[Yanel-dev] OpenID patch

Evaldas Taroza etaroza at optaros.com
Wed Jan 16 10:03:50 CET 2008


Michael Wechner wrote:
> Evaldas Taroza wrote:
> 
>> Hi everyone,
>>
>> I did a simple implementation for the logging in with an OpenID. After 
>> applying the patch *joid.jar and tsik.jar* must be in the 
>> dependencies. I believe these libraries should be put into Wyona's 
>> Maven repository.
> 
> 
> are there no other public maven where these libs are being hosted (e.g. 
> ibiblio, maven itself)?

I could not find them on the web.
I use joid.jar and tsik.jar as downloaded from SVN together with all the 
sources. Official joid-1.0.2.jar as downloaded from the 
http://code.google.com/p/joid/downloads/list does not include many 
helper classes, e.g. OpenIDFilter.

So we could use those two jars with version 1.0.2-SVN, or something like 
that.

> 
> If not, what versions are these libs (?), such that we can add a version 
> to the Wyona maven repo
> 
>>
>> There are several issues though:
>> 1. When someone logs in with an OpenID a respective user in Yanel is 
>> created. It is not clear which policies this user should have nor to 
>> which group it should belong...
> 
> 
> I would say none. Also I don't think such a user should be created by 
> default, because it would mean a big security hole, but I understand it 
> depends on the situation, e.g.
> 
> - NO: http://www.wyona.com/
> - YES: http://foaf.wyona.org/

I agree this will depend on the application, because every realm can 
have its own default policies.

> 
> also how to configure the trusted openID providers.
> 
> How can we make this configurable or moderateable?

Trusted providers can simply be a list of providers with an assigned 
trust level. I would say that the domain of an OpenID can be assigned 
default policies. E.g. *.myopenid.com - editor, *.aol.com - reader. 
Managing by domain could also solve the problem of creating a user 
inside Yanel, because the profile info is on the provider.


> 
>> So now I preinsert openid-yanel users into some groups, e.g. I put 
>> http---evaldas.taroza.myopenid.com into 
>> ac-identities/groups/editor.xml and then when I log in with my 
>> http://evaldas.taroza.myopenid.com I get the editor privileges. (Note 
>> that the Yanel user id is made out of the OpenID by replacing special 
>> characters, like , * : / & by a dash)
> 
> 
> I guess this would be custom and hence we need to provide a way that 
> developers/integrators can change this.
> 

Yes, that's more like a workaround for testing than a normal implementation.

Evaldas

-- 
+41 79 616 53 76
Optaros - www.optaros.com
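As an added illustration of the two ideas discussed above (deriving the Yanel user id from the OpenID by replacing , * : / & with a dash, and assigning a default role per trusted provider domain such as *.myopenid.com - editor), here is example code written for this note; it is not part of the patch or of Yanel. The class name, the role table and the "reject unknown providers" default are assumptions; the point is that the domain is taken from the verified identifier's host, not from the raw string, so that an identifier merely containing "myopenid.com" in its path does not match.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashMap;
import java.util.Map;

/** Maps an already-verified OpenID identifier to a local user id and a default role. */
public class OpenIdPolicyMapper {

    // Constructed sample table: provider domain pattern -> default role.
    // Providers not listed here get no role and no local user is created for them.
    private final Map<String, String> trustedProviders = new LinkedHashMap<String, String>();

    public OpenIdPolicyMapper() {
        trustedProviders.put("*.myopenid.com", "editor");
        trustedProviders.put("*.aol.com", "reader");
    }

    /** User id as described in the thread: the characters , * : / & become a dash. */
    public static String toUserId(String openId) {
        // This mapping is lossy ("a:b" and "a/b" collide); keep the original
        // identifier next to the user id if such collisions matter for the realm.
        return openId.replaceAll("[,*:/&]", "-");
    }

    /** Default role for the identifier's provider, or null if the provider is not trusted. */
    public String defaultRole(String openId) {
        String host;
        try {
            host = new URI(openId).getHost();   // match on the host component only
        } catch (URISyntaxException e) {
            return null;
        }
        if (host == null) {
            return null;
        }
        host = host.toLowerCase();
        for (Map.Entry<String, String> entry : trustedProviders.entrySet()) {
            String pattern = entry.getKey();
            if (pattern.startsWith("*.")) {
                String suffix = pattern.substring(1);            // e.g. ".myopenid.com"
                if (host.endsWith(suffix)) {
                    return entry.getValue();
                }
            } else if (host.equals(pattern)) {
                return entry.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        OpenIdPolicyMapper mapper = new OpenIdPolicyMapper();
        String id = "http://evaldas.taroza.myopenid.com";
        System.out.println(toUserId(id) + " : " + mapper.defaultRole(id));
        // host here is "evil.example", so no trusted pattern matches
        System.out.println(mapper.defaultRole("http://evil.example/myopenid.com"));
    }
}
```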
