|
|
| (16 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| − | {{#eclipseproject:technology.higgins|eclipse_custom_style.css}}
| + | #REDIRECT [[Higgins Web Selector]] |
| − | [[Image:Higgins_logo_76Wx100H.jpg|right]] | + | |
| − | | + | |
| − | ==Introduction==
| + | |
| − | | + | |
| − | [[Image:Webbased.png|thumbnail|OpenID AX flow]]
| + | |
| − | | + | |
| − | The Higgins Web Proxy is a web application which allows users to access and use their i-cards via the [http://www.openid.net OpenID protocol], without the need for any locally installed selector. This can be useful on platforms where selector software is not available, as well as in scenarios in which the requirement for users to install extra software is considered to be unacceptable.
| + | |
| − | | + | |
| − | The Higgins Web Proxy functions as an OpenID IdP for use by standard OpenID RPs. It supports the following types of OpenID requests:
| + | |
| − | * '''OpenID Authentication 1.1 and 2.0''': This simply authenticates the user, without using i-cards
| + | |
| − | * '''OpenID Attribute Exchange 1.0 Fetch''': This allows the RP to request an i-card from the user
| + | |
| − | * '''OpenID Attribute Exchange 1.0 Store''': This allows the RP to offer a new i-card to the user
| + | |
| − | | + | |
| − | The Higgins Web Proxy uses the [[I-Card Service Web App]] for retrieving and managing the user's i-cards.
| + | |
| − | | + | |
| − | The OpenID identifier (which can be a URI or an XRI) consists of a preconfigured base part, and a dynamic part which directly maps to the user's account name in the Higgins [[I-Card Service]].
| + | |
| − | | + | |
| − | For example, if the user's Higgins account name is "joe", then they could use the following OpenIDs:
| + | |
| − | * '''my.server.com/joe''' - URI form
| + | |
| − | * '''=my*joe''' - XRI form
| + | |
| − | | + | |
| − | ===Security/Privacy Considerations===
| + | |
| − | | + | |
| − | The main downside of this approach is reduced privacy, since the i-cards of a user become highly correlatable via the OpenID identifier that is being authenticated.
| + | |
| − | | + | |
| − | The Higgins Web Proxy does not reveal the existence/non-existence of user accounts in the [[I-Card Service]] to unauthorized users. It initially answers requests to any identifier and only checks its existence at the point when the user enters their password.
| + | |
| − | | + | |
| − | ==End-User Perspective ==
| + | |
| − | | + | |
| − | End-users of the [[Higgins Web Proxy]] do not need to install anything. From their perspective, everything happens in the browser. However, they need to know the following:
| + | |
| − | | + | |
| − | * Their account name and password in the Higgins [[I-Card Service]].
| + | |
| − | * How to form an OpenID identifier from their account name.
| + | |
| − | | + | |
| − | E.g. if their account name is '''joe''', they need to know that they can use the OpenID identifiers '''http://my.server.com/joe''' or '''=myserver*joe'''.
| + | |
| − | | + | |
| − | Other than that, all the end-user needs to do is select an i-card and (if the card is password protected) enter the i-card's password, just like they would in an installed selector.
| + | |
| − | | + | |
| − | Example OpenID relying party:
| + | |
| − | | + | |
| − | [[Image:Higgins-web-proxy-shot1.png]]
| + | |
| − | | + | |
| − | The Higgins Web Proxy authenticating the user:
| + | |
| − | | + | |
| − | [[Image:Higgins-web-proxy-shot2.png]]
| + | |
| − | | + | |
| − | The Higgins Web Proxy asking the user to select an i-card:
| + | |
| − | | + | |
| − | [[Image:Higgins-web-proxy-shot3.png]]
| + | |
| − | | + | |
| − | ==Deployer Perspective==
| + | |
| − | | + | |
| − | The [[Higgins Web Proxy]] is a Java web application which can be deployed in a standard servlet container.
| + | |
| − | | + | |
| − | ===Configuration===
| + | |
| − | | + | |
| − | The main configuration file is WEB-INF/application.properties.:
| + | |
| − | * '''rpps''': This is the endpoint of the Higgins [[I-Card Service Web App]] which is used to authenticate users as well as access their i-cards.
| + | |
| − | * '''server-url''': This is the absolute URL to the Higgins Web Proxy. You have to set this according to your environment.
| + | |
| − | * '''xri-providerid''': The i-number of the parent XRI for your community i-names. This is only needed to support XRI OpenIDs.
| + | |
| − | | + | |
| − | Other files:
| + | |
| − | * '''*.jsp''': These files can be customized for appearance.
| + | |
| − | * '''top.txt''' and '''bottom.txt''': These files are included by the *.jsp files and can also be customized for appearance.
| + | |
| − | * '''discovery-uri''': This file is served when an OpenID RP performs discovery on a URI OpenID. It can be customized for appearance.
| + | |
| − | * '''discovery-xri''': This file is served when an OpenID RP performs discovery on an XRI OpenID. This should not be changed.
