What is OpenID?


"Imagine a web where you never have to log in again. Oh sure, we've had browsers attempting to solve the problem by remembering passwords. Keychains to collect all your passwords in one place. There's a better way now. A way without having to write down passwords and without having to change them every few months."


"OpenID uses a URL as your identity. The URL defines you. Whenever a site needs to authenticate you are who you say you are, it goes to the URL for that information. Instead of a login and password, you get one button that effectively says 'Let me in'. "


Quoted from: http://www.webmonkey.com/tutorial/OpenID_for_Dummies


How to set up your own OpenID URL!


   References - Sam Ruby and Simon Willison

   

   First I'm going to show you the easy way to use your server's URL as
   an OpenID. First get an OpenID at VeriSign (https://pip.verisignlabs.com). Then insert
   these two lines in the <head> section of your index document.


 <link rel="openid.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://[username].pip.verisignlabs.com" />
<link rel="openid2.provider" href="http://pip.verisignlabs.com/server" />
<link rel="openid2.local_id" href="http://[username].pip.verisignlabs.com" />
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/[username]/yadisxrds" />

[username] is your unique PIP username.


   Now that you have an OpenID, you can use it to log in to all sorts of sites. Find
   their OpenID login form and enter your new OpenID, which is now the URL of your website.


Now, if you want your own OpenID server, see below:


Why Use it?

  • The whole point of OpenID is to allow you to manage your own identity, and phpMyID lets you do that without giving control to a third party.
  • It's easy to install and easy to configure. Edit just a few lines in your config file, and you're off and running!
  • Allows "Smart Mode OpenID" (more secure) transactions, even if you don't have a "big math" library available. Seriously, phpMyID comes with a pure-PHP math library which can be used if you want to demand that extra level of security.
  • Ensures secure password transmission even if you don't have SSL! By using HTTP Digest authentication, phpMyID ensures your password is never sent or stored anywhere in clear or decipherable text.


   Anyone can set up an OpenID provider, because it is a decentralised system.
   You can use phpMyID to run your own server and it only uses a couple of files.
   I had to find a workaround, because my hosting server didn't show the
   "expected authorization headers." So here is the way I installed phpMyID.


   phpMyID can be installed on just about any PHP server. It is recommended that
   you use a server that you own and control.

1) Decide how you want to install phpMyID. It requires at least two files, and
   can be installed in a number of ways. The two files you will be uploading
   are:

   MyID.php        The application library

   MyID.config.php    This is the file you'll be visiting in your browser
            It contains your user profile, creds, and options

   Two suggestions for installation are:

   a) Don't bother renaming the files because there's no reason to,
       installing in the root directory
   b) Rename MyID.config.php to index.php and plan to
       install phpMyID in a new directory - http://your-server/id/
  
2) We are going to go with option b) for installation of phpMyID. Rename
   MyID.config.php to index.php. Now we are going to upload these three
   files (MyID.php, index.php, htaccess). That's right, just upload 'em, you
   shouldn't have edited them yet. Put 'em wherever you want. I suggest
   http://your-server/id/, but you can do whatever you need to make them web
   accessible, as long as you can figure out what the URL should be.

   Here is what your http://your-server/id/ directory should look like:
MyID.php    index.php    htaccess

3) Visit your config file (http://your-server/id/index.php) in a web browser. You
   should see a message that says "This is an OpenID server endpoint.", and
   you should also see a "Server" URL, and a "Realm" string.

   If you don't see all of these things, proceed to the Troubleshooting section
   of this document. If you see "Missing expected authorization header.", then
   follow the instructions in 3b).

3b) I had to do it this way because I use a hosting site and I wasn't going to put
   a .htaccess file in the root directory just to get this to work without knowing
   what it does. So I just put everything into a new directory. If you received this
   error: "Missing expected authorization header.", then rename the file htaccess to
   .htaccess and use Option 1, see below. Re-upload it to the http://your-server/id/
   directory. Your .htaccess file should look like this:

# If you are running PHP in CGI mode you will need to add one set of these
# directives to your .htaccess file, or your virtualhost configuration.
#
# The easiest way to do so is to simply rename this file ".htaccess"

# Option 1, mod_rewrite (req)
RewriteEngine on
RewriteCond %{HTTP:Authorization} !^$
RewriteCond %{QUERY_STRING} openid.mode=authorize
RewriteCond %{QUERY_STRING} !auth=
RewriteCond %{REQUEST_METHOD} =GET
RewriteRule (.*) %{REQUEST_URI}?%{QUERY_STRING}&auth=%{HTTP:Authorization} [L]

# Option 2, mod_rewrite (env)
#RewriteEngine on
#RewriteRule \.php$ - [E=PHP_AUTH_DIGEST:%{HTTP:Authorization},L]

# Option 3, mod_setenvif
#SetEnvIf Authorization "(.*)" PHP_AUTH_DIGEST=$1


4) If your "Realm" is anything other than the string 'phpMyID' (like say, if it
   has a number after it) then make note of the value. This means that PHP is
   running in "safe mode," and while I disagree with the reason *why* PHP
   changes the realm, there's nothing I can do about it.

   If you want to change this to some custom value (pointless to do so, but if
   it makes you happy, you can) just edit the "auth_realm" key in your config
   file so it reads as whatever you want. Remember, however, that you need to
   double check your realm value by visiting MyID.config.php in a browser after
   you make the change (and upload it).

   The important part is to keep the "realm" you see in your browser handy.

5) Now you get to decide your login name and password. This is what you will use
   to authenticate yourself to phpMyID. Your login name can be anything you
   like.

   To create your password, you will need an MD5 hashing utility. If you are a
   Linux or OSX user, you can use openssl. Simply open a terminal and type:

    $ echo -n 'username:realm:password' | openssl md5

   For OS/2 users, download pmdigest.zip from http://hobbes.nmsu.edu/, and create
   a file with these contents:  username:realm:password

        example:  greggory:phpMyID:123456

   Any comments on an easier way on OS/2 are welcome!

   If you are a Windows user, and do not already have an MD5 hashing tool, one
   is available at http://siege.org/projects/phpMyID/md5.exe . To use it,
   download the exe, and open a cmd session. Here's an example of how it works:

    C:\Documents and Settings\cniemira>cd Desktop
    C:\Documents and Settings\cniemira\Desktop>md5.exe -d"username:realm:password"

   In either case, make sure to substitute your username and password where
   indicated. You must also substitute "realm" for your authentication realm as
   determined in step 4. The resulting output, which will be a long alphanumeric
   string, is your "Digest Password" that must now be entered into your config
   file in the 'auth_password' field. While you're at it, enter the username you
   just used as the 'auth_username' key.

   Note that the default username and password are both "test," and were encoded
   with the realm "phpMyID". That means you can probably test logging in right
   off the bat as 'test'/'test' (assuming your server is not running in safe
   mode).

6) Upload your index.php file again, replacing the one that was already there.
   This is what my index.php file looks like:

<?php
// IF YOU HAVE NOT DONE SO, PLEASE READ THE README FILE FOR DIRECTIONS!!!
/**
 * phpMyID - A standalone, single user, OpenID Identity Provider
 *
 * @package phpMyID
 * @author CJ Niemira <siege (at) siege (dot) org>
 * @copyright 2006-2008
 * @license http://www.gnu.org/licenses/gpl.html GNU Public License
 * @url http://siege.org/projects/phpMyID
 * @version 2
 */
/**
 * User profile
 * @name $profile
 * @global array $GLOBALS['profile']
 */
$GLOBALS['profile'] = array(
    # Basic Config - Required
    'auth_username'    =>     'gregory',            # Replace with your username
    'auth_password' =>    '123456789123456',        # Replace with your MD5 hash

    # Optional Config - Please see README before setting these
#    'microid'    =>    array('mailto:user@site', 'http://delegator'),
#    'pavatar'    =>    'http://your.site.com/path/pavatar.img',

    # Advanced Config - Please see README before setting these
#    'allow_gmp'    =>    false,
#    'allow_test'    =>     false,
#    'allow_suhosin'    =>    false,
    'auth_realm'    =>    'phpMyID',
#    'force_bigmath'    =>    false,
    'idp_url'    =>    'http://os2notes.com/id/',    # Your install directory
#    'lifetime'    =>    1440,
#    'paranoid'    =>    false, # EXPERIMENTAL
    # Debug Config - Please see README before setting these
#    'debug'        =>    false,
#    'logfile'    =>    '/tmp/phpMyID.debug.log',
);
/**
 * Simple Registration Extension
 * @name $sreg
 * @global array $GLOBALS['sreg']
 */
$GLOBALS['sreg'] = array (                           # Fill in your info
    'nickname'        => 'Greggory',
    'email'            => 'Gxxxxxx@gmail.com',
    'fullname'        => 'Greggory Shaw',
    'dob'            => '19xx-MM-DD',
    'gender'        => 'M',
    'postcode'        => '395xx',
    'country'        => 'US',
    'language'        => 'en',
#    'timezone'        => 'America/New_York'
);
require('MyID.php');
?>


   Visit your config file in a browser again, or refresh the current page. The
   output shouldn't change, you're just looking to be sure there are no errors.

   Be certain that the 'Realm' listed exactly matches the value you used when
   you created your password hash in step 5.

   Click 'Login' - you should be redirected a couple of times and then presented
   with a login dialogue box. Enter your username and password and click ok.
   Again, you should be bounced around for a sec, then get a message which says
   you're logged in as whoever your username is.

   If you can't log in, if you get an error, or if it doesn't work in some other
   way, proceed to the Troubleshooting section. First try restarting your browser!
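
   Steps 5 and 6 only work if the hash was built from exactly the realm the server announces. The Python sketch below is an added example, not part of phpMyID or the original write-up: it computes the 'auth_password' value and shows how an RFC 2617 Digest response is derived from it. It assumes qop=auth; the nonce values and the realm "phpMyID-1000" are constructed samples.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_password(username: str, realm: str, password: str) -> str:
    """Value for 'auth_password': MD5 of 'username:realm:password' (HA1 in RFC 2617)."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' for qop=auth; built from HA1, never from the clear password."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def login_succeeds(stored_ha1, username, realm, password, **challenge):
    """The browser builds HA1 from the announced realm; the server uses the stored HA1."""
    from_browser = digest_response(digest_password(username, realm, password), **challenge)
    from_server = digest_response(stored_ha1, **challenge)
    return hmac.compare_digest(from_browser, from_server)

def diagnose(stored_ha1, username, announced_realm, password):
    """Explain why a stored hash does not match what the browser will compute."""
    if stored_ha1 == digest_password(username, announced_realm, password):
        return "ok"
    if stored_ha1 == md5_hex(f"{username}:{announced_realm}:{password}\n"):
        return "hashed with a trailing newline (echo without -n)"
    return "username, realm or password differs from the hashed values"

# Constructed sample challenge, not taken from a real installation.
CHALLENGE = dict(method="GET", uri="/id/index.php", nonce="constructed-nonce",
                 nc="00000001", cnonce="constructed-cnonce")

if __name__ == "__main__":
    stored = digest_password("greggory", "phpMyID", "123456")
    print(stored)                                                                     # goes in 'auth_password'
    print(login_succeeds(stored, "greggory", "phpMyID", "123456", **CHALLENGE))       # realm matches
    print(login_succeeds(stored, "greggory", "phpMyID-1000", "123456", **CHALLENGE))  # realm differs
    print(diagnose(md5_hex("greggory:phpMyID:123456\n"), "greggory", "phpMyID", "123456"))
```

   Because a valid response is computed from the stored hash alone, the 'auth_password' value is as sensitive as the password itself, so keep the config file readable only by the web server.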


7) Now the "Server" URL is your Identity Provider. This is the URL you must link
   as your openid.server and openid.delegate.

   The preferred way of setting this up is to determine the URL you wish to
   authenticate as (e.g., "http://os2notes.com", in my case), and add the
   following to the HTML <head> section for that document - index.php:

    <link rel="openid.server" href="http://os2notes.com/id/">
    <link rel="openid.delegate" href="http://os2notes.com/id/">

   Remember, BOTH the openid.server and openid.delegate values should be set to
   the same thing.

   You may now use your URL with OpenID (e.g., "http://os2notes.com" in my case).
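
   The two tags from step 7 decide which server vouches for your URL, so it is worth checking what your published page actually declares. The Python check below is an added example, not part of phpMyID or the original write-up. It reads the openid.* and openid2.* link tags from the <head> and compares them with the values you expect; the sample page markup is constructed around the step 7 tags.

```python
from html.parser import HTMLParser

class OpenIDLinks(HTMLParser):
    """Collect openid.* and openid2.* <link> targets declared inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # an unclosed <head> ends where <body> starts
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            for rel in (attr.get("rel") or "").lower().split():
                if rel.startswith(("openid.", "openid2.")):
                    self.links.setdefault(rel, []).append(attr.get("href") or "")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_delegation(html, expected):
    """Return a list of problems; an empty list means the page delegates as expected."""
    parser = OpenIDLinks()
    parser.feed(html)
    problems = []
    for rel, want in expected.items():
        found = parser.links.get(rel, [])
        if not found:
            problems.append(f"{rel}: not declared in <head>")
        elif len(found) > 1:
            problems.append(f"{rel}: declared {len(found)} times")
        elif found[0] != want:
            problems.append(f"{rel}: points to {found[0]}, expected {want}")
    for rel in sorted(set(parser.links) - set(expected)):
        problems.append(f"{rel}: unexpected declaration")
    return problems

# Values from step 7; the surrounding page markup is constructed for the example.
EXPECTED = {"openid.server": "http://os2notes.com/id/",
            "openid.delegate": "http://os2notes.com/id/"}
SAMPLE_PAGE = """<html><head><title>os2notes</title>
<link rel="openid.server" href="http://os2notes.com/id/">
<link rel="openid.delegate" href="http://os2notes.com/id/">
</head><body>Hello</body></html>"""
```

   Call check_delegation() with the HTML of your own index document and your own expected URLs; any entry in the returned list names the tag that needs attention.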