[OpenID] missing the final piece, leveraging openid with foaf+ssl
Peter Williams
pwilliams at rapattoni.com
Wed Sep 9 15:12:32 UTC 2009
I updated it, to make it more easily repeatable. Failure points at the end.
Install and configure www.opera.com browser, setting a master password. Then
1. Install, configure and enable opera unite (makes your browser into a web server while you are signed into the opera cloud).
2. Arm and start your new web server, mapping virtual directory "a" to the desktop area of the physical file system
3. Give virtual folder /a "public" access, and create an index.html file. Ensure the public can see your index content at http://*.*.operaunite.com/a
4. Use Opera browser's Tools->Preferences->Advanced->Downloads->Add to add "application/rdf+xml" for file type of "rdf"
5. Restart web browser to restart web server.
6. Copy the xml stream (a foaf file) shown below to a new file named me.rdf, stored on your desktop
7. Edit the me.rdf file to change personal attributes values for Peter to your values, and replace the homepage URL to use your own opera unite hosting URL. (Note how directory /a correctly becomes /a/content )
8. Use opera to navigate to http://foaf.me/simpleCreateClientCertificate.php, and cite your "http://*.*.operaunite.com/a/content/me.rdf#me" opera unite url as your webid. Fill out the cert template, put the domain name in the cn field (optionally), and remember the cert's private key password. Save the resulting .p12 file to desktop with a file name that has NO #me component (if present in the suggested filename).
9. Use opera's Tools->Preferences->Advanced->Security->Manage Certificates->Import (p12) to arm SSL client certificate support in Opera
10. In opera, goto https://foaf.me/RDF_Representation_of_a_X.509_Client_Certificate.php . Present the client cert, and note the resulting RDF. Find the RSAPublicKey in the result, and replace my value with your value... in your desktop's me.rdf file.
11. In Opera, goto https://foaf.me/simpleLogin.php to try out foaf+ssl
12. Things are correct if the report has the form as follows:
FOAF+SSL Simple Login Page
The login Suceeded! Authenticated as: http://*.*.operaunite.com/a/content/me.rdf#me
Technical Explanation:
SSL Client Certificate: detected!
Client Certificate Public Key detected! (HEX):
Array
(
[modulus] => DAB11EBD01E48B4BAB9F9088877701583B1E07CF318062ACB27B1EE951A03234071674FFB590903CEAB1F6B9319EB40342A731821E3BC12E975E4A63EA6039D6BC7889DD115E475DB2BA2A3437197E283FAE43FC68BC91098DC25C370A4B6EF53D597FBB58DDEBE6E8321B3435A476B088A9D99E75121FD805F77D79DBF75EA1
[exponent] => 010001
)
Subject Alt Name (FOAF Profile): detected!: http://*.*.operaunite.com/a/content/me.rdf#me
FOAF Remote Public Key found in http://*.*.operaunite.com/a/content/me.rdf#me:
Array
(
[modulus] => DAB11EBD01E48B4BAB9F9088877701583B1E07CF318062ACB27B1EE951A03234071674FFB590903CEAB1F6B9319EB40342A731821E3BC12E975E4A63EA6039D6BC7889DD115E475DB2BA2A3437197E283FAE43FC68BC91098DC25C370A4B6EF53D597FBB58DDEBE6E8321B3435A476B088A9D99E75121FD805F77D79DBF75EA1
[exponent] => 10001
)
13. Using opera and your client cert, goto https://ophelia.g5n.co.uk:10443/help.cgi and confirm the page reports positively (i.e. doesn't say 'The help.cgi script wasn't prepared for your setup!' or similar). You are ready for openid trials, if so.
14. Use your opera unite server to host a vanity openid (e.g. http://homepw.myopenid.com) using the index.rdf file. Add a link tag to the head section of the html markup as follows, replacing home.homepw with your own opera unite values
<HEAD>
<link href="https://ophelia.g5n.co.uk:10443/openid/provider.cgi?webid=http%3a%2f%2fhome.homepw.operaunite.com%2fa%2fcontent%2fme.rdf%23me" rel="openid.server" title="FOAF+SSL OpenID Server" />
</HEAD>
15. Amend the openid identifier in the me.rdf descriptor with your opera unite path.
16. Using Opera, navigate to a conforming openid RP: http://www.freexri.com/user/Login/ . Fill out the openid form field with your openid identifier (whose form is http://*.*.operaunite.com/a ). Note if a client cert is requested.
17. If you apply a spying proxy, note that the RP redirects to Location: https://ophelia.g5n.co.uk:10443/openid/provider.cgi?webid=http%3a%2f%2fhome.homepw.operaunite.com%2fa%2fcontent%2fme.rdf%23me&openid.identity=http%3A%2F%2Fhome.homepw.operaunite.com%2Fa%2Fcontent%2F&openid.return_to=http%3A%2F%2Fwww.freexri.com%2Fuser%2FOpenIDEndpoint%3Fopenid.rpnonce%3D2009-09-09T14%253A34%253A55Z0%26openid.rpsig%3D0MLFKxSN3Izq%252B60ZBOSp3l962RATizT6f9mm%252FnS1yDw%253D&openid.trust_root=http%3A%2F%2Fwww.freexri.com%2F&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.type.name=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fname&openid.ext1.if_available=email%2Cname&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=email%2Cname
That's as far as I can get, as the OP redirects to https://ophelia.g5n.co.uk:10443/openid/error.html (after asking for the client cert). I cannot get it to show it's minting an assertion though.
It doesn't send back an openid assertion to the freexri.com RP, but it does have some interesting material (that I don't understand) on direct and indirect webids. Indirect seems to be about RP-side name linking, so one's long term cert (with a "persistent webid") can map onto a current webid at a different location/provider.
RDF for me.rdf follows:-
<?xml version="1.0" encoding="ISO-8859-1"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
xmlns:foaf="http://xmlns.com/foaf/0.1/"
xmlns:rsa="http://www.w3.org/ns/auth/rsa#"
xmlns:cert="http://www.w3.org/ns/auth/cert#"
xmlns:admin="http://webns.net/mvcb/">
<foaf:PersonalProfileDocument rdf:about="">
<foaf:maker rdf:resource="#me"/>
<foaf:primaryTopic rdf:resource="#me"/>
</foaf:PersonalProfileDocument>
<foaf:Person rdf:ID="me">
<foaf:nick>homepw</foaf:nick>
<foaf:firstName>peter</foaf:firstName>
<foaf:givenName>williams</foaf:givenName>
<foaf:openid rdf:resource="http://*.*.operaunite.com/a"/>
<foaf:homepage rdf:resource="http://*.*.operaunite.com/a/content/me.rdf#me"/>
</foaf:Person>
<rsa:RSAPublicKey>
<cert:identity rdf:resource="#me"/>
<rsa:public_exponent cert:decimal="65537"/>
<rsa:modulus cert:hex="93F860637CDB801FF62920AA23D41C8FAFD3F98AD21783853B59AEC7AE5F01C834915ECDC00631079EF411781E46B450548B8B1F451431F9FFFB1AD51F6C4A991AEC3E4A9D230E9A5FE7D9DF1991AF06D23757D919AC817AF32E31DE5E99D2C1A34789C4E1F3CF632504C9D664319DEF7BDBA4552E9C0FEC899B93BE95B5744B"/>
</rsa:RSAPublicKey>
</rdf:RDF>
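The check that the foaf.me simpleLogin report in the post is performing (public key from the TLS client cert compared against the rsa:RSAPublicKey published for the WebID named in the cert's Subject Alt Name) is shown below as an added example. It is not foaf.me's code and not the poster's; it works offline against a constructed copy of the profile, with the modulus taken from the login report above and the profile fetched through a stub instead of over HTTP. The host name home.homepw.operaunite.com is the one used in the post and is only illustrative. One detail the report makes visible is that the cert side prints the exponent as 010001 and the profile side as 10001, so the two values have to be compared as numbers, not as strings.

```python
# Added example (not foaf.me's or the poster's code): the FOAF+SSL key-matching
# step, run offline. The client cert's key is taken in the form the simpleLogin
# report prints it (hex modulus, hex exponent); the profile is a constructed
# copy of the me.rdf from the post, served by a stub instead of HTTP.
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag, urljoin

RDF_NS = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
RSA_NS = "{http://www.w3.org/ns/auth/rsa#}"
CERT_NS = "{http://www.w3.org/ns/auth/cert#}"

# Constructed fixtures. The modulus is the one the login report prints for the
# cert; the host name is illustrative (it is the one the post uses).
PROFILE_URL = "http://home.homepw.operaunite.com/a/content/me.rdf"
WEBID = PROFILE_URL + "#me"
CERT_MODULUS = (
    "DAB11EBD01E48B4BAB9F9088877701583B1E07CF318062ACB27B1EE951A03234"
    "071674FFB590903CEAB1F6B9319EB40342A731821E3BC12E975E4A63EA6039D6"
    "BC7889DD115E475DB2BA2A3437197E283FAE43FC68BC91098DC25C370A4B6EF5"
    "3D597FBB58DDEBE6E8321B3435A476B088A9D99E75121FD805F77D79DBF75EA1")
CERT_EXPONENT = "010001"  # the report prints it with a leading zero
# The template modulus left in the post's me.rdf: what a profile looks like
# when step 10 (paste your own key) was skipped. Must NOT verify.
STALE_MODULUS = (
    "93F860637CDB801FF62920AA23D41C8FAFD3F98AD21783853B59AEC7AE5F01C8"
    "34915ECDC00631079EF411781E46B450548B8B1F451431F9FFFB1AD51F6C4A99"
    "1AEC3E4A9D230E9A5FE7D9DF1991AF06D23757D919AC817AF32E31DE5E99D2C1"
    "A34789C4E1F3CF632504C9D664319DEF7BDBA4552E9C0FEC899B93BE95B5744B")

PROFILE = f"""<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:foaf="http://xmlns.com/foaf/0.1/"
    xmlns:rsa="http://www.w3.org/ns/auth/rsa#"
    xmlns:cert="http://www.w3.org/ns/auth/cert#">
  <foaf:Person rdf:ID="me"><foaf:nick>homepw</foaf:nick></foaf:Person>
  <rsa:RSAPublicKey>
    <cert:identity rdf:resource="#me"/>
    <rsa:public_exponent cert:decimal="65537"/>
    <rsa:modulus cert:hex="{CERT_MODULUS}"/>
  </rsa:RSAPublicKey>
</rdf:RDF>"""


def fetch_profile(url):
    """Offline stand-in for dereferencing the WebID document (stub)."""
    return {PROFILE_URL: PROFILE}[url]


def hex_to_int(value):
    """Parse hex as printed by the login page or stored in cert:hex. Whitespace,
    colons and case are ignored, so '010001' and '10001' compare equal."""
    return int("".join(ch for ch in value if ch not in " \t\r\n:"), 16)


def _number(elem):
    """Read rsa:modulus / rsa:public_exponent written as cert:hex or cert:decimal;
    both spellings occur in FOAF+SSL profiles."""
    if elem is None:
        return None
    if elem.get(CERT_NS + "hex") is not None:
        return hex_to_int(elem.get(CERT_NS + "hex"))
    if elem.get(CERT_NS + "decimal") is not None:
        return int(elem.get(CERT_NS + "decimal").strip())
    return None


def parse_profile_keys(rdf_xml, doc_url):
    """Return {identity_uri: [(modulus, exponent), ...]} for every rsa:RSAPublicKey
    in an RDF/XML profile. A relative cert:identity such as '#me' is resolved
    against the document URL, so it is only matched if the profile really is
    the document the WebID points at."""
    keys = {}
    for key in ET.fromstring(rdf_xml).iter(RSA_NS + "RSAPublicKey"):
        ident = key.find(CERT_NS + "identity")
        if ident is None or ident.get(RDF_NS + "resource") is None:
            continue  # a key that names no identity vouches for nobody
        modulus = _number(key.find(RSA_NS + "modulus"))
        exponent = _number(key.find(RSA_NS + "public_exponent"))
        if modulus is None or exponent is None:
            continue
        identity = urljoin(doc_url, ident.get(RDF_NS + "resource"))
        keys.setdefault(identity, []).append((modulus, exponent))
    return keys


def verify_client_cert(san_uris, cert_modulus_hex, cert_exponent_hex, fetch):
    """Return the first SAN URI whose profile publishes exactly the certificate's
    RSA key, else None. The TLS layer must already have checked the client's
    proof of possession; this is only the WebID <-> key binding."""
    cert_key = (hex_to_int(cert_modulus_hex), hex_to_int(cert_exponent_hex))
    for webid in san_uris:
        doc_url, fragment = urldefrag(webid)
        if not fragment:
            continue  # a WebID names the person, not the document
        try:
            profile = fetch(doc_url)
        except Exception:  # unreachable profile: this SAN cannot be verified
            continue
        if cert_key in parse_profile_keys(profile, doc_url).get(webid, []):
            return webid
    return None


if __name__ == "__main__":
    print(verify_client_cert([WEBID], CERT_MODULUS, CERT_EXPONENT, fetch_profile))
```

Two things the login page's output does not say out loud: the comparison is on the whole (modulus, exponent) pair, not on the exponent alone (65537 is the same in nearly every cert), and because the WebID here is an http:// Opera Unite URL, the binding is only as strong as the path over which the profile is fetched; anyone who can alter me.rdf in transit can publish his own key under your #me.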