[Zope-dev] Single Sign On

Marius Gedminas marius at gedmin.as
Thu Feb 19 02:07:49 EST 2009


On Wed, Feb 18, 2009 at 09:00:10AM -0500, Gary Poster wrote:
> On Feb 17, 2009, at 7:55 PM, Shane Hathaway wrote:
> 
> > Gary Poster wrote:
> >> Launchpad uses OpenID.  We don't have that slated for abstraction  
> >> and open-sourcing immediately. However, most of the Launchpad code  
> >> (including this bit) is to be open-sourced by this summer,  
> >> abstracted or not.  Therefore, we should at least be able to give  
> >> you some idea of what we have done before then.
> >> I've forwarded your email to the primary implementer/designer of  
> >> our OpenID integration.  Hopefully he can directly participate, or  
> >> at least give me some answers to forward to you.
> >
> > Cool, thanks.
> >
> >> Generally, we're using python-openid for the Zope code, and an  
> >> Apache plugin as a front-end for hooking up other bits.
> >
> > In that case, what do you pass to Consumer.begin()?  It expects a  
> > user URL and no password, yet launchpad.net accepts a user name and  
> > password.
> >
> > Shane
> 
> Hi Shane.  Francis Lacoste gave this answer:
> 
> We use the OpenID 2.0 identifier select URL. This is a special OpenID
> URL that basically means: identify using whatever ID you have on that
> server.
> 
> The OpenID response will contain the actual OpenID identifier of the
> user at the end of the request.
> 
> So sites that we integrate in our SSO simply send you to Launchpad
> for authentication and then use the returned identifier to link with
> their local account representation. We also use sreg (Simple
> Registration) to transfer information about the account to the
> integrated sites, so that they can update their local account
> representation with the central data.

I have the impression that you're talking past each other.

There are two ways of using OpenID:

  * you can be an OpenID provider, i.e. accept logins with username &
    password and respond to authentication requests from other websites
    confirming that the user does own this particular OpenID.

  * you can be an OpenID consumer, i.e. accept OpenID URLs from users
    and ask the corresponding OpenID provider to validate them.

It's my impression that launchpad.net is an OpenID provider only, while
Shane is trying to figure out how to use the OpenID consumer API in
AuthKit.

I could be mistaken about any of the particular points here.

Marius Gedminas
-- 
http://pov.lt/ -- Zope 3 consulting and development
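
Added example, not part of the original message and not Launchpad's or python-openid's code: the identifier-select exchange described in the quoted answer, seen from the consuming site, with the checks that matter because the provider rather than the user chooses the returned identifier. The endpoint URLs and the identity prefix are constructed placeholders, and pinning one trusted provider in place of discovery on the returned identifier is an assumption.

```python
from urllib.parse import urlencode, parse_qsl

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"
SREG_NS = "http://openid.net/extensions/sreg/1.1"

# Constructed values for illustration (not Launchpad's real endpoints).
OP_ENDPOINT = "https://sso.example/+openid"
IDENTITY_PREFIX = "https://sso.example/+id/"
RETURN_TO = "https://app.example/openid/return"


def build_auth_request(sreg_optional=("nickname", "email")):
    """Redirect URL for a checkid_setup request using identifier select."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        # The consumer does not know who the user is yet: the provider picks.
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": RETURN_TO,
        "openid.realm": "https://app.example/",
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.optional": ",".join(sreg_optional),
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def accept_assertion(query_string):
    """Return (claimed_id, sreg fields) or raise ValueError.

    Assumes the OpenID library already verified the signature and nonce.
    """
    p = dict(parse_qsl(query_string, keep_blank_values=True))
    if p.get("openid.ns") != OPENID2_NS or p.get("openid.mode") != "id_res":
        raise ValueError("not a positive OpenID 2.0 assertion")
    if p.get("openid.op_endpoint") != OP_ENDPOINT:
        raise ValueError("assertion from unexpected provider")
    if p.get("openid.return_to") != RETURN_TO:
        raise ValueError("return_to mismatch")
    claimed = p.get("openid.claimed_id", "")
    # The provider must have replaced the placeholder with a real identifier
    # inside the namespace it is authoritative for.
    if claimed == IDENTIFIER_SELECT or not claimed.startswith(IDENTITY_PREFIX):
        raise ValueError("claimed_id not issued by the trusted provider")
    sreg = {k[len("openid.sreg."):]: v for k, v in p.items()
            if k.startswith("openid.sreg.")}
    return claimed, sreg
```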