Forum: Ruby on Rails [ANN] Ruby OpenID library and OpenIDLoginGenerator

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
2b5b1bac34d7d1bd326d51fae39464a4?d=identicon&s=25 Brian Ellin (Guest)
on 2006-01-05 02:03
(Received via mailing list)
Version 0.9.2 of the Ruby OpenID library has been released.  This latest
release contains a port of the rails LoginGenerator
(OpenIDLoginGenerator)
that uses OpenID for authentication.

Read more and download the library:
http://www.openidenabled.com/openid/libraries/ruby/
http://raa.ruby-lang.org/project/openid/

A bit about OpenID:
OpenID is a URL based identity system. An OpenID identity is simply a
URL,
and all the OpenID specification does is provide a way to securely prove
that you own that URL.  This sytem opens the door for all kinds of cool
things like single-sign-on and cross-site identity usage and
verification.
The Ruby library exposes an simple interface for verifying OpenID
identities.

Read more on OpenID:
http://www.openid.net/
http://www.openidenabled.com/
http://en.wikipedia.org/wiki/OpenID

Thanks,

Brian Ellin, Janrain Inc.
openidenabled.com
brian.myopenid.com
Df040ca3576504b24a73744179903277?d=identicon&s=25 Tobias Luetke (Guest)
on 2006-01-05 04:37
(Received via mailing list)
OpenID is an exciting system. Glad that there is a implementation for
ruby!

However i got to ask: Why did you choose to go with camelCase method
names?
That looks really alien in the ruby world i think...

On 1/4/06, Brian Ellin <brianellin@gmail.com> wrote:
> and all the OpenID specification does is provide a way to securely prove
>  Thanks,
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
>
>


--
Tobi
http://jadedpixel.com    - modern e-commerce software
http://typo.leetsoft.com - Open source weblog engine
http://blog.leetsoft.com - Technical weblog
20381b12339f505894d6cff38d4696ca?d=identicon&s=25 Steve Sloan (Guest)
on 2006-01-05 22:00
(Received via mailing list)
Brian Ellin wrote:
> Read more and download the library:
> http://www.openidenabled.com/openid/libraries/ruby/
> http://raa.ruby-lang.org/project/openid/

That's very cool, and similar to a single-sign-on schema I was
contemplating.
   This might just let me do away with user authentication all together,
or at
least move it to my own identity server.  Anybody work on a Rails
identity
server? :)

Before I take the plunge, though, I'm wondering how useful OpenID would
be for
preventing phishing attacks.  I know that the point is to identify the
end
user to a third-party website, but what provision does the protocol
offer to
the identity server for verifying that the website is who it claims to
be (or,
at least, who it claimed to be when you first logged in to it).

In other words, if I tell my identity server to always trust foobar.com,
what
assurance do I have that I'm actually being authenticated by foobar.com?
Are
there persistent shared secrets between the website and the identity
server?
And, as a website operator, what happens if those secrets are lost?

Thanks for code, keep up the good work.

-- Steve
2b5b1bac34d7d1bd326d51fae39464a4?d=identicon&s=25 Brian Ellin (Guest)
on 2006-01-06 00:18
(Received via mailing list)
Steve,

On 1/5/06, Steve Sloan <steve@finagle.org> wrote:
>
>
> That's very cool, and similar to a single-sign-on schema I was
> contemplating.
>    This might just let me do away with user authentication all together,
> or at
> least move it to my own identity server.  Anybody work on a Rails identity
> server? :)


A server library is in the works, but won't be available for some time.
I'll ping the list when it's ready.


Before I take the plunge, though, I'm wondering how useful OpenID would
be
> assurance do I have that I'm actually being authenticated by foobar.com
> ?  Are
> there persistent shared secrets between the website and the identity
> server?
> And, as a website operator, what happens if those secrets are lost?


Persistent shared secrets are stored on the site "consuming" the
identities.  If for some reason the shared secret is lost, a new shared
secret must be created.  This exchange is part of the OpenID protocol
and
covered in the "associate" step:

http://www.openid.net/specs.bml#mode-associate

The OpenID library will automatically use an existing association with a
server if it exists, otherwise it will perform the associate step and
store
the secret for future requests.

Hope this helps,
Brian Ellin
This topic is locked and can not be replied to.