From kevin at janrain.com Tue Apr 11 11:00:30 2006
From: kevin at janrain.com (Kevin Turner)
Date: Tue, 11 Apr 2006 11:00:30 -0700
Subject: OpenID and case sensitivity
Message-ID: <1144778431.4511.46.camel@lobster.janrain.com>

Hi Jenna,

I found your conversation on #openid in my scrollback this morning,
regarding case sensitivity of OpenID URLs.

I strongly recommend you do treat these strings as case-sensitive and do
not perform case transformations on them. There is, as you say, some
danger of confusing accounts if consumer and server handle case
differently, and I think the best way to avoid that confusion is to
allow the server to determine the policy.

If the server wishes to spare its users the trouble of remembering the
case of their usernames, there is a mechanism by which they may do so.
For example, if I enter "http://keTuRN.myopenid.com/", the server will
issue redirects to http://keturn.myopenid.com/. The OpenID spec says "A
consumer must canonicalize the URL, following redirects and noting the
final URL. The final, canonicalized URL is the user's identity URL."

The string your application should be using to identify the user is the
one returned by the complete_auth method. That is the identity the
server has made an assertion about, and it should always be the same
case for the same account. If it's not, I think that's the time when it
would be appropriate for you to visit your wrath upon them.

Here's hoping you have a wrath-free day,

 - Kevin (keturn on #openid)

p.s. We're curious -- what consumer are you working on?

--
http://www.openidenabled.com/

From sherwin at saturn.emc.com.ph Sun Apr 23 01:15:45 2006
From: sherwin at saturn.emc.com.ph (Sherwin Daganato)
Date: Sun, 23 Apr 2006 16:15:45 +0800
Subject: [bug?] example consumer in PHP OpenID 1.0.0 no longer works with livejournal
Message-ID: <20060423081545.GA27146@saturn.emc.com.ph>

$status returned by completeAuth method in line 11 of "finish_auth.php"
is "failure".
However, the library which can be found at
http://videntity.org/tp/downloads/PHP-OpenID-0.0.8.3.tar.bz2 still works.

=-=-=-=-=-=-
FROM examples/consumer/finish_auth.php:

10 // Complete the authentication process using the server's response.
11 list($status, $info) = $consumer->completeAuth($token, $_GET);
12
13 $openid = null;
14
15 // React to the server's response. $info is the OpenID that was
16 // tried.
17 if ($status != Auth_OpenID_SUCCESS) {
18     $msg = sprintf("Verification of %s failed.", $info);
19 } else {

From sherwin at saturn.emc.com.ph Sun Apr 23 04:27:25 2006
From: sherwin at saturn.emc.com.ph (Sherwin Daganato)
Date: Sun, 23 Apr 2006 19:27:25 +0800
Subject: [bug?] example consumer in PHP OpenID 1.0.0 no longer works with livejournal
In-Reply-To: <20060423081545.GA27146@saturn.emc.com.ph>
References: <20060423081545.GA27146@saturn.emc.com.ph>
Message-ID: <20060423112725.GA29311@saturn.emc.com.ph>

On Sun, Apr 23, 2006 at 04:15:45PM +0800, Sherwin Daganato wrote:
> $status returned by completeAuth method in line 11 of "finish_auth.php"
> is "failure".

Sorry to waste your time. I dug deeper and found that the error was
triggered by "if ($v_sig != $sig) {" in "Auth/OpenID/Consumer.php".
It worked again after I removed the directory specified in $store_path.
I guess I should have checked the content of that directory before trying
the example.

From chowells at janrain.com Mon Apr 24 10:43:23 2006
From: chowells at janrain.com (Carl Howells)
Date: Mon, 24 Apr 2006 10:43:23 -0700
Subject: PHP OpenID Library Example
In-Reply-To: <8F6910D1-9B55-4522-B72D-349439B548A2@verselogic.net>
References: <8F6910D1-9B55-4522-B72D-349439B548A2@verselogic.net>
Message-ID: <444D0E3B.3070807@janrain.com>

Hey, I remember you.

