[OpenID] OpenID MediaWiki Extension v.0.8.4.1 - Identity Providers UI

Peter Williams pwilliams at rapattoni.com
Mon Apr 20 23:35:59 UTC 2009


Does it make sense for Yahoo to warn users against using an RP when that realm fails to publish an RP XRDS... but then release the sensitive assertion to the very same realm "without warning" when someone MITMs that (unauthenticated) XRDS (absent SSL/HTTPS)?

________________________________
From: Sergey Chernyshev <sergey.chernyshev at gmail.com>
Sent: Monday, April 20, 2009 11:33 AM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: Allen Tom <atom at yahoo-inc.com>; Wikimedia developers <wikitech-l at lists.wikimedia.org>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID MediaWiki Extension v.0.8.4.1 - Identity Providers UI

Unfortunately, it might be quite hard for MediaWiki admins to set up SSL compared to what they do to set up MediaWiki or its extensions. Looks like XRDS is the "easier" approach to implement.

        Sergey


On Sun, Apr 19, 2009 at 3:46 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
This could be interesting of itself in the UCI spirit of OpenID.

One can use Yahoo's willingness to rely without warning on an https realm as an authentication scheme. Yahoo implies that the https cert on an https realm is "valid" (wrt its trust list, its handling of CRLs and ARLs). A reputation service can now crawl which sites Yahoo so rates, and publish a meta reliance signal (by updating its OCSP database, for example). Those RPs doing discovery on smaller OPs might configure their SSL client engines to use that OCSP source, when qualifying the original Yahoo RP (now acting as an asserting or attribute authority/agent of the data owner, i.e. the user).

________________________________
From: Allen Tom <atom at yahoo-inc.com>
Sent: Sunday, April 19, 2009 12:34 PM
To: Sergey Chernyshev <sergey.chernyshev at gmail.com>
Cc: Wikimedia developers <wikitech-l at lists.wikimedia.org>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID MediaWiki Extension v.0.8.4.1 - Identity Providers UI

Hi Sergey,

The Yahoo OpenID Provider will display a warning to the user if the RP's OpenID endpoints are not discoverable.

Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate.

The best documentation for fixing this issue is here: http://blog.nerdbank.net/2008/06/why-yahoo-says-your-openid-site.html

The AOL Sign-in form fails if the user just clicks the Login Button without entering their AOL ScreenName. You might want to disable the button until after the user types in their ScreenName. This will only be an issue until AOL upgrades their OpenID Provider from OpenID 1.1 to OpenID 2.0. Once they have OpenID 2.0 support, you'll be able to handle AOL logins identically to Google and Yahoo.

Good job!
Allen


Sergey Chernyshev wrote:
Hi,

I'm done with initial implementation of Identity Providers UI for OpenID MediaWiki Extension.

Extension now shows a user-friendly (although my design skills are far from perfect) form where they can pick from a list of OpenID providers (generic OpenID URL form is still default).

You can see it in action here:
http://www.mediawikiwidgets.org/Special:OpenIDLogin
http://www.techpresentations.org/Special:OpenIDLogin (without icons - I'll enable them later)

After some discussions and concerns here on the list, I implemented it in the way that provider logos don't show up by default and if you would like to show them on your site, you have to add:

    $wgOpenIDShowProviderIcons = true;

to your LocalSettings.php

Hope you like it, but I'm still open to suggestions about improving the interface so you all finally install it on your wikis ;)

Thank you,

       Sergey


--
Sergey Chernyshev
http://www.sergeychernyshev.com/
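
Added example (not part of the thread, and not Yahoo's or the extension's code): a sketch of the RP discovery check the messages above discuss, following the OpenID 2.0 return_to verification rules, with an extra flag for the plain-http case raised in the top message. The wiki.example URLs, function names and result strings are assumptions, the XRDS document is constructed, and wildcard realms are not handled.

```python
# Added example; constructed data, not Yahoo's or the extension's code.
# For XRDS fetched from the network, use a hardened XML parser (e.g. defusedxml).
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"  # XRD namespace in ElementTree notation
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

def _origin(u):
    p = urlsplit(u)
    return p.scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(p.scheme)

def url_matches(url, base):
    """True if url shares scheme/host/port with base and its path is at or below base's."""
    if _origin(url) != _origin(base):
        return False
    path, root = urlsplit(url).path or "/", urlsplit(base).path or "/"
    return path == root or path.startswith(root if root.endswith("/") else root + "/")

def rp_endpoints(xrds_xml):
    """URIs of every Service element that advertises the return_to type."""
    uris = []
    for svc in ET.fromstring(xrds_xml).iter(XRD + "Service"):
        kids = [(c.tag, (c.text or "").strip()) for c in svc]
        if (XRD + "Type", RETURN_TO_TYPE) in kids:
            uris += [text for tag, text in kids if tag == XRD + "URI"]
    return uris

def check_rp(realm, return_to, xrds_xml):
    """Classify a request the way an OP could before releasing an assertion."""
    if not url_matches(return_to, realm):
        return "reject: return_to outside realm"
    endpoints = rp_endpoints(xrds_xml) if xrds_xml else []
    if not any(url_matches(return_to, e) for e in endpoints):
        return "warn: RP endpoint not discoverable"
    if urlsplit(realm).scheme != "https":
        return "warn: discovery matched, but XRDS fetched over plain http"
    return "ok"

# Constructed XRDS document for a hypothetical RP at wiki.example.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="1">
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>https://wiki.example/Special:OpenIDFinish</URI>
  </Service></XRD>
</xrds:XRDS>"""

if __name__ == "__main__":
    print(check_rp("https://wiki.example/", "https://wiki.example/Special:OpenIDFinish", SAMPLE_XRDS))
```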


