Arc Forumnew | comments | leaders | submitlogin
Beginning of an OpenID consumer implemention via Python
5 points by CatDancer 6117 days ago | 5 comments
This is the beginnings of an OpenID consumer implemention for Arc using the JanRain Python OpenID library.

http://catdancer.ws/arc/openid0.tar

Currently it gets to the point of coming back to the Arc powered website and verifying that the user has successfully logged in with their OpenID. To finish the implementation there will need to be a final redirect to get off the return_to page, and to do something useful such as to set a login cookie.

From Arc I shell out to a Python program which calls the JanRain library. This is slow (like the original CGI-BIN programs were slow), but as login pages are probably a small percentage of overall page views maybe you won't care. (If you do care, you could rewrite the code to leave the Python program running in a separate process and use some kind of RPC mechanism to get from Arc to Python and back).

To prevent some kinds of spoofing attacks, on return from the OpenID server the JanRain library checks that the "return_to" query argument is actually the same as the URL that was landed on (the page that is currently being served). The easiest way to get this would probably be to add it to the req data structure in srv.arc; in the meantime I cheat and pass the "return_to" query argument as the current page URL, thus fooling the JanRain library into thinking that the security requirement has been met.

The JanRain library needs to keep two kinds of information across page requests. One is information about and secrets shared with OpenID servers; this information is not associated with any particular user's attempt to login. JanRain provides implementations for this data store (file or SQL), and I simply use the file implementation. The other kind of information is data about a particular user's login attempt, which JanRain recommends storing in a web server session.

Thus at first I thought I'd need to write or use a typical session implementation, but then I realized that the "session" data only needed to be kept for a short time across a few pages (just for during the login attempt), so the data could be stored in an Arc fnid. On the Python side the "session" is serialized into a byte string, which on the Arc side is passed around through fnid's and passed back to Python in the second step of the login process, but is otherwise treated as an opaque value.

To install with arc1, you'll need:

- A working asv (For Linux, you'll need a patch for the date function. You can use Nathan Weizenbaum's patch available in the git respository http://git.nex-3.com/?p=arc.git, or my patch at http://arclanguage.org/item?id=2652)

- Python and the JanRain Python OpenID library (http://openidenabled.com/python-openid/)

- The arc1-tmpfile.patch included in the tar file, which exposes the tmpname function.

As per their security policy Yahoo requires that OpenID consumer sites be running on a standard web port (80 or 443), so to work with Yahoo you'll either need an operating system that lets you give your Arc process the capability to serve port 80, or you'll need to do something like configuring Apache as a reverse proxy server so that you can be running Apache on the front end serving port 80 and passing requests back to your Arc server running on another port such as port 8080.



1 point by immad 6117 days ago | link

I am working on OpenID integration for arc. The OpenID code was written by rtm, using the OpenID perl library.

It works fairly well. I am just putting the Clickpass stuff into it. It will probably be released with arc in the not too distant future, though i am not sure exactly how it will be structured.

-----

1 point by CatDancer 6117 days ago | link

I started out thinking I'd be using Perl (just because I program in Perl a lot), but then it didn't look like any of the Perl OpenID libraries supported OpenID version 2 yet...

How are you integrating with Perl, just out of curiousity?

-----

1 point by immad 6117 days ago | link

Yeah, good point, I hadn't checked for OpenID 2.0 supports.

It was all rtm. The call looks like this:

  (withs (cmd (+ "./yc-openid.pl -1 < " filename)
                stream (pipe-from cmd)
                redir (readline stream)
                canon (readline stream))
           (close stream)
           (rmfile filename)
           (list redir canon))

-----

1 point by CatDancer 6117 days ago | link

Yup, that's essentially the same approach as I'm taking (at least in terms of connecting Arc to another language).

Well, if any of the code I'm writing turns out to be useful to you for your project, you're welcome to make use of it... it's all in the public domain anyway :)

-----

1 point by immad 6117 days ago | link

cool, I got the source. I will see where it helps. Got a few little things to do with mine, I am sure it will be release soonish...

-----