Yeah, the cryptography part is excessively slow in a default install of
PHP 4. The multiplications you're seeing done are the best we can
manage. But as you've seen, there are cases where it's just not enough.
Building PHP with GMP support would make it run orders of magnitude
faster, as GMP is a library designed for integer math, whereas BC (the
default PHP math library) is designed for floating point.

I'm CCing this email to dev at lists.openidenabled.com. You should join
the list, and look for additional followup there. The PHP code is not
my area of expertise -- I've basically told you everything I know about
the topic.

Carl

Alan J Castonguay wrote:
> Carl Howells,
>
> Email sent directly rather than on the yadis mailinglist, as they're
> talking about Yadis now, not OpenID. However, if you think this issue is
> important enough to everyone on the that it should have been sent to the
> list, please either let me know and I can repost it there, or simply
> reply to the list, quoting relevant parts.
>
> I implemented my own OpenID consumer library way back when it was all
> the rage, though I didn't understand the cryptology enough to do
> anything more than dumb-mode. You helped me out a bit with that,
> specifically in fixing broken identity url regexen[3].
>
> Recently, I've been to get the JanRain PHP OpenID library example[1] to
> work, in hopes of replacing my implementation library with it. However,
> I've run into a snag that documentation has failed to unravel.
>
> I installed the pear module, it gets included correctly. However, when I
> try to verify an identity url, I get a spinning activity icon in Safari
> or Firefox for ~40 seconds, and then a blank page with the url remaining
> at try_auth.php[2]. I went into common.php and added a
> error_reporting(E_ALL); at the top, and removed the @ before the
> constructRedirect() call in try_auth.php. This revealed the following
> error:
>
> Fatal error: Maximum execution time of 30 seconds exceeded in
> /usr/lib/php/Auth/OpenID/BigMath.php on line 215
>
> Quick and dirty profiling indicates that most of the time is spent
> calling bcmul() on some very large integers.
> Specifically, 2042 calls to
> bcmul() succeed in that 30 seconds:
>
> # grep JanRainR messages | grep bcmul | wc
> 2042 18378 1015552
>
> The numbers start off small, but php gives up when the first number is
> around 309 digits.
> Apr 22 16:18:05 hikari JanRainS[27025]: session started
> ..
> Apr 22 16:18:06 hikari JanRainS[27025]: about to try bcmul(0,256)
> Apr 22 16:18:06 hikari JanRainS[27025]: about to try bcmul(0,256)
> Apr 22 16:18:06 hikari JanRainS[27025]: about to try bcmul(155,256)
> Apr 22 16:18:06 hikari JanRainS[27025]: about to try bcmul(39680,256)
> ..
> Apr 22 16:18:44 hikari JanRainS[27025]: about to try
> bcmul(23363398405050990008306782255920806187474412737006722183025365727633868346476333015458625430148785739534210406257427052154811510437467734420678469884320274030519989577207834439633029040924670685872478487394719754924836625927770328754370515393562171598979614630819748859049121767601274881310668740808601290064,2336339840505099000830678225592080618747441273700672218302536572763386834647633301545862543014878573953421040625742705215481151043746773442067846988432027403051998957720783
>
> ^^ that is cut off by limits in syslog message length
>
> Slightly interesting is that the 30-second limit is being exceeded
> slightly, usually around 40 seconds.
>
> Is multiplying these huge numbers for so long, seemingly in a non-ending
> increasing loop, normal practice? Is it just being run too slowly on my
> hardware? Is a very inefficient library (like php's bcmul) being used
> instead of something much faster as a result of missing libraries or
> similar?
>
> I can't seem to find documentation mentioning this, either on the yadis
> list or openidenabled.com. If I have overlooked such documentation,
> please send me a url that I might be enlightened. If not, why would this
> be happening?
>
> Thanks for reading,
> Alan J Castonguay
>
> 1: http://www.openidenabled.com/openid/libraries/php/
> 2:
> http://openid.verselogic.net/janrainexample/try_auth.php?action=verify&openid_url=http%3A%2F%2Fverselogic.myopenid.com%2F
>
> 3: http://lists.danga.com/pipermail/yadis/2005-July/001275.html
>

