[foaf-protocols] WebID JS/Flash import and export functionality

Dave Longley dlongley at digitalbazaar.com
Wed Aug 25 23:50:59 CEST 2010

On 08/25/2010 05:07 PM, Joe Presbrey wrote:
> IFRAME-based authentication is not REST-ful. Isn't there any other/better way?

Yes, the JS/Flash is a user agent. Load the JS/Flash and then do 
XmlHttpRequests to the URLs you want to hit. See the forge project on 
github for details; it's all open source.


The demo shows how WebID can be integrated into existing websites that 
involve a typical user experience. It lets cookies take over 
authentication after the first WebID pass. One advantage of this 
approach is that it saves websites from having to cache public keys. 
This might result in less state being maintained by a server. Not to 
mention that modern websites are already accustomed to cookie 
authentication. But, of course, that doesn't mean every site has to work 
that way; it's just one way that WebID could be helped forward.

If there is some WebID-enabled API you want to interact with then you 
can write a webapp in JS that makes use of forge to communicate with 
that API. You can customize it however you'd like. No iframes necessary.

> --
> Joe Presbrey
> On Wed, Aug 25, 2010 at 4:21 PM, Dave Longley
> <dlongley at digitalbazaar.com> wrote:
>> The JS/Flash demo now allows private keys and certificates to be imported
>> and exported. The process is a little tedious, but has been tested
>> successfully with Firefox and Safari.
>> Creating a demo JS/Flash WebID or Importing an existing WebID to a JS/Flash
>> WebID provider:
>> Go here, to a JS/Flash WebID provider:
>> https://webid.digitalbazaar.com/manage/
>> To create a JS/Flash WebID fill out the appropriate information and click
>> 'Create'. More fields are available under 'Advanced'.
>> If you have an existing WebID (e.g. one you may have created on foaf.me to
>> test WebID) that you want to import you must first get the private key and
>> certificate for that WebID. If you are using Firefox you can go to
>> Preferences->Advanced->View Certificates and click the 'Backup' button. This
>> will create a PKCS#12 file (.p12). You can use openssl to extract the
>> private key and certificate from this file like so:
>> For a PKCS#12 file 'example.p12', run:
>> openssl pkcs12 -info -in example.p12 -nodes
>> The output should include the PEM data for your RSA Private Key and your
>> Certificate. You can cut and paste each of these directly into the import
>> form at https://webid.digitalbazaar.com/manage/. I assume that most people
>> that are interested in this are familiar with PEM and openssl key conversion
>> processes.
>> Next click the 'Import' button and wait a little while for the process to
>> complete. Once it completes, your WebID should now be shown in the list of
>> available WebIDs at the top of the page. The import process, just like the
>> regular creation process, will store your Private Key and Certificate in
>> Flash local storage under the https://webid.digitalbazaar.com domain. Only
>> this domain will be able to access this information. The use of an iframe
>> allows any compliant website to request that https://webid.digitalbazaar.com
>> use TLS and a WebID to authenticate a user without allowing any other
>> website access to the private key.
>> You can test that the WebID works with the JS/Flash demo website here:
>> https://payswarm.com/webid-demo/
>> If you already have a WebID installed in your browser you will be asked to
>> select one using the browser UI even though it isn't the purpose of the
>> demo. This is unavoidable with current browser implementations. However, it
>> does provide the demo website with the opportunity to show that it also
>> supports browser-based WebIDs. The WebID will be authenticated, and on
>> success, its related RDF data will be shown if you click a link at the
>> end of the 'A Note Concerning Browser-Generated WebIDs' section. This shows
>> that you have been identified by your browser WebID. However, this only
>> demonstrates that your browser WebID works, it is not a demonstration of the
>> JS/Flash WebID.
>> To see the JS/Flash WebID demonstration, click the 'Digital Bazaar WebID'
>> provider button. It will bring up that particular WebID provider's
>> (https://webid.digitalbazaar.com) custom interface which should allow you to
>> pick from your available WebIDs. If you created any previous WebIDs using
>> https://webid.digitalbazaar.com/manage then they will be shown here along
>> with any that you previously imported. Select a WebID by clicking its
>> associated 'Select' button. This should do the authentication and take you
>> to the home page of the fake 'socialswarm' website and present you with a
>> message and the RDF data from the associated WebID URL.
>> Exporting from JS/Flash to a Browser:
>> You can also export private keys and certificates generated by the JS/Flash
>> WebID provider. To do this, there exists a Private Key and Certificate link
>> with every WebID that is displayed at:
>> https://webid.digitalbazaar.com/manage/
>> The links will cause the associated PEM-formatted data to be displayed. This
>> information can be copied into two different files: e.g. 'key.pem' and
>> 'cert.pem'. To import these files into a browser like Firefox or Safari, you
>> must wrap them in a PKCS#12 data structure which will store them in a file
>> like: 'example.p12'.
>> To wrap your private key and certificate using openssl you run:
>> openssl pkcs12 -export -in cert.pem -inkey key.pem -out example.p12 -name "<certificate-name>"
>> Where <certificate-name> is the name to display to the user in the browser's
>> UI when selecting a WebID. Once the p12 file is created it can be imported
>> into a browser or an OS key chain using the appropriate method. For Firefox,
>> you can import the p12 file by going to Preferences->Advanced->View
>> Certificates and click 'Import'. Then select 'example.p12'.
>> When you create a p12 file you will be asked to create a password of your
>> choosing. You must enter this password when importing the p12 file to unlock
>> it.
>> This process hasn't been made 'super-easy' yet, but it demonstrates that it
>> is possible to move certificates between a WebID provider that uses JS/Flash
>> and one that doesn't.
>> --
>> Dave Longley
>> CTO
>> Digital Bazaar, Inc.
>> Phone: 540-961-4469
>> _______________________________________________
>> foaf-protocols mailing list
>> foaf-protocols at lists.foaf-project.org
>> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols

Dave Longley
Digital Bazaar, Inc.
Phone: 540-961-4469
