[OpenID] Questions on OpenID Specification for implementation
Martin Foster
martin at ethereal-realms.org
Wed Mar 7 23:46:44 UTC 2007
I have been trying for the last little while to implement OpenID support
on my scripts. I've managed to reach a point where I can authenticate
against Livejournal, but have yet to be able to verify the signature.
In order to get that far, I have basically looked through existing
implementations written in Perl and attempted to decipher what is taking
place. That has proved to be somewhat successful as not all code is
clearly commented and some implementations bounce you around from
sub-routine to sub-routine making it hard to follow.
As a result, I have a few questions. The first of which is related to
the Associate ID. Is this a random identifier or derived from another
value such as say the mac key?
Secondly, how do I confirm a signature per se? I realize that the
elements specified in 'openid.signed' are to be returned in a format
equivalent to the following:
    mode:id_res
    identity:http://someuser.livejournal.com
    return_to:http://somesite/some/directory/to/openid
The rest however I am a bit blurry on:
    base64(HMAC( secret(assoc_handle), token_contents ))
For example, should the mac key not be used? What exactly is secret?
And all of the above makes use of HMAC_SHA1 for the signature or
something else?
Any help on this would be appreciated!
Martin Foster
Creator/Designer Ethereal Realms
martin at ethereal-realms.org
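
Added example, not part of the original message or of any implementation it mentions: a sketch of OpenID 1.1 signature checking, where the secret is the MAC key the provider issued for that assoc_handle during association and the signature is base64(HMAC-SHA1) over the 'key:value' lines listed in openid.signed. The function names, the in-memory association store, the sample key and handle, and the rule that identity and return_to must be covered are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Fields this example insists the signature covers (a defensive assumption).
REQUIRED_SIGNED = {"identity", "return_to"}

def token_contents(params, signed_fields):
    """Key-value form: one 'key:value' line, newline-terminated, per signed field."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode("utf-8")

def sign(mac_key, params, signed_fields):
    """base64(HMAC-SHA1(mac_key, token_contents))."""
    digest = hmac.new(mac_key, token_contents(params, signed_fields), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_id_res(params, associations):
    """Return True only if openid.sig matches the MAC key stored for openid.assoc_handle."""
    mac_key = associations.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return False  # unknown or expired association
    signed_fields = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed_fields):
        return False  # identity or return_to would be unauthenticated
    if any("openid." + f not in params for f in signed_fields):
        return False  # a field named in openid.signed is missing from the response
    expected = sign(mac_key, params, signed_fields)
    received = params.get("openid.sig", "")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))

def constructed_response():
    """Constructed sample: a 20-byte key and an id_res response signed with it."""
    associations = {"handle-1": bytes(range(20))}
    params = {
        "openid.mode": "id_res",
        "openid.identity": "http://someuser.livejournal.com",
        "openid.return_to": "http://somesite/some/directory/to/openid",
        "openid.assoc_handle": "handle-1",
        "openid.signed": "mode,identity,return_to",
    }
    params["openid.sig"] = sign(associations["handle-1"], params,
                                ["mode", "identity", "return_to"])
    return params, associations

if __name__ == "__main__":
    sample_params, sample_assocs = constructed_response()
    print(verify_id_res(sample_params, sample_assocs))
```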