[OpenID] Questions on OpenID Specification for implementation

Martin Foster martin at ethereal-realms.org
Wed Mar 7 23:46:44 UTC 2007


I have been trying for the last little while to implement OpenID support 
on my scripts. I've managed to reach a point where I can authenticate 
against Livejournal, but have yet to be able to verify the signature.

In order to get that far, I have basically looked through existing 
implementations written in Perl and attempted to decipher what is taking 
place.   That has proved to be somewhat successful as not all code is 
clearly commented and some implementations bounce you around from 
sub-routine to sub-routine making it hard to follow.

As a result, I have a few questions. The first is related to 
the Associate ID. Is this a random identifier or derived from another 
value such as, say, the mac key?

Secondly, how do I confirm a signature per se? I realize that the 
elements specified in 'openid.signed' are to be returned in a format 
equivalent to the following:

  mode:id_res
  identity:http://someuser.livejournal.com
  return_to:http://somesite/some/directory/to/openid

The rest however I am a bit blurry on:

   base64(HMAC( secret(assoc_handle), token_contents ))

For example, should the mac key not be used? What exactly is secret? 
And does all of the above make use of HMAC_SHA1 for the signature, or 
something else?

Any help on this would be appreciated!

	Martin Foster
	Creator/Designer Ethereal Realms
	martin at ethereal-realms.org
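The signature formula quoted in the post, worked through as an added example (not code from the poster or from any of the Perl implementations he mentions). It assumes the OpenID 1.1 rules: the base64-encoded mac_key from the association response is the "secret(assoc_handle)", token_contents is the key:value-newline form over the fields named in openid.signed, in that order, and the HMAC is HMAC-SHA1; all values below are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from a real association or provider).
# The association response carries a base64-encoded mac_key; that key is
# the "secret(assoc_handle)" in base64(HMAC(secret(assoc_handle), token_contents)).
SAMPLE_MAC_KEY_B64 = base64.b64encode(b"0123456789abcdef0123").decode()
SAMPLE_RESPONSE = {
    "openid.mode": "id_res",
    "openid.identity": "http://someuser.livejournal.com",
    "openid.return_to": "http://somesite/some/directory/to/openid",
    "openid.assoc_handle": "{HMAC-SHA1}{constructed-handle}",
    "openid.signed": "mode,identity,return_to",
}


def token_contents(response: dict) -> str:
    """Build the "key:value\\n" form over the fields listed in openid.signed,
    keeping the order openid.signed gives them; the "openid." prefix is dropped
    from each key, which yields exactly the three lines quoted in the post."""
    fields = response["openid.signed"].split(",")
    return "".join(f"{field}:{response['openid.' + field]}\n" for field in fields)


def sign(response: dict, mac_key_b64: str) -> str:
    """base64(HMAC-SHA1(mac_key, token_contents)): the value openid.sig carries."""
    key = base64.b64decode(mac_key_b64)
    digest = hmac.new(key, token_contents(response).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(response: dict, mac_key_b64: str) -> bool:
    """Recompute the signature from the received fields and compare it to
    openid.sig in constant time. A mismatch means a signed field was altered
    in transit or the response was signed under a different association."""
    expected = sign(response, mac_key_b64)
    return hmac.compare_digest(expected, response.get("openid.sig", ""))
```

Note that only the fields named in openid.signed are covered, so the relying party must check that the fields it relies on (at least mode, identity and return_to) actually appear in that list before trusting a verified response.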
