server. However, the reality is that even the #1 recommended server, Myopenid, does not require an e-mail address (they actually say it's only needed if you want to receive server notifications. How many people do you think will say "Hooray! Notifications!" and give out their addresses?). This means Geeklog has to accept the fact that this server and probably other mainstream servers do not require an e-mail address.

Therefore, rejecting makes no sense (or you'll just boycott every second server). Somehow Geeklog must face remote users without an e-mail address. How, I do not know. Asking them for a local address would hurt the whole purpose, so I hope there's another way out.

You should also know remote users without an e-mail address can't change their Geeklog settings. But most importantly, Geeklog DOES let other users send them e-mail (which is sent to an empty address)!
  • OpenID pre-announcement
  • Authored by: Dirk on Thursday, June 07 2007 @ 07:14 AM EDT

Yep, handling of email addresses is one thing that has to be addressed. Currently, the rest of Geeklog assumes that all email addresses in the system are unique and valid. So that's why you can (attempt to) send an email to OpenID users without an email address. Similar problems occur with duplicate email addresses (neither of those users can change their preferences).

I was aware of the problem with duplicate addresses but not with empty addresses (although I should have been - typekey.com doesn't send them out and you can't even change that).

Well, that's one of the reasons why we made the patch available: To find issues like this early.

  • OpenID pre-announcement
  • Authored by: LWC on Thursday, June 07 2007 @ 12:16 PM EDT
Ok, thanks.
  • OpenID pre-announcement
  • Authored by: jmatt on Thursday, June 07 2007 @ 12:35 PM EDT
LWC and I have had some discussion about this on my own site, which can be seen at the trackback link above if anybody is interested. I won't repeat it all, but basically there are a lot of things that can be considered. Some of them may be reasonable and some may not.

I think one obvious step would be to change the Geeklog Openid consumer code to reject any openid login which does not provide an email address. This should be fairly simple to do. Some people might not like the idea of giving their email address to an openid server, and then letting the server give it out to sites that ask for it. I say too bad ... if you want to register on sites that require an email address, you have to be prepared to give it to them. Your openid server gives you control over which sites get your email address (at least mine does), so as long as you trust your openid server to do what it says, this shouldn't be an issue. If you don't want to give your email address to a site that requires it, don't register on that site.

Of course, just because an openid request includes an email address, that doesn't necessarily mean it's a good address. Somebody could get around the requirement by sticking in a dummy address. I suppose the Geeklog code could do some simple checking (is it syntactically valid, does the domain exist, does it have a responding SMTP server, etc.), but to really make sure that it's a legitimate address that belongs to the requester probably requires some sort of confirmation message. And I don't know how easy that is to add. The current system for local users has built-in confirmation, since the user has to use the password emailed to him. If he doesn't provide a good address, he doesn't get the password. Obviously that doesn't work for openid users, who don't need a password. There could be some system for emailing a confirmation code that would be required for the first login, but that might get too complicated.

I should correct one minor error in one of my previous comments. I got a little sloppy. I said that LWC had used the id bugmenot.openid.com on my site, and he said that wasn't him because he used bugmenot.myopenid.com. In fact, I just mistyped the address. There is only one bugmenot registered on my site, and it is bugmenot.myopenid.com. I haven't (yet) been hit by a spammer with an openid login.

Speaking of spammers, I am seeing a lot of log messages like:

Unable to find an OpenID server for the identity URL <spam link deleted>

I don't think the spammers are really trying to use openid, because the URLs look more like normal spam links than real Openid URLs (I couldn't post a real example because spamx rejected my post with the spam link in it). I realize that theoretically any valid URL could be an Openid, but I'm pretty sure these aren't.

I think they're just sticking their URLs into anything that looks like a place to submit a URL hoping it will show up somewhere.

  • OpenID pre-announcement
  • Authored by: Dirk on Thursday, June 07 2007 @ 01:35 PM EDT

I'm also beginning to think that we should be rejecting logins without an email address. The only thing that's holding me back is that we will effectively be blocking services that simply don't provide that information, e.g. typekey.com. Other services, like myopenid.com, handle that much better in that they let you choose between different personalities. So if you don't want to hand out your "good" email address, you could use a personality with one that's only a spamtrap.

As for OpenID spam: That has already happened. The ones you saw, though, are only stupid spambots that simply fill out every form they find. I got one of those within minutes when I first tried out the patch on a public website ...

  • OpenID pre-announcement
  • Authored by: LWC on Tuesday, June 05 2007 @ 01:33 PM EDT
If I change my full name or address in my Open ID server, will Geeklog check for any changes on my next login and always have its own database updated?
  • OpenID pre-announcement
  • Authored by: Dirk on Thursday, June 07 2007 @ 07:03 AM EDT

The account is not updated on subsequent logins.

  • OpenID pre-announcement
  • Authored by: LWC on Thursday, June 07 2007 @ 12:18 PM EDT
Well, I hope you'll consider checking for changed details in every login. Otherwise, the whole concept of one global account gets lost (if I change my address, I'll have to change it in every site).
  • A word of warning ...
  • Authored by: Dirk on Monday, June 11 2007 @ 02:58 PM EDT

My hosting service just shut down geeklog.info due to it overloading the webserver. Turns out some spammer thought it was a good idea to post his URLs in the OpenID login - lots of them ...

We really need:

  • a speedlimit (should have thought of that earlier!)
  • to run the login URL through Spam-X