| + | |
| − | | + | |
| − | ===URI OpenID Identifiers===
| + | |
| − | | + | |
| − | Users can use the following URI identifiers at OpenID relying parties:
| + | |
| − | | + | |
| − | '''(server-url) / (Higgins account name)'''
| + | |
| − | | + | |
| − | E.g. if the Higgins Web Proxy is deployed at '''http://my.server.com''', and your Higgins account name is '''joe''', then you can use the following URI OpenID identifier:
| + | |
| − | | + | |
| − | '''http://my.server.com/joe'''
| + | |
| − | | + | |
| − | ===XRI OpenID Identifiers===
| + | |
| − | | + | |
| − | Users can use the following XRI identifiers at OpenID relying parties:
| + | |
| − | | + | |
| − | '''(parent-xri) * (Higgins account name)'''
| + | |
| − | | + | |
| − | E.g. if the parent XRI is '''=myserver''', and your Higgins account name is '''joe''', then you can use the following XRI OpenID identifier:
| + | |
| − | | + | |
| − | '''=myserver*joe'''
| + | |
| − | | + | |
| − | This assumes that the parent XRI has been properly configured to delegate XRI authority resolution to the Higgins Web Proxy, e.g. with a service endpoint like this:
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | <Service priority="10">
| + | |
| − | <ProviderID>xri://=!89F9.2C84.ACEA.F2F0</ProviderID>
| + | |
| − | <Type select="true">xri://$res*auth*($v*2.0)</Type>
| + | |
| − | <MediaType select="false">application/xrds+xml</MediaType>
| + | |
| − | <URI append="none" priority="2">http://my.server.com/</URI>
| + | |
| − | </Service>
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ==Developer Perspective==
| + | |
| − | | + | |
| − | ===Architecture===
| + | |
| − | | + | |
| − | The [[Higgins Web Proxy]] is a standalone web application.
| + | |
| − | | + | |
| − | ===Building===
| + | |
| − | | + | |
| − | The [[Higgins Web Proxy]] projects are:
| + | |
| − | * app/org.eclipse.higgins.proxy.web (the Higgins Web Proxy itself)
| + | |
| − | * app/org.eclipse.higgins.proxy.test (an example OpenID RP)
| + | |
| − | | + | |
| − | These project can be checked out from the Eclipse repository at the following SVN URIs:
| + | |
| − | | + | |
| − | {| class="wikitable" style="text-align:left; border="1" cellpadding="5" cellspacing="0"
| + | |
| − | |-
| + | |
| − | | https://dev.eclipse.org/svnroot/technology/org.eclipse.higgins/trunk/app/org.eclipse.higgins.proxy.web
| + | |
| − | | https://dev.eclipse.org/svnroot/technology/org.eclipse.higgins/trunk/app/org.eclipse.higgins.proxy.test
| + | |
| − | |-
| + | |
| − | |}
| + | |
| − | | + | |
| − | ===Developing an OpenID RP===
| + | |
| − | | + | |
| − | The Higgins Web Proxy should work with any standard OpenID RP. For a list of tools for developing such RPs, see http://openidenabled.com/.
| + | |
| − | | + | |
| − | '''How to authenticate the user'''
| + | |
| − | | + | |
| − | Authenticating users does not involve i-cards. The OpenID initiates a standard OpenID Authentication request. The Higgins Web Proxy then simply asks the user for their Higgins account password and returns an OpenID Authentication response to the RP.
| + | |
| − | | + | |
| − | '''How to request an i-card'''
| + | |
| − | | + | |
| − | In order to a ask the user to select an i-card, the OpenID RP has to use the '''Attribute Exchange''' (AX) extension with a '''Fetch''' request. The attribute identifiers which the RP wants to request are simply the claim URIs from the user's i-cards. E.g. if the RP would like to request the request claims "first name" and "e-mail address", as well as the optional claim "last name", then the OpenID AX parameters could look like this:
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | openid.ns.ax=http://openid.net/srv/ax/1.0
| + | |
| − | openid.ax.mode=fetch_request
| + | |
| − | openid.ax.type.emailaddress=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
| + | |
| − | openid.ax.type.givenname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
| + | |
| − | openid.ax.type.surname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
| + | |
| − | openid.ax.required=emailaddress,givenname
| + | |
| − | openid.ax.if_available=surname
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | '''How to offer an i-card'''
| + | |
| − | | + | |
| − | In order to offer the user a new i-card, the OpenID RP has to use the '''Attribute Exchange''' (AX) extension with a '''Store''' request. The request must contain a special attribute with the alias '''icard''' whose value must be the i-card in XML format that is being offered to the user.
| + | |
| − | | + | |
| − | == See Also ==
| + | |
| − | * [[Solutions 1.1]]
| + | |
| − | | + | |
| − | == Links ==
| + | |
| − | * [http://openid.net/specs/openid-authentication-1_1.html OpenID Authentication 1.1]
| + | |
| − | * [http://openid.net/specs/openid-authentication-2_0.html OpenID Authentication 2.0]
| + | |
| − | * [http://openid.net/specs/openid-attribute-exchange-1_0.html OpenID Attribute Exchange 1.0]
| + | |
| − | | + | |
| − | [[Category:Higgins Solutions]]
| + | |
