Egon Kocjan | 23 Jul 19:31

[OpenID] web server - outgoing connections?

Hello,

I am new to openid, so forgive me if this will sound obvious. Let's say 
I have a web site and I want to support openid, so users of my site will 
be able to log in using their openid url. The trouble I see here is that my 
web server will have to connect to random IPs on the internet as part 
of the authentication process*, am I right? Is there an authentication mode, 
where client's browser does all the outgoing communication?

* why this is a problem:
- I don't want my web server to be used in ddos attacks
- companies that are serious about security usually deny unrestricted 
outgoing connections from servers, so it's also a deployment issue

Thanks,
Egon
Andrew Arnott | 23 Jul 21:53

Re: [OpenID] web server - outgoing connections?

RPs are required to make outgoing HTTP connections, and should use a 'paranoid http library' to mitigate the issue you speak of.

On Wed, Jul 23, 2008 at 10:33 AM, Egon Kocjan <egon <at> krul.ath.cx> wrote:
> Hello,
>
> I am new to openid, so forgive me if this will sound obvious. Let's say
> I have a web site and I want to support openid, so users of my site will
> be able to log in using their openid url. The trouble I see here is that my
> web server will have to connect to random IPs on the internet as part
> of the authentication process*, am I right? Is there an authentication mode,
> where client's browser does all the outgoing communication?
>
> * why this is a problem:
> - I don't want my web server to be used in ddos attacks
> - companies that are serious about security usually deny unrestricted
> outgoing connections from servers, so it's also a deployment issue
>
> Thanks,
> Egon

_______________________________________________
general mailing list
general <at> openid.net
http://openid.net/mailman/listinfo/general
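
Added example, not part of the thread and not taken from any OpenID library: a sketch of the pre-connection check a "paranoid HTTP library" applies to a user-supplied OpenID URL before the RP fetches it. The names `vet_identifier_url` and `BlockedURL`, the port allowlist and the `FAKE_DNS` records are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}  # assumption: local policy, not an OpenID requirement

class BlockedURL(ValueError):
    """The user-supplied identifier URL must not be fetched."""

def system_resolve(host, port):  # OS resolver, returns a list of IP strings
    return [i[4][0] for i in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]

def vet_identifier_url(url, resolve=system_resolve):
    """Return (scheme, host, ip, port) to connect to, or raise BlockedURL."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        raise BlockedURL("malformed URL or port") from exc
    if parts.scheme not in ("http", "https"):
        raise BlockedURL("scheme not allowed")
    if not parts.hostname or parts.username or parts.password:
        raise BlockedURL("missing host or embedded credentials")
    port = (443 if parts.scheme == "https" else 80) if port is None else port
    if port not in ALLOWED_PORTS:
        raise BlockedURL("port not allowed")
    try:
        found = resolve(parts.hostname, port)
        addrs = [ipaddress.ip_address(a.split("%")[0]) for a in found]
    except (OSError, ValueError) as exc:
        raise BlockedURL("host did not resolve") from exc
    # Reject if ANY record is non-public, so a mixed answer cannot pass.
    if not addrs or any(not a.is_global or a.is_multicast for a in addrs):
        raise BlockedURL("host resolves to a non-public address")
    # Caller connects to this ip (Host/SNI = host) so a later lookup cannot swap it.
    return parts.scheme, parts.hostname, str(addrs[0]), port

# Constructed DNS answers so the demo runs offline (not real records).
FAKE_DNS = {"openid.example.org": ["93.184.216.34"],
            "intranet.example.org": ["10.0.0.5"],
            "mixed.example.org": ["93.184.216.34", "127.0.0.1"]}

def fake_resolve(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror("no such host (constructed resolver)")
    return FAKE_DNS[host]

if __name__ == "__main__":
    print(vet_identifier_url("https://openid.example.org/egon", fake_resolve))
```

A fetcher built on this check would also turn off automatic redirects and run the same check on every redirect target, and cap response size and total time.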

Peter Williams | 23 Jul 22:09

Re: [OpenID] web server - outgoing connections?

If a "backchannel" xrds source sends back a 401, seeking back channel authentication, is it a) conforming
to do so b) conforming to respond?

If the xrds source seeks to upgrade an established tcp connection to https (using http 1.1 signals), is it
conforming to ask/respond?

________________________________
From: Andrew Arnott <andrewarnott <at> gmail.com>
Sent: Wednesday, July 23, 2008 12:56 PM
To: Egon Kocjan <egon <at> krul.ath.cx>
Cc: general <at> openid.net <general <at> openid.net>
Subject: Re: [OpenID] web server - outgoing connections?

RPs are required to make outgoing HTTP connections, and should use a 'paranoid http library' to mitigate
the issue you speak of.

On Wed, Jul 23, 2008 at 10:33 AM, Egon Kocjan <egon <at> krul.ath.cx> wrote:
> Hello,
>
> I am new to openid, so forgive me if this will sound obvious. Let's say
> I have a web site and I want to support openid, so users of my site will
> be able to log in using their openid url. The trouble I see here is that my
> web server will have to connect to random IPs on the internet as part
> of the authentication process*, am I right? Is there an authentication mode,
> where client's browser does all the outgoing communication?
>
> * why this is a problem:
> - I don't want my web server to be used in ddos attacks
> - companies that are serious about security usually deny unrestricted
> outgoing connections from servers, so it's also a deployment issue
>
> Thanks,
> Egon

James Tindall | 25 Jul 16:03

[OpenID] AX and Pape extension support?

Can anyone point me to an OP that supports AX or Pape (only anti 
phishing needed)?

myopenid.com lists both AX and Pape (anti phishing) as supported type 
uris in discovered OpenID xrds but doesn't seem to actually fulfill 
either of them?

Thanks,

=James.Tindall
Prabath Siriwardena | 28 Jul 20:57

Re: [OpenID] AX and Pape extension support?

You can try the OpenID Provider available with WSO2 Identity Solution.

This supports both PAPE and AX.

This is free and open source, available to download from here[1].

We have hosted it at https://is.test.wso2.org for interop testing.

Thanks & regards.
- Prabath

[1]: http://wso2.org/projects/solutions/identity

On Fri, Jul 25, 2008 at 7:33 PM, James Tindall <james <at> atomless.com> wrote:
> Can anyone point me to an OP that supports AX or Pape (only anti
> phishing needed)?
>
> myopenid.com lists both AX and Pape (anti phishing) as supported type
> uris in discovered OpenID xrds but doesn't seem to actually fulfill
> either of them?
>
> Thanks,
>
> =James.Tindall