gmane.comp.web.openid.general

[OpenID] General questions for developing an OpenID portal

Scott Johnson — 2013-03-23T01:20:03

 

Hello,

 

  I've been reading up on the docs for both DotnetAuth and OpenID
lately.  I have a few questions as I'm not fully understanding the
different pieces that would be necessary to code to create my own OpenID
provider and portal.  I was hoping someone can tell me specifically what
pieces I need to code for what I need to do below.

 

  I do have very specific technical reasons why I need to develop my own
OpenID portal in my product line.  

 

My current product manages user IDs.  

 

What I need my program to do is create a page of links(portal), eg.
Google Apps, Moodle, etc... on a page that a user can click on which
will then pass them through to the site with their currently logged in
credentials (SSO).

 

I know I'll need to code an identity provider.  But will I need to code
a relaying party for the local portal to work?

 

Thanks for your insight; it's much appreciated!

 

_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid

Re: [OpenID] German eID Card now used with OpenID

Nat Sakimura — 2013-03-15T21:54:11

I could read this article better:
Institute for Internet Security testing registration for online services
with a new ID card

http://www.uni-protokolle.de/nachrichten/id/253528/

2013/3/16 Nat Sakimura <sakimura< at >gmail.com>

[OpenID] German eID Card now used with OpenID

Nat Sakimura — 2013-03-15T21:49:38

I just came across with this article of March 4.

I cannot read German so google translating it. I do not know the fidelity
of it, but apparently the combination of German eID and OpenID was app
approved by the State Procurement Agency for authorization certificates
(VfB) so that official website operator can authenticate the users with
their eID card their legally. Correct me if I am wrong. Perhaps a German
reader can further explain what it is. I am also interested in how they
implemented the authorization certificate / terminal certificate portion.

http://www.itespresso.de/2013/03/04/kartenleser-pruft-identitat-fur-openid-per-personalausweis/

Best,

[OpenID] Google Declares War on the Password

Nat Sakimura — 2013-01-20T04:11:25

FYI.

Google Declares War on the Password  http://t.co/nLDloxui "USB-based
Yubico log-on devices"

=nat via iPhone

[OpenID] The OpenID Foundation (OIDF) community board memberelection call for nominations

Don Thibeau — 2013-01-14T15:02:38

The OpenID Foundation (OIDF) community board member election call for nominations will open on Monday, January 7.

All members of the OpenID Foundation are eligible to nominate themselves, second the nominations of others who self-nominated, and vote for candidates. If you are receiving this email, you are an OIDF member in good standing and will receive an email on January 7 advising you that the election is open and how to participate.

Voting and nominations are conducted using the OpenID you registered when you joined the Foundation. You will need to log in with your OpenID membership credentials at https://openid.net/foundation/members/ to participate in the nomination and voting. Please send an email to help< at >oidf.org if you experience problems participating in the election.

The Foundation plays an important role in the evolution of Internet identity technologies. Those elected will help determine what role the OIDF should play in helping facilitate faster and broader adoption of open standard identit

[OpenID] Comments New Jersey's decision to allow voting by e-mail.

Don Thibeau — 2012-11-15T15:25:11

Comments New Jersey's decision to allow voting by e-mail.
http://www.crypto.com/blog/njvoting/
https://freedom-to-tinker.com/blog/felten/new-jersey-voting-in-the-aftermath-of-hurricane-sandy/ orhttp://tinyurl.com/b4eevle
https://freedom-to-tinker.com/blog/appel/oral-arguments-124-in-nj-voting-machine-lawsuit/ orhttp://tinyurl.com/axzqq5o

Don Thibeau
The OpenID Foundation



_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

Re: [OpenID] One developer's first encounter with account chooser (openid connect?)

