Any simple tutorial to start with ?

[nesiax]

Hello everybody,

I am in the first steps to test pyoidc, I haven't use any single-sign-on method before and I would like to play with it.

Maybe we can begin using the wiki provided within github and publish some howtos.

Let's start with the simple one:

1. A simple webpage that authenticate a user using a pyoid service.
2. Let the pyoidc service works with just a fixed array of [(username,password,someinfo)] with passwords in plain text where the system will just validate the user and return the username and someinfo fields to the webpage of point 1. At this point what happen if the user authentication is not successful ? It will stay asking for password or just return to the webpage of point 1 ?
3. The webpage will print if the user was successfully authenticated and will print it's username and someinfo.

What do you think ?

Next could be:

1. Changing the fixed array and use an existing source like ldap or a relational database.

Then.

1. Integrate pyoidc within wsgi in order to use a high grade web server like nginx with uwsgi.

Then.

1. Remap some fields in order to provide fake information in case of websites that require too much private information.

Does anyone have some literature to read about this topic in a learning by example philosophy ?

Thanks.

[rohe]

29 dec 2014 kl. 15:52 skrev Nestor Diaz notifications@github.com:

Hello everybody,

I am in the first steps to test pyoidc, I haven't use any single-sign-on method before and I would like to play with it.

Maybe we can begin using the wiki provided within github and publish some howtos.

Let's start with the simple one:

• A simple webpage that authenticate a user using a pyoid service.
• Let the pyoidc service works with just a fixed array of [(username,password,someinfo)] with passwords in plain text where the system will just validate the user and return the username and someinfo fields to the webpage of point 1. At this point what happen if the user authentication is not successful ? It will stay asking for password or just return to the webpage of point 1 ?
• The webpage will print if the user was successfully authenticated and will print it's username and someinfo.
What do you think ?

Sounds like a starting point!
If you are prepared to start writing something I’ll give you all the support I can.

Next could be:

• Changing the fixed array and use an existing source like ldap or a relational database.
Then.

• Integrate pyoidc within wsgi in order to use a high grade web server like nginx with uwsgi.
Then.

• Remap some fields in order to provide fake information in case of websites that require too much private information.
Does anyone have some literature to read about this topic in a learning by example philosophy ?

There are some documentation in the pyoidc package that you should read if you haven’t already.

http://pyoidc.readthedocs.org/en/latest/howto/index.html

But that document may only make sense to someone who already knows SSO :-/

— Roland

”Being able to think like a child is an important attribute of being an adult” - Eddie Izzard

[nesiax]

Hi Roland et all, I guess we can start modifying the example from the previous openid implementation which seems to do the job we are planning to do:

https://github.com/openid/python-openid/tree/master/examples

What do you think ?

[rohe]

29 dec 2014 kl. 17:28 skrev Nestor Diaz notifications@github.com:

Hi Roland et all, I guess we can start modifying the example from the previous openid implementation which seems to do the job we are planning to do:

https://github.com/openid/python-openid/tree/master/examples

What do you think ?

I’m not sure the openid example is how single-sign-on normally works so we should
decide on a use case to start with.
Then we could use the server example in oidc_example/op2 and client example in oidc_example/rp3 as a
starting point. Dependent on how close we want to be to the openid example we would have to
sightly modified the existing examples.

— Roland

”Being able to think like a child is an important attribute of being an adult” - Eddie Izzard

[rvedire]

Hi Rohe,
Thanks for the amazing work!
I have started dabbling with the tests and the code, I think I can help in putting a clear tutorial after understanding what I'm doing and what code is doing. I write here, the steps I followed meanwhile expecting what should be the next logical step.

1. I started rp3 test.

• Server runs at 8666 port on localhost
• Open the browser and point to localhost:8666
• Asks me to choose an OP from list (which is empty and drop down doesn;'t work)
  • * Question to you: What I should have been expecting in the drop down list?
• OR write the UID of any UID provider
  • * I write it as my_uid@gmail.com and click Enter. The browser shows an empty page.
  • * Is it because Webfinger failed during OPen ID connect discovery?

2. I started op2 test.
   * server runs on 8092 port
   * Question to you: How to connect rp2 and op2 tests?
3. I started rp2 test.
   * This test should show me the flow of open id connect. But when I enter my UID, browser
   shows an empty page.
   * Question to you: What should have happened here?

Thanks so much!

[rvedire]

Hi rohe,
Sorry for bothering you! Could you please answer the above questions? :-)

Thanks a lot!

[rohe]

Finally got some time to look at this, sorry about the delay !

8 apr 2015 kl. 00:56 skrev rvedire notifications@github.com:

I have started dabbling with the tests and the code, I think I can help in putting a clear tutorial after understanding what I'm doing and what code is doing. I write here, the steps I followed meanwhile expecting what should be the next logical step.

• I started rp3 test.

  • Server runs at 8666 port on localhost
  • Open the browser and point to localhost:8666
  • Asks me to choose an OP from list (which is empty and drop down doesn;'t work)
      • * Question to you: What I should have been expecting in the drop down list?

That depends on what you have in the config.py file.
In that file you have a dictionary named CLIENTS. If you have statically registered your RP with an OP this is
where you would put that information. If you want to use Google for instance this is where you would put
the client_id/client_secret they return to you when you register your RP with them.

The drop down list will contain the key values in CLIENTS except for ””.
”” is the place holder for doing dynamic client registration which some OPs support.
At this time I would say that the majority of OP installations don’t support dynamic client registration.

  • OR write the UID of any UID provider
      • * I write it as @gmail.com and click Enter. The browser shows an empty page.

You can’t do dynamic client registration with Google so this will never work.

      • * Is it because Webfinger failed during Open ID connect discovery?

That is one reason.
Google don’t support Webfinger at this time. They do support dynamic provider configuration discovery
and the url for that is https://accounts.google.com .

Another reason is that what you enter should be an account name or an URL.

Note: This is just an example and does not work today and probably not tomorrow either :-)
Hypothetical; In the google case (iff they supported WebFinger) you would have to enter something like foobar@gmail.com or
https://accounts.google.com/foobar .

• I started op2 test.

• server runs on 8092 port

• Question to you: How to connect rp2 and op2 tests?

  • I started rp2 test.

OK, rp2 test as it is in the example won’t work. Sorry, have to change that!
If you look in the configuration the BASE is given as a http URL.
It MUST be a https URL. Means you have to supply SERVER_KEY and SERVER_CERT in said file.

Once you have that it should work.

• This test should show me the flow of open id connect. But when I enter my UID, browser
  shows and empty page.

The UID should be of the form diana@localhost:8092

• Roland

"It is the consequence of humanity. We are all formed of frailty and error; let us pardon reciprocally each others’ folly - that is the first law of nature.” - Voltaire