Fuzbolero .'s Library tagged authentication → View Popular

Filter:
All
Annotated

18 Mar 09

phpMyID: stand-alone OpenID Identity Provider

siege.org/phpMyID - Preview

openid php authentication opensource gpl security software identity-management

phpMyID is a standalone, single user, OpenID Identity Provider.

An OpenID is not an account! - simonwillison.net

(2007 post.)

simonwillison.net/...account - Preview

openid authentication security reference

The key thing here is that you should never trust an OpenID on its own. It could be a real person, or it could be a spammer, psycopath or general undesirable.

Does this mean OpenID is completely useless? Absolutely not! You just have to think of it in the same way that you think of username and password combinations: as the “key” to an account.
The trust issue is now null and void. An OpenID is just as trustworthy as a regular username and password (which could have been posted to bugmenot and shared with thousands of people).
1 more annotations...
- One last time: an OpenID is not an account. Just treat it as an alternative to a traditional username and password and you can’t go wrong.

Feature request: Integration of idselector instead? | drupal.org

Hmmm. Ideally, such functionality should be based on either opensourced solutions or go directly towards an OpenID provider you trust. Not good lacking insight into the code of security features.

drupal.org/306200 - Preview

drupal cms modules security authentication openid opensource security-management

Comfortable OpenID Login Box
The problem with ID Selector isn't open source, is it?
2 more annotations...
- It's not open source, but it allows you to include a .js file which will re-theme your openid form using it's super-easy-to use id selector.
- It almost works 100% out of the box with 1 issue I've noticed so far. The id selector .js aggressively wants to be the default form of logging in.

Another blog about OpenID - ignisvulpis.blogspot.com

See also list of other blogs about "identity" along the sidebar on that blog.

ignisvulpis.blogspot.com - Preview

openid blog authentication reference development

NotSoRelevant.com - a blog about OpenID

notsorelevant.com - Preview

blog openid authentication webservice-integration development

On OpenID Gaining Momentum: 30,000 Sites, Half a Billion Accounts « The Real McCrea

therealmccrea.com/...on-openid-gaining-momentum - Preview

openid articles authentication cms-related development

Two nice pieces yesterday on how OpenID picked up steam in 2008. David Recordon’s post at OpenID.net is simply entitled 2008:Momentum. It offers a great review of the progress made last year:

IDselector.com - Making OpenID easier

www.idselector.com - Preview

openid authentication web2.0 webdev webservice-integration

- Helps new users get and remember their OpenID.
- "One click" login experience for return users.
- Consistent login experience across OpenID enabled websites.

Facebook Authentication module | drupal.org

drupal.org/facebook_auth - Preview

drupal cms modules security authentication webservice-integration fup facebook

Should support most uses of facebook authentication.

OpenID Provider (OP) Delegation - wiki.openid.net

wiki.openid.net/OP-Delegation - Preview

openid authentication specification reference documentation

This page exists to track information relating to the OpenID Provider Delegation Extension 1.0.

OpenID Provider Delegation Extenstion - Draft 1 - wiki.openid.net

wiki.openid.net/...elegation-extension-1_0-1.html - Preview

openid authentication specification reference documentation

This document specifies an extension to OpenID Authentication 2.0
Discovery. This extension allows an end-user to delegate authority
over a particular OpenID Identifier to divergent OpenID Providers
(OP's), depending on certain characteristics of a Relying Party
and/or certain characteristics of an OpenID transaction.

This extension specifies three categories under which Identifier
authority can be delegated: Service, Class, and Domain. For example,
an Identifier might specify a different authoritative OP depending
on the Service (e.g., OpenID 2.0, OAuth, and others); the RP Domain
(*.example.com); or a pre-defined service Class (e.g., one OP for
single-factor auth, and another OP when two-factor Auth is
required).

By providing OpenID Identifiers with the ability to specify multiple
OP's based on particular characteristics of each OpenID transaction,
users will be able to utilize the best OP for any particular OpenID
transaction.

05 Mar 09

The Launchpad OpenID module allows you to use Launchpad as a single sign-on provider for your Drupal site. This requires a modified version of the OpenID module for Drupal 5.x to be installed.

OpenID Teams | drupal.org

drupal.org/openid-teams - Preview

drupal modules security authentication openid

The OpenID Teams module is an OpenID extension which allows you to assign Drupal roles to users each time they log in, based on their membership of teams you specify which are provided by their OpenID provider.

