Monday, October 01, 2007

Project Goods

Alright so I've been chipping away at this OpenID thing and I think I know how all this voodoo works.

I could give you the lengthy detailed version of how OpenID works but I'm hungry, so this will be brief like underwear.

A user goes to ilovelemurs.com and is asked to sign in with their OpenID, which is a URI that resembles something like example.com. example.com is any site that acts as an Identity Provider(it doesn't have to be, but I'm not getting into that). ilovelemurs.com then verifies that the user does indeed belong to/owns example.com and lets you in. I will post a purrrty diagram and a more detailed version of how this works later.

What I have to do is make Firefox act/function like example.com (to my knowledge).
I have to somehow make the browser handle the authentication request from consumer sites (sites that support OpenID) and chop out that middle man.


This will be tricky, as I have to somehow make the browser handle GET/POST request like a web server. In-fact the only way I know how to achieve this, is to actually embed a web server into my extension (I'm not even sure if thats possible for security reason).
I'm eyeing this sweet little 4k java web server I found here for the job. If I can get this thing going and implement single user OpenID support on top of it, then I'm rollin'. If for reasons I can't go this route, well then I'm not sure how I can do this? Suggestions?

3 comments:

Mike Beltzner said...

Could you use a chrome:// URI instead of a valid http address, or does the canonicalization of the OpenID token mean that you have to be sitting there listening for web-requests.

I think Sxipper acts as a standalone OP in an XPI, fwiw, so you might want to peek in there. It might just use sxipper.com, though, now that I look more closely at the website ...

asbjornu said...

What about embedding an HTTP server written in JavaScript? http://www.acme.com/software/js_httpd/ probably needs some adaptation to the Mozilla codebase, but it should work.

Though, it sounds like OpenID needs a revision to make the standard more browser-implementation-friendly. You shouldn't have to send much more than an HTTP header to the server requesting OpenID authentication, imo.

cozby said...

@quark: Thx for the heads up. Actually Firefox already has a JS HTTP server in it (who would have known!) - MozJSHTTP. For more info on it check out http://mxr.mozilla.org/mozilla/source/netwerk/test/httpserver/. I've since found out its not possible to do such, the OpenID protocol doesn't allow for it. I'll be posting more about this shortly.