Tuesday, April 22, 2008

OpenID login for Knowledgetree

I have replaced (not integrated) KnowledgeTree authentication with OpenID. Supporting both default and OpenID authentication requires more work and that can come later.

This is by no means final since only limited testing has been performed so far. I've decided to post this in its raw form so I can solicit comments and suggestions from the community. And besides, my blog has not been updated for awhile now..

I'll detail the procedures here. I took notes but I may have missed something. Diligence is not one of my virtues..

  • Copy login.php to login-orig.php (save original, let's modify login.php)
  • Change template ktcore/login -> ktcore/openid
  • Copy ./templates/ktcore/login.smarty to openid.smarty
    - change invocation of stylesheet kt-login.css -> kt-openid.css
    - change the Username prompt label to OpenID
    - add class="openid" to input tag for username
    - change name="username" to name="openid_url"
    - remove the password input field

  • Download the OpenID logo
  • Upload logo as openid-bg.png to ./resources/graphics
  • Copy ./resources/css/kt-login.css to kt-openid.css
  • Add input.openid to kt-openid.css, as follows:
    input.openid {
    border: 1px solid #666;
    width: 232px;
    background: url(../graphics/openid-bg.png) no-repeat;
    padding-left: 18px;
Note the OpenID logo in the input field. This is implemented by the input.openid section of the stylesheet. I also changed the input field name to openid_url in conformance to OpenID specifications. I'm using Verisign PIP as OpenID Identity Provider and the Seatbelt browser plug-in kicks in only when openid_url is used as identifier.

I installed version 2.x.x of the PHP OpenID Library, as follows:
  • Create the directory ./thirdparty/OpenID
  • Copy the file common.php found in the examples directory. Also copy the Auth directory from the library.
  • Add the following functions to common.php
    function fixslashes($s) {
    return get_magic_quotes_gpc() ? stripslashes($s) : $s;

    function normOpenIDUrl($oid_url) {
    $claimed_id = strtolower (fixslashes($oid_url));
    $has_scheme = preg_match ('#^https\://#', $claimed_id) === 1;
    $has_scheme = $has_scheme || preg_match ('#^http\://#', $claimed_id) === 1;
    $has_tslash = preg_match ('#/$#', $claimed_id) === 1;
    return (($has_scheme?'':'http://') . $claimed_id . ($has_tslash?'':'/'));
  • Overwrite the original functions in common.php with these
    function getReturnTo() {
    return sprintf("%s://%s:%s/login.php",
    getScheme(), $_SERVER['SERVER_NAME'],

    function getTrustRoot() {
    return sprintf("%s://%s:%s/",
    getScheme(), $_SERVER['SERVER_NAME'],
  • Change config/dmsDefaults.php to include the library in the path..
    $KTInit->prependPath(KT_DIR . '/thirdparty/OpenID');
The rest of the changes are in login.php, the source of which can be found here.

I've disabled automatic sign-up so make sure to create an OpenID account with Administrator privileges before you apply the changes. To prevent duplicate accounts, the usernames are OpenID URLs in normalized form (with leading http:// and trailing /). Thus, the username http://pipoltek.blogspot.com/ applies to any of the following acceptable OpenID identity URLs:
  • pipoltek.blogspot.com
  • http://pipoltek.blogspot.com
  • http://pipoltek.blogspot.com/
I've successfully authenticated using my OpenID accounts from Blogspot, Technorati and Verisign PIP. However, I had login failures using my Yahoo OpenID and a delegate identity URL.

My testbed:
  • VMWare Server version
  • KnowledgeTree OSS 3.4.2 VM Appliance from rPath
  • Microsoft Windows XP Home Service Pack 2
  • Mozilla Firefox

Sunday, April 6, 2008

Verisign Labs PIP, my favorite OpenID Provider

As a long-time user of Yahoo, Blogger, and Technorati, I inherited the following OpenIDs:

  • pipoltek.blogspot.com
  • me.yahoo.com/rexjunjose
  • technorati.com/people/technorati/rexjun
In due time, I may have another one courtesy of Flickr. I enrolled at myopenid.com and that added rexjun.myopenid.com to my arsenal of OpenIDs.

My last OpenID provider might as well be the PIP, or Personal Identity Provider, from Verisign Labs. And this is primarily due to their Seatbelt Firefox plugin which adds ease and security when using your OpenID.

SeatBelt detects that you have clicked on an OpenID sign in field while not signed into your PIP account and prompts you to sign in. Once you have signed in, SeatBelt automatically returns you to the OpenID sign in page with your PIP URL filled in. The sign in session continues as normal.

Since redirection to the login page of your OpenID provider is done by the Seatbelt browser plugin, you can be assured that you are sending your credentials to Verisign and not a probable fake one generated by a phishing site.

One other neat feature is support for OpenID delegation allowing me to use pipoltek.com as my OpenID URI in place of the lengthy rexjun.pip.verisignlabs.com. This is made possible by adding two link tags inside the head section of my home page.

Wait.. there's more! You can protect your Verisign PIP account with two-factor authentication by the use of a security card, token, or a Sandisk U3 flash drive. Verisign PIP even supports the US$5 Paypal security key aside from its own.

As a lead player in identity protection services and a recent member of the OpenID Foundation, one can expect Verisign to continue providing innovative solutions supportive of the OpenID framework. So far, I'm not disappointed.

Saturday, April 5, 2008

Getting and Using your OpenID

I stumbled upon OpenID last year when I was foraging for single sign-on resources in the Internet. It is interesting to note that OpenID has grown by leaps and bounds in just over a couple of years since its inception in 2005. At the start of the year, OpenID's popularity ballooned when Yahoo! launched the public beta of its own OpenID identity service. The following month, the OpenID Foundation announced that heavyweights Google, IBM, Microsoft, VeriSign, and Yahoo! have joined its board. This recent development gives promise of significant things yet to come.

OpenID aims to simplify one's online experience by providing an account that can be used across multiple websites. Blogger already supports OpenID commenting and a Wordpress plug-in is also available to achieve the same purpose. An OpenID is a passport to hundreds of sites listed here.

Some people strongly feel that using OpenID is akin to putting all eggs in one basket since a hacked account becomes a master-key to several sites all at once. The specter of phishing super-accounts is disturbing, and real. Privacy concerns are also associated with identity providers amassing too much personal data. One practical answer would be to have several OpenID accounts (there goes OpenID's mission) --- having five OpenIDs instead of juggling fifty accounts is still nirvana to me... Ok, make that thirty - I can't recall the twenty already! And anti-phishing counter-measures need to be present, either built-in or as a supplement, OpenID or not. Identity-theft is not limited to phishing --- a significant chunk of the world's netizens can easily lose their online identity due to weak passwords, key-loggers or plain social engineering tactics.
Ready to take on OpenID and its challenges? To enable a Yahoo! account for OpenID, start here. Most may not know it but AOL, Technorati, and Livejournal users already have an OpenID associated with their accounts. A blog owner at Blogger or Wordpress can use their blog url (e.g. pipoltek.blogspot.com) as OpenID account. If you're not one of the millions of Yahoo (248M) or AOL (63M) users, or just want to experiment with OpenID, a host of public OpenID identity providers can be availed of here.

Give it a spin by posting a hello on this blog using your OpenID account.