29 Jan 09

OpenId Minus Id Equals Wide Open - Sam Ruby - intertwingly.net

intertwingly.net/...enId-Minus-Id-Equals-Wide-Open - Preview

openid implementations security identity-management authentication reference insight

What concerns me is that people may use such a URI for delegation. If Jorgen, for example, were to add such a generic URI as his openid.delegate link, then anybody who has a windows live id could authenticate using his blog URI.

What concerns me more is if somebody follows these instructions for delegation. Then anybody with a Windows Live id could authenticate using his blog.
I don’t think that this means that there is a case where either Microsoft or Yahoo! would return the same OpenID URL in their response. Rather if I were to type in “http://david.openid.live-int.com/” to an OpenID Relying Party, Microsoft’s provider would ignore this and have me choose the OpenID I wish to use after logging in on Live.com. So, I don’t think this means that any two users will have the same OpenID
19 more annotations...
- In this case, you shouldn’t pay attention to the user-typed-in identifier, but rather to the identifier that the OP handed back to you at the end of the process.
- Somebody posted a comment here with the URI of johnpanzer.com. jonhpanzer.com asserts that the owner of that web site also owns some screenname at AOL. If the OP for AOL ignores my request to validate that the person behind the keyboard owns that screenname, but tells me instead that that person owns some other unrelated property, what can I assume about the original assertion that the person leaving the comment is the owner of johnpanzer.com?
- I should probably clarify a few things from that post. I wrote it assuming that my audience was familiar with the ins and outs of OpenID Auth 2.0, but obviously there are some finer points that are not obvious.
- First though, let me note that I wrongly accused Microsoft’s implementation of this behavior when in fact their implementation operates as expected. Yahoo!'s implementation is ignoring openid.identity, though.
- Now consider that I’m at an RP site and I’m about to log in. There are various things I can type into the OpenID login box...
- 2. If I type “yahoo.com”, the RP determines during discovery that this is an “OP identifier” rather than a normal OpenID identifier, so I get sent over to Yahoo! to verify the magic, hard-coded “identifier_select” identifier. Yahoo! sends back a positive assertion for http://me.yahoo.com/a/example, which becomes my identifier.
- 3. If I type in “http://me.yahoo.com/a/samruby”, the RP sends me over to Yahoo! with openid.identity set to http://me.yahoo.com/a/samruby . Yahoo! ignores this value and sends back what is effectively an unsolicited positive assertion for http://me.yahoo.com/a/example which, if the RP supports unsolicited positive assertions (it’s only a SHOULD), becomes my identifier. If it doesn’t, signin fails.
- So as you can see, the two outcomes here are either you get signed in as an identifier you rightfully own or signin fails.
- There is no case where two distinct users get the same identifier, nor any case where one user can sign in as another. If anything different happens to what I’ve described above, the RP is broken.
- Yahoo!'s ignoring of openid.identity is a user experience issue, not a security issue.
- The only security-related problem here is that a user who is logged in as an account other than the one he thinks he’s logged into at the RP may end up disclosing information to an unintended party.
- With other providers that do respect openid.identity, the expected failure conditions happen much earlier allowing them to be responded to in a more sensible way, and users will not unexpectedly get logged into accounts other than the one they specified in the RP login box.
- Unsolicited Positive Assertions aren’t really anything to worry about. All it means is that you’ve got an answer to a question you didn’t ask.
- In the sign-in use case, RPs generally “make the best of it” by signing the user in as whatever identifer was in the positive assertion, regardless of what the user originally entered.
- This is probably what your blog should be doing. Generally this outcome requires no special action on your part since the Consumer library will hand you the URL that was in the assertion, not the URL that was originally requested.
- If what you’re doing is trying to is verify that a user owns a particular URL, then an unsolicited positive assertion isn’t useful to you, so you can error in this case.
- In order to do this, you need to “remember” somehow what URL you originally asked for, which requires state on your end. You can then compare the original URL with the URL in the assertion and fail if they are not the same.
- In order to support Yahoo!'s behavior (which, in this case, is unfortunately allowed by the spec as a means for “identifier recycling") you’ll need to either remove that equality check and change all of your later code to use response.identity_url instead of session['original_id'], or adapt that check so that it trims the fragment part off response.identity_url before doing the comparison.
- as long as you only use the URL in the assertion and not the URL the user originally entered you’re safe from spoofing. If you care about the OP switching identifiers on you then you need to do a bit of extra work, but this isn’t necessary for the “find a URL to identify this user by” use-case.

