Greetings.
I'm happy to announce that we have moved our new OpenID identity provider (fas-openid) into production and it's ready for general use.
OpenID allows you to use an existing identity (like a Fedora Project account) on sites or applications that support OpenID authentication.
Fedora Project account holders can use this openid identity provider by specifying:
username.id.fedoraproject.org
on any OpenID enabled relying party application. (Where 'username' is your Fedora Account system login).
More information is available at:
https://fedoraproject.org/wiki/OpenID
Code for this provider (under GPLv2+) is available at:
https://github.com/fedora-infra/fas-openid
Please report any issues or problems to the Fedora infrastructure trac: https://fedorahosted.org/fedora-infrastructure/newticket
Many thanks to Patrick Uiterwijk for all the hard work on expanding and reimplementing this service.
kevin
_______________________________________________ devel-announce mailing list devel-announce@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel-announce
can I use my existing openid? kurt.seifried.org.
-Kurt
On Tue, Mar 5, 2013 at 5:19 PM, Kevin Fenzi kevin@scrye.com wrote:
Greetings.
I'm happy to announce that we have moved our new OpenID identity provider (fas-openid) into production and it's ready for general use.
OpenID allows you to use an existing identity (like a Fedora Project account) on sites or applications that support OpenID authentication.
Fedora Project account holders can use this openid identity provider by specifying:
username.id.fedoraproject.org
on any OpenID enabled relying party application. (Where 'username' is your Fedora Account system login).
More information is available at:
https://fedoraproject.org/wiki/OpenID
Code for this provider (under GPLv2+) is available at:
https://github.com/fedora-infra/fas-openid
Please report any issues or problems to the Fedora infrastructure trac: https://fedorahosted.org/fedora-infrastructure/newticket
Many thanks to Patrick Uiterwijk for all the hard work on expanding and reimplementing this service.
kevin
On 2013-3-6 at 2:40 PM, "Kurt Seifried" kurt@seifried.org wrote:
can I use my existing openid? kurt.seifried.org.
Maybe only yourname.id.fp.o?
On Tue, 2013-03-05 at 23:39 -0700, Kurt Seifried wrote:
can I use my existing openid? kurt.seifried.org.
If you run your own openid server then of course you can use your openid to log in on websites that require *an* openid (ask.fp.o, stackoverflow, pypi...). However, in the future, a number of the Fedora-specific web applications will require you to log in using your Fedora-specific openid; there, another openid than the one provided by fas-openid simply won't work.
Pierre
On Wed, 06 Mar 2013 08:32:27 +0100 Pierre-Yves Chibon pingou@pingoured.fr wrote:
On Tue, 2013-03-05 at 23:39 -0700, Kurt Seifried wrote:
can I use my existing openid? kurt.seifried.org.
If you run your own openid server then of course you can use your openid to log in on websites that require *an* openid (ask.fp.o, stackoverflow, pypi...). However, in the future, a number of the Fedora-specific web applications will require you to log in using your Fedora-specific openid; there, another openid than the one provided by fas-openid simply won't work.
To expand on that, openid allows for 'extensions' and we will likely use some with our applications. In particular an extension to know if the identity has signed the FPCA, or if the identity is in a particular group.
If you want better technical background on openid, Patrick did an excellent classroom session on it not long ago for us:
http://meetbot.fedoraproject.org/fedora-classroom/2013-02-22/fas-openid-clas...
kevin
On 05/03/13 10:39 PM, Kurt Seifried wrote:
can I use my existing openid? kurt.seifried.org.
That's not really a question that makes sense. Fedora runs an OpenID provider which gives you an OpenID associated with your 'Fedora identity' - ultimately, it's backed by your FAS account. Your own OpenID is a completely different identity. The idea of 'using' your 'existing' OpenID with Fedora's OpenID provider is just not an idea that is compatible with how OpenID works.
----- Original Message -----
On 05/03/13 10:39 PM, Kurt Seifried wrote:
can I use my existing openid? kurt.seifried.org.
That's not really a question that makes sense. Fedora runs an OpenID provider which gives you an OpenID associated with your 'Fedora identity' - ultimately, it's backed by your FAS account. Your own OpenID is a completely different identity. The idea of 'using' your 'existing' OpenID with Fedora's OpenID provider is just not an idea that is compatible with how OpenID works.
A lot of OpenID-aware sites offer you the possibility to bind your OpenID with the local account. And yes, sometimes it leads to strange results (based on how badly you implemented it). Last time I tried it with one local e-shop I ended up in some account limbo ;-)
R.
-- Adam Williamson Fedora QA Community Monkey IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora http://www.happyassassin.net
On Wed 06 Mar 2013 09:24:02 AM EST, Jaroslav Reznik wrote:
----- Original Message -----
On 05/03/13 10:39 PM, Kurt Seifried wrote:
can I use my existing openid? kurt.seifried.org.
That's not really a question that makes sense. Fedora runs an OpenID provider which gives you an OpenID associated with your 'Fedora identity' - ultimately, it's backed by your FAS account. Your own OpenID is a completely different identity. The idea of 'using' your 'existing' OpenID with Fedora's OpenID provider is just not an idea that is compatible with how OpenID works.
A lot of OpenID-aware sites offer you the possibility to bind your OpenID with the local account. And yes, sometimes it leads to strange results (based on how badly you implemented it). Last time I tried it with one local e-shop I ended up in some account limbo ;-)
I encountered an issue recently with pypi.org, where it was treating http://sgallagh.id.fedoraproject.org and https://sgallagh.id.fedoraproject.org as separate accounts (up to a point where they were causing tracebacks because they shared the same email address).
So lesson learned: always drop the protocol prefix.
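An added example, not part of the original thread: a sketch of the identifier normalization in OpenID 2.0 section 7.2, showing why a relying party that keys accounts on the normalized identifier sees the http and https forms as two identities while a scheme-less input collapses onto the http one. The function names and the login list are constructed for illustration, and discovery redirects are assumed not to change the identifier.

```python
from urllib.parse import urlsplit, urlunsplit

XRI_PREFIXES = "=@+$!("  # XRI global context symbols; XRIs are passed through

def normalize_identifier(user_input):
    """Normalize what the user typed, following OpenID 2.0 section 7.2."""
    ident = user_input.strip()
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident and ident[0] in XRI_PREFIXES:
        return ident
    # No scheme typed: the specification prepends http://, never https://.
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    default_port = {"http": 80, "https": 443}[parts.scheme]
    netloc = parts.hostname or ""          # urlsplit lowercases the host
    if parts.port not in (None, default_port):
        netloc += f":{parts.port}"
    # The fragment is dropped and an empty path becomes "/".
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))

def group_by_claimed_id(logins):
    """Group raw login inputs by the identifier a relying party would store."""
    accounts = {}
    for raw in logins:
        accounts.setdefault(normalize_identifier(raw), []).append(raw)
    return accounts

# Constructed inputs: the three ways the same user might type the identity.
CONSTRUCTED_LOGINS = [
    "sgallagh.id.fedoraproject.org",
    "http://sgallagh.id.fedoraproject.org",
    "https://sgallagh.id.fedoraproject.org",
]

if __name__ == "__main__":
    for claimed_id, raw_inputs in group_by_claimed_id(CONSTRUCTED_LOGINS).items():
        print(claimed_id, "<-", raw_inputs)
```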
On 06/03/13 06:41 AM, Stephen Gallagher wrote:
I encountered an issue recently with pypi.org, where it was treating http://sgallagh.id.fedoraproject.org and https://sgallagh.id.fedoraproject.org as separate accounts (up to a point where they were causing tracebacks because they shared the same email address).
So lesson learned: always drop the protocol prefix.
The Verge does the same...the lesson I chose to learn was just to always use https, though.
On Wed, Mar 06, 2013 at 07:21:49PM -0800, Adam Williamson wrote:
On 06/03/13 06:41 AM, Stephen Gallagher wrote:
I encountered an issue recently with pypi.org, where it was treating http://sgallagh.id.fedoraproject.org and https://sgallagh.id.fedoraproject.org as separate accounts (up to a point where they were causing tracebacks because they shared the same email address).
So lesson learned: always drop the protocol prefix.
The Verge does the same...the lesson I chose to learn was just to always use https, though.
Note -- I made the same decision but I found out from puiterwijk that that should be raising an error in the relying party (the website asking that you auth with fedora's openid). The reason? We don't have SSL certificates for all possible [username].id.fedoraproject.org domains.
In practice I never encountered a site that worked with our http:// identities but not our https:// identities. Makes you wonder about quality of implementations a bit....
-Toshio
Once upon a time, Toshio Kuratomi a.badger@gmail.com said:
Note -- I made the same decision but I found out from puiterwijk that that should be raising an error in the relying party (the website asking that you auth with fedora's openid). The reason? We don't have SSL certificates for all possible [username].id.fedoraproject.org domains.
https://[username].id.fp.o uses a wildcard SSL cert for *.fp.o, but in SSL wildcard matching, a "*" does not match a ".". This means that id.fp.o is matched with *.fp.o, but [username].id.fp.o is not.
There would have to be an SSL cert for *.id.fp.o, which would mean DNS for *.id.fp.o couldn't CNAME to wildcard.fp.o, or the wildcard.fp.o server and all SSL-using clients trying to access *.id.fp.o would have to support TLS SNI.
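An added example, not part of the original thread: a minimal matcher for the wildcard rule described above, where "*" stands for exactly one left-most DNS label. The function names and certificate name lists are constructed for illustration (with fp.o written out as fedoraproject.org), and only whole-label wildcards are handled.

```python
def wildcard_matches(pattern, hostname):
    """Return True if a certificate name covers hostname.

    A "*" is accepted only as the entire left-most label and stands for
    exactly one label, so it never spans a "." in the hostname.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                      # "*" cannot absorb extra labels
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def covering_name(hostname, cert_names):
    """Return the first certificate name that covers hostname, or None."""
    for name in cert_names:
        if wildcard_matches(name, hostname):
            return name
    return None

# Constructed name lists modelling the two certificates discussed above.
SITE_WIDE_CERT = ["*.fedoraproject.org", "fedoraproject.org"]
ID_SUBDOMAIN_CERT = ["*.id.fedoraproject.org"]

def audit(hostnames, cert_names):
    """Map each hostname to the covering certificate name (None = mismatch)."""
    return {host: covering_name(host, cert_names) for host in hostnames}

if __name__ == "__main__":
    hosts = ["id.fedoraproject.org", "sgallagh.id.fedoraproject.org"]
    print("site-wide cert:", audit(hosts, SITE_WIDE_CERT))
    print("id subdomain cert:", audit(hosts, ID_SUBDOMAIN_CERT))
```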
On 06/03/13 06:24 AM, Jaroslav Reznik wrote:
----- Original Message -----
On 05/03/13 10:39 PM, Kurt Seifried wrote:
can I use my existing openid? kurt.seifried.org.
That's not really a question that makes sense. Fedora runs an OpenID provider which gives you an OpenID associated with your 'Fedora identity' - ultimately, it's backed by your FAS account. Your own OpenID is a completely different identity. The idea of 'using' your 'existing' OpenID with Fedora's OpenID provider is just not an idea that is compatible with how OpenID works.
A lot of OpenID-aware sites offer you the possibility to bind your OpenID with the local account. And yes, sometimes it leads to strange results (based on how badly you implemented it). Last time I tried it with one local e-shop I ended up in some account limbo ;-)
Sure, but that's not at all the same thing as 'using' an OpenID with *another* OpenID. That's not a concept that makes any sense. Linking an OpenID with an account for some service makes perfect sense; it's really just saying 'I declare that this OpenID should be able to authenticate to this account'. It would be a Possible Thing for Fedora to say 'you can log in to Fedora services using third-party OpenIDs'. We don't do that now, but we could. But there's no way we could say 'you can use your external OpenID with your Fedora OpenID'. It's like when you try to use the rubber duck with the chewing gum in an adventure game, or something. The protagonist will just look at you funny and pass a sarcastic remark. ;)
(Random thought: Wordpress both acts as an OpenID provider and allows you to log in via OpenID. I have not yet been brave enough to see what happens if I try to log in to my blog using the OpenID that it provides for the admin account. I suspect the answer may be 'The Singularity'...:>)
Adam Williamson wrote:
On 05/03/13 10:39 PM, Kurt Seifried wrote:
can I use my existing openid? kurt.seifried.org.
That's not really a question that makes sense. Fedora runs an OpenID provider which gives you an OpenID associated with your 'Fedora identity' - ultimately, it's backed by your FAS account. Your own OpenID is a completely different identity. The idea of 'using' your 'existing' OpenID with Fedora's OpenID provider is just not an idea that is compatible with how OpenID works.
OpenID actually supports delegation, so technically it would be possible for (accountname).id.fedoraproject.org to forward to kurt.seifried.org. But does it make sense in practice? I doubt it.
Kevin Kofler
Hi,
On Tue, Mar 05, 2013 at 05:19:50PM -0700, Kevin Fenzi wrote:
More information is available at:
I hope that nobody used that until now, otherwise I am disappointed that nobody noticed before me that Firefox does not properly validate https://id.fedoraproject.org/
saying "your connection to the site is only partially encrypted and does not prevent eavesdropping". I assume the problem is this entry from the CSS file:
@import url(http://fonts.googleapis.com/css?family=Cantarell:400,700);
And this opens the question why a central Fedora service is using third party, probably non-FOSS services leading only to less security.
Regards Till
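An added example, not part of the original thread or of fas-openid: a small check that flags plain-http references in a stylesheet served from an https page, which is the kind of entry quoted above. The function name and the sample stylesheet are constructed for illustration; only the first sample line comes from the message.

```python
import re

# url(...) tokens (quoted or bare) and string-form @import targets.
URL_FN = re.compile(r"""url\(\s*(['"]?)(?P<u>[^'")\s]+)\1\s*\)""", re.I)
IMPORT_STR = re.compile(r"""@import\s+(['"])(?P<u>[^'"]+)\1""", re.I)

def insecure_css_refs(css_text, page_url):
    """Return (line, kind, url) for each http:// reference on an https page."""
    if not page_url.lower().startswith("https://"):
        return []                      # nothing is "mixed" on a plain-http page
    findings = []
    for lineno, line in enumerate(css_text.splitlines(), 1):
        for rx in (URL_FN, IMPORT_STR):
            for m in rx.finditer(line):
                url = m.group("u")
                # Relative, https:// and protocol-relative (//host/...) URLs
                # inherit or keep the secure scheme, so they are not flagged.
                if not url.lower().startswith("http://"):
                    continue
                before = line[:m.start()].rstrip().lower()
                is_import = rx is IMPORT_STR or before.endswith("@import")
                findings.append((lineno, "@import" if is_import else "url()", url))
    return findings

# Constructed stylesheet; line 1 is the entry quoted in the message above.
SAMPLE_CSS = "\n".join([
    "@import url(http://fonts.googleapis.com/css?family=Cantarell:400,700);",
    '@import "https://example.invalid/ok.css";',
    "@import 'http://example.invalid/legacy.css';",
    'body { background: url("/static/bg.png"); }',
    "h1 { background: url(//example.invalid/logo.png); }",
    ".banner { background: url(http://example.invalid/banner.png); }",
])

if __name__ == "__main__":
    for finding in insecure_css_refs(SAMPLE_CSS, "https://id.fedoraproject.org/"):
        print(finding)
```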
On Wed 01 May 2013 11:15:30 AM EDT, Till Maas wrote:
Hi,
On Tue, Mar 05, 2013 at 05:19:50PM -0700, Kevin Fenzi wrote:
More information is available at:
I hope that nobody used that until now, otherwise I am disappointed that nobody noticed before me that Firefox does not properly validate https://id.fedoraproject.org/
saying "your connection to the site is only partially encrypted and does not prevent eavesdropping". I assume the problem is this entry from the CSS file:
@import url(http://fonts.googleapis.com/css?family=Cantarell:400,700);
And this opens the question why a central Fedora service is using third party, probably non-FOSS services leading only to less security.
Regards Till
This has been noticed and fixed. It should be going into production soon (it's in staging now).
https://github.com/fedora-infra/fas-openid/issues/14
Hello,
This should now be fixed in production as well. If you see the same bug, please notify me.
Patrick