Peter Williams — 2012-11-04T14:11:18

In my little demo of remoted account linking, designed merely to test “what is cheap, unfettered, and commodity, today?” I used  no openid connect protocols (or other elements of standardization) for applying the linking of multiple names, from multiple IDPs. All I did was take the multi-protocol STS concept and bridge some protocols together, with a (stored) claims transformation STS ...managing “aggregated” name/identifier claims in one of the hops.  Furthermore, I used commodity-grade components - as represented by the windows developer community.

 

The STS concept is of course a variant of the old X.500 chaining DSA model from ISO/ITU-T, with certain peering DSAs trusted to act as authentication agents issuing and re-using signed (chained) responses signed in turn by trusted peers. Now, as then, standards for such agents never really cared about bits and bytes, active or passive flows, whether ASN.1 notation or JSON concrete encodings are used; but better architects focused on the architect

Re: [OpenID] One developer's first encounter with account chooser (openid connect?)

Nat Sakimura — 2012-11-04T11:35:44

Looks like what you have done is essentially what we call in OpenID Connect
world 'aggregated claims model'.

As to the role of user centric identity (UCI) is concerned, let us look at
Kim Cameron's definition.

   -

   User-centric: Structured so as to allow users to conceptualize,
   enumerate and control their relationships with other parties, including
   the flow of information.


   -

   Identity: The fact of being what a person or a thing is, and the
   characteristics determining this.

 (source:
http://www.identityblog.com/wp-content/images/2009/06/UserCentricIdentityMetasystem.pdf)

Taken this way, UCI  is very much alive in OpenID Connect.

=nat via iPhone

Nov 3, 2012 11:48、Peter Williams <home_pw< at >msn.com> のメッセージ:

I was never originally very excited by user-centric identity or the notion
of the self-signed CA of SSL website (earlier) - coming partly from the
highly indoctrinated, yes-sire, no sire,  govt world of centralized
security policy management, big sticks, mega-money, and

Re: [OpenID] One developer's first encounter with account chooser (openid connect?)

Peter Williams — 2012-11-03T15:48:03

I was never originally very excited by user-centric identity or the notion of the self-signed CA of SSL website (earlier) - coming partly from the highly indoctrinated, yes-sire, no sire,  govt world of centralized security policy management, big sticks, mega-money, and reams of audit paperwork that nicely masks over the (typically wide) cracks  - to suit the desired governance doctrine of the day.

 

But, over the years, folks of the cryptoanarchy lilt did persuade me to recognize their cause - mostly because no harm has actually emerged. And, a certain novel trust doctrine emerged furthermore - based on low assurance crypto, and low-assurance key distribution. It scales in a manner which I think W3C founder-class thinkers once-called “webby”.

 

Anyways, I don't hear much about “user centric” identity today. Perhaps the funding has gone away, as most folks seem to be taking a trickle of silver coin hoping for the talons of gold on offer from Augustus’ treasury. So I thought I’d go ret

Re: [OpenID] One developer's first encounter with account chooser (openid connect?)

Peter Williams — 2012-10-27T07:39:34

Well I should give apologies to Google, as there IS a local login function in its account creator wordpress integration. Though ...it did take a week to find it. If you type a local account name into the box labeled "email", it does a classical local login (with local password challenge).  So of the two parties I wacked as wrong, both were actually right. So much for Peter.
 OK,  so for my penance at wronging Microsoft, I taught myself to use the firms asp.net website hosted in its azure cloud platform, that comes with OAUTH consumer  capabilities, etc. And it was good. It's consumer friendly, targeting the typical webmaster/mistress. I paid my dues by constructing an open source plugin, that allows any site to talk to an OAUTH v1.0a provider plugin in any suitably-enhanced wordpress instance deployment. This also helps me with work on Mozilla's persona, since they are thinking about oauth (which I now finally dominate, at least up to OAUTH v1.0a). For my penance with Google, Ill now add the GIT (aka account

