Version 0.9.2 of the Ruby OpenID library has been released. This latest release contains a port of the rails LoginGenerator (OpenIDLoginGenerator) that uses OpenID for authentication. Read more and download the library: http://www.openidenabled.com/openid/libraries/ruby/ http://raa.ruby-lang.org/project/openid/ A bit about OpenID: OpenID is a URL based identity system. An OpenID identity is simply a URL, and all the OpenID specification does is provide a way to securely prove that you own that URL. This sytem opens the door for all kinds of cool things like single-sign-on and cross-site identity usage and verification. The Ruby library exposes an simple interface for verifying OpenID identities. Read more on OpenID: http://www.openid.net/ http://www.openidenabled.com/ http://en.wikipedia.org/wiki/OpenID Thanks, Brian E., Janrain Inc. openidenabled.com brian.myopenid.com
on 2006-01-05 03:03
on 2006-01-05 05:37
OpenID is an exciting system. Glad that there is a implementation for ruby! However i got to ask: Why did you choose to go with camelCase method names? That looks really alien in the ruby world i think... On 1/4/06, Brian E. <firstname.lastname@example.org> wrote: > and all the OpenID specification does is provide a way to securely prove > Thanks, > email@example.com > http://lists.rubyonrails.org/mailman/listinfo/rails > > > -- Tobi http://jadedpixel.com - modern e-commerce software http://typo.leetsoft.com - Open source weblog engine http://blog.leetsoft.com - Technical weblog
on 2006-01-05 23:00
Brian E. wrote: > Read more and download the library: > http://www.openidenabled.com/openid/libraries/ruby/ > http://raa.ruby-lang.org/project/openid/ That's very cool, and similar to a single-sign-on schema I was contemplating. This might just let me do away with user authentication all together, or at least move it to my own identity server. Anybody work on a Rails identity server? :) Before I take the plunge, though, I'm wondering how useful OpenID would be for preventing phishing attacks. I know that the point is to identify the end user to a third-party website, but what provision does the protocol offer to the identity server for verifying that the website is who it claims to be (or, at least, who it claimed to be when you first logged in to it). In other words, if I tell my identity server to always trust foobar.com, what assurance do I have that I'm actually being authenticated by foobar.com? Are there persistent shared secrets between the website and the identity server? And, as a website operator, what happens if those secrets are lost? Thanks for code, keep up the good work. -- Steve
on 2006-01-06 01:18
Steve, On 1/5/06, Steve S. <firstname.lastname@example.org> wrote: > > > That's very cool, and similar to a single-sign-on schema I was > contemplating. > This might just let me do away with user authentication all together, > or at > least move it to my own identity server. Anybody work on a Rails identity > server? :) A server library is in the works, but won't be available for some time. I'll ping the list when it's ready. Before I take the plunge, though, I'm wondering how useful OpenID would be > assurance do I have that I'm actually being authenticated by foobar.com > ? Are > there persistent shared secrets between the website and the identity > server? > And, as a website operator, what happens if those secrets are lost? Persistent shared secrets are stored on the site "consuming" the identities. If for some reason the shared secret is lost, a new shared secret must be created. This exchange is part of the OpenID protocol and covered in the "associate" step: http://www.openid.net/specs.bml#mode-associate The OpenID library will automatically use an existing association with a server if it exists, otherwise it will perform the associate step and store the secret for future requests. Hope this helps, Brian E.