An Illusory Intertwingling of Reason and Response

Tech: Yes, I’m a geek. I admit it. At least I’m not a nerd!

Tafel :: tech

Friday, February 08, 2008

Call me ishmael.infiniteplane.com

At long last, I've decided it's time to start serving OpenID. There are enough sites permitting me to log in, comment, and otherwise use and contribute with the protocol that it'd be rather foolish of me not to have an OpenID URI. It's always seemed silly to me, though, to use OpenID — a protocol designed for decentralization — in a centralized manner, procuring an OpenID from some Supreme Arbiter of Identity, when the possibility exists for me to keep my login credentials under my own lock and key.

Enter ishmael.infiniteplane.com (what more fitting name for a server used to establish identity than "Ishmael"?) and phpMyID. phpMyID, despite its rather unfortunate cliché of a "phpMyXYZ" name, is one of the nicest little single-user OpenID scripts available. Since serving one's own OpenID generally involves either rolling one's own with a ponderous array of libraries or installing a large-scale multi-user, database-backed authentication system, I didn't begrudge it the couple of hours spent in the code tweaking.

By default, phpMyID has a couple of — while not actually flaws — less-than-ideal design decisions.

First, it uses (and recommends against changing) a hardcoded HTTP authentication realm. While in a vacuum, that's not too major a difficulty, on a web with a major OpenID component, compromising OpenID servers will become a more lucrative proposition. In the same way one ought to remove easily-queried identifiers such as META Generator tags from CMS software to reduce the likelihood of unpatched vulnerabilities being exploited due to automated identification, a realm of "phpMyID" sent in every authentication header seems to invite malicious vulnerability profiling. Luckily, while the README is ambivalent about the value of such a change, it permits it easily through a configuration variable.

As well, I've made numerous other little changes, such as:

  1. defining an optional CSS file (no reason it has to look ugly)
  2. making it work properly when called as different hostnames, so that a single installation can, via a switch on HTTP_HOST, serve multiple users each with their own identity provider (IdP) hostname.
  3. enabling selection between use of META refreshes and HTTP Refresh headers
  4. optional suppression of filename requirements in IdP URIs
  5. suppression of unnecessary information at the "front gate" for security