[OpenID] assurance concepts for OAUTH

Peter Williams — 2012-10-24T17:48:27

I'm taking a good long hard look at OAUTH, these days, mostly because Microsoft have integrated it (much like signed DUA and signed DSA chaining operations from CCITT's X.500 1988 work) into both their Azure Directory tenant services and their data service API frameworks, more generally. This tells me there is a certain maturity - a signal that I'd be prudent to note. One thing I note as I read is an omnipresent assumption - that is really just not warranted. Much of the terminology and the design features implied by wording would have it that oauth tokens are directly consumed by resources, with application-layer access control guards. From everything Ive learned over the last 5 years of token-passing schemes deployment, it is rare - outside webby/scripting php/asp.net type software - that legacy resource systems for lines-of business type software directly consume the tokens. Rather, they have their proprietary/legacy guards and expect to continue to use them - now supported by a translation unit converts

Re: [OpenID] EU OpenID Summit 21th November The Hague Netherlands-45 free seats available

Peter Williams — 2012-10-22T02:43:22

Looking at the tight definitions of the target markets (that included none of the user centric markets envisioned by the designers of openid1 and openid2) perhaps says who is not targeted.

If that's me and my type of user, then perhaps we stop forcing the issue. (We are a large decentralized group, tied by law to de-federated structures (us states, their counties etc)).

Is Openid perhaps  just the wrong technology (these days) god these types of groups?

Sent from my iPhone

On Oct 21, 2012, at 4:26 PM, "John Bradley" <ve7jtb< at >ve7jtb.com> wrote:

_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

Re: [OpenID] EU OpenID Summit 21th November The Hague Netherlands -45 free seats available

John Bradley — 2012-10-21T23:18:04

I think this is Wednesday Nov 21 and not Thursday Nov 22.  

John B.
On 2012-10-21, at 3:08 PM, nieuws groep <nieuwsgroep< at >evidos.nl> wrote:


_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general

[OpenID] EU OpenID Summit 21th November The Hague Netherlands - 45free seats available

nieuws groep — 2012-10-21T22:08:46

All,

The OpenID Foundation is hosting an EU OpenID workshop as a joint event
with the Identity.Next Conference on November 21th.  It will be held in The
Hague, The Netherlands. The OpenID Foundation runs a series of workshops
like this one for business decision makers, as well as running other OpenID
summits that are more technical.

The event is for the owners of consumer websites, citizen oriented
government sites, and enterprise SaaS services to discuss how to improve
login systems by using techniques such as OAuth <http://oauth.net/2/>, OpenID
<http://openid.net/>and an Account Chooser <http://accountchooser.com/>.

Please join us on Thursday, November 21th, 2012 from 11:00 until 15:00 GMT.

We have 45 free seats available to visit the OpenID summit on the second
day. The Identity.Next event is a two day event, people are also able to
attend to first day with only a one-day entrance fee. Check the
identity.next website for more information about the conference (
www.identitynext.com).

REGISTER NOW! Reg

Re: [OpenID] One developer's first encounter with account chooser (openid connect?)

Nat Sakimura — 2012-10-18T22:42:24

You do not need a membership of OIDF to join a work group.
For a work group to take up any technical content, the author of the
content has to sign the IPR Contribution Agreement, and that is the only
requirement. I am sure you understand we need the contribution agreement,
since otherwise it may cause IPR pollution and cause a lot of problems down
the road. As such, the WG cannot incorporate any comments made in General
list, as it is not IPR protected.

Wrt the implementations, the AC WG is working on the spec that people can
implement independent of Google toolkits.
So, eventually, you will start to see other implementations from other
people than Google.

Nat

On Fri, Oct 19, 2012 at 5:06 AM, Peter Williams <home_pw< at >msn.com> wrote:

Re: [OpenID] One developer's first encounter with account chooser (openid connect?)

Peter Williams — 2012-10-18T20:06:21

Thankyou but no. General comment is my limit, given the wider implications of membership, etc. General comment is what this list is for.

 

But, to be fair to Google, I did conclude my original idea (simply making wordpress talk to an IDP, leveraging the Account Chooser intermediation, with auto-account creation). I wrote up my own little efforts at a trial at http://wp.me/p1fcz8-30a. It says... the technology works. Then some of the implications of “working” integration are explored, without being academic.

