Making an OpenID Provider with SSL

1000 views Asked by At

so I'm currently trying to make an OpenID provider. I've tried using two Java based OpenID server packages- Atlassian's Crowd, and WSO2 Identity Server. Now, in my implementation, security is a must, which means using SSL and having HTTPS based OpenIDs. Now, for both WSO2 and Crowd a large number of sites simply do not work with the OpenIDs provided. Of 20 sites tested, 8 failed with Crowd, and 10 failed with WSO2. This high failure rate is not really acceptable. Virtually every site which has a problem claims that they cannot find an OpenID endpoint.

When I used the OpenIDs without SSL (so HTTP based OpenIDs) suddenly the sites were far more compliant, with only two of them failing. I am using a certificate from AusCERT, so the problem should not be due to self-signed certificates.

At first I thought that this was just a matter of there being a large number of RPs which simply did not accept HTTPS based OpenIDs. I tried logging into the same sites I was failing on with an HTTPS based OpenID from Verisign though, and it worked. Looking closer at both WSO2 and Crowd I discovered that neither completely conformed to OpenID 2.0 specification- in particular, neither of them provide a link in the head to an XRDS document for yadis discovery. Considering that my problem is that sites cannot discover an OpenID endpoint at the URL I give, it seems relevant except that when I do not use SSL the HTML based discovery is sufficient.

Does anyone have any insight as to where my problem really lies? The missing XRDS document seems like it should be relevant, but it could just be a red herring. Baring that, if anyone knows a good alternative to Crowd or WSO2 which is well documented, works well to spec, and is (relatively) easy to configure, it would be nice to know!

1

There are 1 answers

0
Andrew Arnott On BEST ANSWER

One thing to look at is that some Providers' SSL certificates are not signed by root authorities that are considered authoritative by some RPs. Make sure you get your certificate from one that all RPs trust.

If .NET is an option for your provider, check out the free and open source DotNetOpenAuth library, which you can host yourself and is used by some major OPs such as MySpace and netidme.com and others. It's implementation of OpenID 2.0 is complete, it supports the U.S. government ICAM OpenID 2.0 Profile, and has been used for many interoperability, security and compliance tests, and it works with both OpenID 1.1 and 2.0 RPs so you'd be very likely to have good interoperability with many/all RPs. It has a bunch of additional security features that you can just switch on (like requiring HTTPS as you said is a requirement).

(Full disclosure: I wrote DotNetOpenAuth.)