[foaf-protocols] Opera, foaf+ssl and OpenId
Story Henry
henry.story at bblfish.net
Thu Sep 10 15:38:31 CEST 2009
A very interesting howto posted by Peter Williams to the OpenId
mailing list, on how to use Opera client side server, foaf+ssl, and
Toby Inkster's foaf+ssl OpenId server.
Toby's server needs a little bit more work I think: I have not been
able to use it to log into OpenId sites recently. It is a really good
idea though, and would be a great project requiring a little bit more
work, to make it widely usable.
Henry
Begin forwarded message:
> From: Peter Williams <pwilliams at rapattoni.com>
> Date: 9 September 2009 17:12:32 CEST
> To: Melvin Carvalho <melvincarvalho at gmail.com>
> Cc: Toby A Inkster <tai at g5n.co.uk>, "general at openid.net" <general at openid.net>
> Subject: Re: [OpenID] missing the final piece, leveraging openid with foaf+ssl
>
> I updated it, to make it more easily repeatable. Failure points at
> the end.
>
>
>
> Install and configure www.opera.com browser, setting a master
> password. Then
>
>
>
> 1. Install, configure and enable opera unite (makes your browser
> into a web server while you are signed into the opera cloud).
>
> 2. Arm and start your new web server, mapping virtual directory
> "a" to the desktop area of the physical file system
>
> 3. Give virtual folder /a "public" access, and create an
> index.html file. Ensure the public can see your index content at http://*.*.operaunite.com/a
>
>
>
> 4. Use Opera browser's Tools->Preferences->Advanced->Downloads->Add
> to add "application/rdf+xml" for file type of "rdf"
>
> 5. Restart web browser to restart web server.
>
>
>
> 6. Copy xml stream (a foaf file) shown below to new file named
> me.rdf, stored on your desktop
>
> 7. Edit the me.rdf file to change personal attributes values for
> Peter to your values, and replace the homepage URL to use your own
> opera unite hosting URL. (Note how directory /a correctly becomes /a/
> content )
>
>
>
> 8. Use opera to navigate to http://foaf.me/simpleCreateClientCertificate.php
> , and cite your "http://*.*.operaunite.com/a/content/me.rdf#me"
> opera unite url as your webid. Fill out the cert template, put the
> domain name in the cn field (optionally), and remember the cert's
> private key password. Save the resulting .p12 file to desktop with
> file name that has NO #me component (if present in the suggested
> filename).
>
>
>
> 9. Use opera's Tools->Preferences->Advanced->Security->Manage
> Certificates->Import (p12) to arm SSL client certificate support in
> Opera
>
>
>
> 10. In opera, goto https://foaf.me/RDF_Representation_of_a_X.509_Client_Certificate.php
> . Present the client cert, and note the resulting RDF. Find the
> RSAPublicKey in the result, and replace my value with your value...
> in your desktop's me.rdf file.
>
>
>
> 11. In Opera, goto https://foaf.me/simpleLogin.php to try out foaf
> +ssl
>
>
>
> 12. Things are correct if the report has the form as follows:
>
>
>
> FOAF+SSL Simple Login Page
>
> The login Suceeded! Authenticated as: http://*.*.operaunite.com/a/content/me.rdf#me
>
>
>
> Technical Explanation:
>
> SSL Client Certificate: detected!
>
>
>
> Client Certificate Public Key detected! (HEX):
>
> Array
>
> (
>
> [modulus] =>
> DAB11EBD01E48B4BAB9F9088877701583B1E07CF318062ACB27B1EE951A03234071674FFB590903CEAB1F6B9319EB40342A731821E3BC12E975E4A63EA6039D6BC7889DD115E475DB2BA2A3437197E283FAE43FC68BC91098DC25C370A4B6EF53D597FBB58DDEBE6E8321B3435A476B088A9D99E75121FD805F77D79DBF75EA1
>
> [exponent] => 010001
>
> )
>
> Subject Alt Name (FOAF Profile): detected!: http://*.*.operaunite.com/a/content/me.rdf#me
>
>
>
> FOAF Remote Public Key found in http://*.*.operaunite.com/a/content/me.rdf#me:
>
> Array
>
> (
>
> [modulus] =>
> DAB11EBD01E48B4BAB9F9088877701583B1E07CF318062ACB27B1EE951A03234071674FFB590903CEAB1F6B9319EB40342A731821E3BC12E975E4A63EA6039D6BC7889DD115E475DB2BA2A3437197E283FAE43FC68BC91098DC25C370A4B6EF53D597FBB58DDEBE6E8321B3435A476B088A9D99E75121FD805F77D79DBF75EA1
>
> [exponent] => 10001
>
> )
>
>
>
>
>
> 13. Using opera and your client cert, goto https://ophelia.g5n.co.uk:10443/help.cgi
> and confirm the page reports positively (i.e. doesn't say 'The
> help.cgi script wasn't prepared for your setup!' or similar). You
> are ready for openid trials, if so.
>
>
>
> 14. Use your opera unite server to host a vanity openid (e.g. http://homepw.myopenid.com
> ) using the index.rdf file. Add a link tag to the head section of
> the html markup as follows, replacing home.homepw with your own
> opera unite values
>
>
>
> <HEAD>
> <link href="https://ophelia.g5n.co.uk:10443/openid/provider.cgi?webid=http%3a%2f%2fhome.homepw.operaunite.com%2fa%2fcontent%2fme.rdf%23me" rel="openid.server" title="FOAF+SSL OpenID Server" />
> </HEAD>
>
>
>
> 15. Amend the openid identifier in the me.rdf descriptor with your
> opera unite path.
>
>
>
>
>
> 16. Using Opera, navigate to a conforming openid RP: http://www.freexri.com/user/Login/
> . Fill out the openid form field with your openid identifier (whose
> form is http://*.*.operaunite.com/a ). Note if a client cert is
> requested.
>
>
>
> 17. If you apply a spying proxy, note that the RP redirects to
> Location: https://ophelia.g5n.co.uk:10443/openid/provider.cgi?webid=http%3a%2f%2fhome.homepw.operaunite.com%2fa%2fcontent%2fme.rdf%23me&openid.identity=http%3A%2F%2Fhome.homepw.operaunite.com%2Fa%2Fcontent%2F&openid.return_to=http%3A%2F%2Fwww.freexri.com%2Fuser%2FOpenIDEndpoint%3Fopenid.rpnonce%3D2009-09-09T14%253A34%253A55Z0%26openid.rpsig%3D0MLFKxSN3Izq%252B60ZBOSp3l962RATizT6f9mm%252FnS1yDw%253D&openid.trust_root=http%3A%2F%2Fwww.freexri.com%2F&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.type.name=http%3A%2F%2Fschema.openid.net%2Fcontact%2Fname&openid.ext1.if_available=email%2Cname&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.optional=email%2Cname
>
>
>
> That's as far as I can get, as the OP redirects to https://ophelia.g5n.co.uk:10443/openid/error.html
> (after asking for the client cert). I cannot get it show its
> minting an assertion though.
>
>
>
> It doesn't send back an openid assertion to the freexri.com RP, but it
> does have some interesting material (that I don't understand) on
> direct and indirect webids. Indirect seems to be about RP-side name
> linking, so one's long term cert (with a "persistent webid") can map
> onto a current webid at a different location/provider.
>
>
>
>
>
>
>
>
>
> RDF for me.rdf follows:-
>
>
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
>   xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
>   xmlns:foaf="http://xmlns.com/foaf/0.1/"
>   xmlns:rsa="http://www.w3.org/ns/auth/rsa#"
>   xmlns:cert="http://www.w3.org/ns/auth/cert#"
>   xmlns:admin="http://webns.net/mvcb/">
>
>   <foaf:PersonalProfileDocument rdf:about="">
>     <foaf:maker rdf:resource="#me"/>
>     <foaf:primaryTopic rdf:resource="#me"/>
>   </foaf:PersonalProfileDocument>
>
>   <foaf:Person rdf:ID="me">
>     <foaf:nick>homepw</foaf:nick>
>     <foaf:firstName>peter</foaf:firstName>
>     <foaf:givenName>williams</foaf:givenName>
>     <foaf:openid rdf:resource="http://*.*.operaunite.com/a"/>
>     <foaf:homepage rdf:resource="http://*.*.operaunite.com/a/content/me.rdf#me"/>
>   </foaf:Person>
>
>   <!-- The key's cert:identity must name the same WebID ("#me" in this
>        document) that appears in the client certificate's Subject Alt Name. -->
>   <rsa:RSAPublicKey>
>     <cert:identity rdf:resource="#me"/>
>     <rsa:public_exponent cert:decimal="65537"/>
>     <rsa:modulus cert:hex="93F860637CDB801FF62920AA23D41C8FAFD3F98AD21783853B59AEC7AE5F01C834915ECDC00631079EF411781E46B450548B8B1F451431F9FFFB1AD51F6C4A991AEC3E4A9D230E9A5FE7D9DF1991AF06D23757D919AC817AF32E31DE5E99D2C1A34789C4E1F3CF632504C9D664319DEF7BDBA4552E9C0FEC899B93BE95B5744B"/>
>   </rsa:RSAPublicKey>
>
> </rdf:RDF>
>
>
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
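A worked illustration of the check that steps 10 through 12 of the forwarded howto exercise: the relying party takes the RSA modulus and exponent out of the presented client certificate, fetches the profile document named by the certificate's Subject Alternative Name, and looks for an rsa:RSAPublicKey whose cert:identity is that WebID and whose modulus and exponent agree. This is an added example, not code from the original post, from foaf.me, or from Toby Inkster's server. It assumes the profile has already been fetched (it is embedded below as a constructed string in the shape of the me.rdf above, using the modulus printed in the login report), uses the made-up Opera Unite host name home.example.operaunite.com in place of the post's wildcard, and compares the key as integers rather than hex strings, which is why the report's "010001" and "10001" exponents both count as a match.

```python
"""foaf+ssl (WebID) key check: does the RSA key in the presented client
certificate match a key that the WebID's profile document publishes for it?

Added example. Assumptions: the profile document has already been fetched
and is passed in as a string, and the Opera Unite host name is made up.
"""
from urllib.parse import urljoin, urldefrag
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RSA = "http://www.w3.org/ns/auth/rsa#"
CERT = "http://www.w3.org/ns/auth/cert#"

# WebID as it would appear in the certificate's SAN (host name is an assumption).
WEBID = "http://home.example.operaunite.com/a/content/me.rdf#me"
# Modulus copied from the login report in the post above (1024-bit key).
MODULUS_HEX = (
    "DAB11EBD01E48B4BAB9F9088877701583B1E07CF318062ACB27B1EE951A03234"
    "071674FFB590903CEAB1F6B9319EB40342A731821E3BC12E975E4A63EA6039D6"
    "BC7889DD115E475DB2BA2A3437197E283FAE43FC68BC91098DC25C370A4B6EF5"
    "3D597FBB58DDEBE6E8321B3435A476B088A9D99E75121FD805F77D79DBF75EA1"
)

# Constructed profile document (the shape of me.rdf in the post). The hex
# attribute is deliberately wrapped across lines, as it was in the post.
PROFILE = f"""<rdf:RDF xmlns:rdf="{RDF}"
  xmlns:foaf="http://xmlns.com/foaf/0.1/"
  xmlns:rsa="{RSA}" xmlns:cert="{CERT}">
  <foaf:PersonalProfileDocument rdf:about="">
    <foaf:maker rdf:resource="#me"/>
    <foaf:primaryTopic rdf:resource="#me"/>
  </foaf:PersonalProfileDocument>
  <foaf:Person rdf:ID="me">
    <foaf:nick>homepw</foaf:nick>
  </foaf:Person>
  <rsa:RSAPublicKey>
    <cert:identity rdf:resource="#me"/>
    <rsa:public_exponent cert:decimal="65537"/>
    <rsa:modulus cert:hex="{MODULUS_HEX[:128]}
        {MODULUS_HEX[128:]}"/>
  </rsa:RSAPublicKey>
</rdf:RDF>"""


def _number(elem):
    """Integer value of a cert:hex / cert:decimal attribute (the 2009 style
    used in the post) or of element text typed with rdf:datatype cert:hex /
    cert:decimal (the later style). Whitespace inside the value is ignored."""
    try:
        for attr, base in ((f"{{{CERT}}}hex", 16), (f"{{{CERT}}}decimal", 10)):
            val = elem.get(attr)
            if val is not None:
                return int("".join(val.split()), base)
        dtype = elem.get(f"{{{RDF}}}datatype", "")
        if elem.text and dtype in (CERT + "hex", CERT + "decimal"):
            base = 16 if dtype.endswith("hex") else 10
            return int("".join(elem.text.split()), base)
    except ValueError:
        pass
    return None


def profile_keys(rdf_xml, doc_url):
    """Yield (webid, modulus, exponent) for every rsa:RSAPublicKey in the
    profile. A relative cert:identity such as "#me" resolves against the
    document URL, the same way rdf:ID="me" names the foaf:Person."""
    root = ET.fromstring(rdf_xml)
    for key in root.iter(f"{{{RSA}}}RSAPublicKey"):
        ident = key.find(f"{{{CERT}}}identity")
        mod = key.find(f"{{{RSA}}}modulus")
        exp = key.find(f"{{{RSA}}}public_exponent")
        if ident is None or mod is None or exp is None:
            continue
        ref = ident.get(f"{{{RDF}}}resource")
        n, e = _number(mod), _number(exp)
        if ref is None or n is None or e is None:
            continue
        yield urljoin(doc_url, ref), n, e


def verify_webid(san_uri, cert_modulus_hex, cert_exponent_hex, rdf_xml):
    """True when the profile at san_uri (minus its fragment) publishes the
    certificate's key for exactly that WebID. Comparison is numeric, so the
    "010001" and "10001" spellings of 65537 in the report are the same key."""
    doc_url, _fragment = urldefrag(san_uri)
    try:
        cert_n = int(cert_modulus_hex, 16)
        cert_e = int(cert_exponent_hex, 16)
        keys = list(profile_keys(rdf_xml, doc_url))
    except (ValueError, ET.ParseError):
        return False
    return any(webid == san_uri and n == cert_n and e == cert_e
               for webid, n, e in keys)


if __name__ == "__main__":
    ok = verify_webid(WEBID, MODULUS_HEX, "010001", PROFILE)
    print("The login Succeeded! Authenticated as:" if ok else "Login failed:", WEBID)
```

In a real relying party the profile is fetched over HTTP from the SAN URI with the fragment stripped, and the fetch itself is the trust boundary: whoever controls that URL controls which keys authenticate as that WebID, which is exactly why the howto hosts me.rdf on the user's own Opera Unite server.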