 

If I was more sociable, perhaps Id have been on some Account Chooser or wordpress plugin list that could have given direction, earlier. At the same time, by operating blind, its been useful to view the integration very skeptically. Questioning the policy implications of the intermediation service came about from the nature of the technology integration itself, being obvious. I’m left with a stronger question to now ask: would I want it (now it works)?

 

Its been a little unfair t

Re: [OpenID] One developer's first encounter with account chooser (openid connect?)

Peter Williams — 2012-10-18T16:57:25


Let me withdraw the Microsoft comment. The 2012 visual studio release tools showcasing OAUTH/openid interaction into webapps work just fine, *out of the box*. Certain patterns of using the tool’s “designers” for so-called user controls cause an automatic code generator to produce unlinkable code in oauth-related modules, as an HTML control is reflected in a so-called code-behind (designer) file. But that's my issue, not theirs. I have to master the tool, including its weirdisms. When machines start to think, they tend to confound me..

 

Out of the box and as I established all during the last year with the various beta releases of the tool chain, the visual studio templates for federated logon in the Microsoft  “showcase” webapp designs do a superb job of federated login - using opened/oauth (in addition to other protocols). This is what I would expect of Microsoft (after the passport debacle, and the wholesale rethinking of how to deal with the cryptopolitics on the SSO topic); and they d

Re: [OpenID] a developers first encounter with account chooser (openid connect?)

Nat Sakimura — 2012-10-18T01:47:03

I would not speak for Account Chooser. I will let somebody like Eric to do
so.

As far as Connect is concerned, there is a very strong desire to allow
local IdPs including the IdPs that lives on user devices.

Nat


On Thu, Oct 18, 2012 at 3:59 AM, Peter Williams <home_pw< at >msn.com> wrote:

Re: [OpenID] One developer's first encounter with account chooser (openid connect?)

Nat Sakimura — 2012-10-18T01:44:24

Perhaps you can join Account Chooser WG and give your formal feedback so
that the WG can incorporate them?

Nat

On Thu, Oct 18, 2012 at 4:03 AM, Peter Williams <home_pw< at >msn.com> wrote:

[OpenID] a developers first encounter with account chooser (openidconnect?)

Peter Williams — 2012-10-17T18:59:23

In a word: frustrating. http://wp.me/p1fcz8-2YW. It was frustrating on multiple levels, some of them political, some about clearly over zealous monitoring of RP matters, and some due to and obvious lack of willingness to listen to mature RP communities and their requirements for adoption. But, whats new. Obviously the code is fixable, but one worries about the very "idea" - there seems a desperation in the desire to remove local IDPs - including those granting access to privileged administrator configuring (broken) federated logon! To be fair, the default Microsoft ASP.NET web app project built by the released version of visual studio 20102 doesn't work, either - when taking up the federated (OAUTH/openid) login option and its display of a set of IDPs, configured locally. It doesn't even compile, link and load! Thus, I have not even so far as work with its attempt to showcase Openid Connect, or see if things interwork yet with Google's implementation, etc.          ______________________________________

[OpenID] One developer's first encounter with account chooser (openid connect?)

Peter Williams — 2012-10-17T19:03:55

In a word: frustrating. http://wp.me/p1fcz8-2YW. It was frustrating on multiple levels.
 
Obviously the code is fixable, but one worries about the very "idea" - there seems a desperation in the desire to remove local IDPs - including those granting access to privileged administrator configuring (broken) federated logon!
 
To be fair, the default Microsoft ASP.NET web app project built by the released version of visual studio 20102 doesn't work, either - when taking up the federated (OAUTH/openid) login option and its display of a set of IDPs, configured locally. It doesn't even compile, link and load! Thus, I have not even so far as work with its attempt to showcase Openid Connect, or see if things interwork yet with Google's implementation, etc.
 

Sent from Windows Mail_______________________________________________
general mailing list
general< at >lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general