06 Jan 09

YubiKey module | drupal.org

drupal.org/yubikey - Preview

drupal modules security authentication encryption qroykm fup

Users can assign one or more YubiKeys to an existing account, and log in using a YubiKey. This offers additional security to the users even over insecure connections.

02 Nov 08

What Would It Take To Have Open CA Authorities? - Slashdot.org

ask.slashdot.org/...1721234.shtml - Preview

security ssl internet gui authentication trust webservices

With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue — the big, scary warning FF3 issues which is very unintuitive for non-technical users. It seems Firefox is pushing more websites in to the monopolistic arms of companies such as Verisign.

31 Oct 08

Digest access authentication - Wikipedia.org description

en.wikipedia.org/...Digest_access_authentication - Preview

drupal security securesite ssl authentication reference

RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication

tools.ietf.org/rfc2617 - Preview

drupal security securesite ssl authentication

This document also provides the specification for HTTP's
authentication framework, the original Basic authentication scheme
and a scheme based on cryptographic hashes, referred to as "Digest
Access Authentication".

Securesite module: Support Digest Authentication - with external reference links | drupal.org

(With references/links to RFC2617 and Wikipedia definition of Digest authentication.)

drupal.org/136822 - Preview

drupal security securesite authentication reference qroykm

Users' passwords are stored when they log in or change their passwords. Passwords are currently stored in the securesite table, but a more secure solution needs to be found, otherwise any user who has permission to use the PHP filter will have access to every other user's password.
Users whose passwords have not been stored can cancel the HTTP authentication dialog and log in with the HTML form.
4 more annotations...
- Considering that we'd have to store the passwords separately for this to work, I think it's a good idea to not include Digest Auth.
- This is doable. We can add a field to the administration page where the user can enter the path to a script that will handle the digest authentication.
- If you look at the notes section of the comments, the Author of the class does talk about the problems of Digest Authentication and browser issues. He recommends SSL, and this makes sense SSL + Basic Auth is more secure than Digest by it’s self.
- Secure Pages module

1 - 20 of 32 Next ›

Showing 20▼ items per page

Selected Tags

authentication

Related Tags

Top Contributors

Click in to find related links.

Groups interested in authenti...

CMS-tech

Members (5)

bookmarks (396)
idnum/

Members (16)

bookmarks (1046)
Ad4dcss/Digital Citizenship

Members (207)

bookmarks (1547)

Related Lists on Diigo

LDAP Authentication

Creating a tie to LDAP via php

Items: 4 | Visits: 18

Created by: Colby Smart
RADIUS/OS X

Items: 1 | Visits: 1

Created by: Jeff Johnson

Diigo is about better ways to research, share and collaborate on information. Learn more »

Join Diigo

Fuzbolero .'s Library tagged authentication → View Popular

phpMyID: stand-alone OpenID Identity Provider

An OpenID is not an account! - simonwillison.net

Feature request: Integration of idselector instead? | drupal.org

Another blog about OpenID - ignisvulpis.blogspot.com

NotSoRelevant.com - a blog about OpenID

On OpenID Gaining Momentum: 30,000 Sites, Half a Billion Accounts « The Real McCrea

IDselector.com - Making OpenID easier

Facebook Authentication module | drupal.org

OpenID Provider (OP) Delegation - wiki.openid.net

OpenID Provider Delegation Extenstion - Draft 1 - wiki.openid.net

OpenID URL module | drupal.org

DrupalPlugins - Help.Launchpad.net

Launchpad integration using OpenID | drupal.org

OpenID Teams | drupal.org

OpenId Minus Id Equals Wide Open - Sam Ruby - intertwingly.net

YubiKey module | drupal.org

What Would It Take To Have Open CA Authorities? - Slashdot.org

Digest access authentication - Wikipedia.org description

RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication

Securesite module: Support Digest Authentication - with external reference links | drupal.org

Selected Tags

Related Tags

Sponsored Links

Top Contributors

Groups interested in authenti...

CMS-tech

idnum/

Ad4dcss/Digital Citizenship

LDAP Authentication

RADIUS/OS X