From alan.openid at verselogic.net Wed Apr 26 20:33:39 2006
From: alan.openid at verselogic.net (Alan J Castonguay)
Date: Wed, 26 Apr 2006 23:33:39 -0400
Subject: PHP OpenID Library Example
In-Reply-To: <444D0E3B.3070807@janrain.com>
References: <8F6910D1-9B55-4522-B72D-349439B548A2@verselogic.net> <444D0E3B.3070807@janrain.com>
Message-ID: <44503B93.90003@verselogic.net>

Carl Howells wrote:
> Hey, I remember you.
>
> Yeah, the cryptography part is excessively slow in a default install of
> PHP 4. The multiplications you're seeing done are the best we can
> manage. But as you've seen, there are cases where it's just not enough.
> Building PHP with GMP support would make it run orders of magnitude
> faster, as GMP is a library designed for integer math, whereas BC (the
> default PHP math library) is designed for floating point.

I've got GMP compiled into PHP5 now, and the improvement is amazing; now
the computations are being done in seconds rather than minutes.

> I'm CCing this email to dev at lists.openidenabled.com. You should join
> the list, and look for additional followup there. The PHP code is not
> my area of expertise -- I've basically told you everything I know about
> the topic.

Thanks for the invite, I shall see what interestingness I can bring.

To start off, what does the Auth_OpenID_MySQLStore() constructor expect to
be passed? There's 'mixed $connection' and 'connection $conn' listed as
required parameters in the documentation, though I'm not sure what either
of them are supposed to be, beyond "an established database connection".
Is that the sort of resourceID returned by mysql_connect(), or a pear
database abstraction class?
Auth_OpenID_SQLStore Auth_OpenID_SQLStore (mixed $connection, [string
$settings_table = null], [associations_table: $associations_table = null],
[nonces_table: $nonces_table = null], connection $conn)

# connection $conn: This must be an established connection to a database
of the correct type for the SQLStore subclass you're using.

http://www.openidenabled.com/resources/docs/openid/php/1.0.0/OpenID/Auth_OpenID_SQLStore.html#sec-method-summary

Alan J Castonguay

From cygnus at janrain.com Thu Apr 27 09:30:32 2006
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Thu, 27 Apr 2006 09:30:32 -0700
Subject: PHP OpenID Library Example
In-Reply-To: <44503B93.90003@verselogic.net>
References: <8F6910D1-9B55-4522-B72D-349439B548A2@verselogic.net> <444D0E3B.3070807@janrain.com> <44503B93.90003@verselogic.net>
Message-ID: <20060427163032.GC4191@janrain.com>

# To start off, what does the Auth_OpenID_MySQLStore() constructor
# expect to be passed? There's 'mixed $connection' and 'connection
# $conn' listed as required parameters in the documentation, though
# I'm not sure what either of them are supposed to be, beyond "an
# established database connection".

Hi,

Auth_OpenID_MySQLStore($conn) expects $conn to be a PEAR DB connection
instance. This is true of all of the SQL-backed store classes
(SQLiteStore, MySQLStore, and PostgreSQLStore). Sorry about that; I'll
make the docs clearer. They all use the SQLStore constructor which is
where this is expected.

--
Jonathan Daugherty
JanRain, Inc.
From cygnus at janrain.com Thu Apr 27 09:34:04 2006
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Thu, 27 Apr 2006 09:34:04 -0700
Subject: PHP OpenID Library Example
In-Reply-To: <20060427163032.GC4191@janrain.com>
References: <8F6910D1-9B55-4522-B72D-349439B548A2@verselogic.net> <444D0E3B.3070807@janrain.com> <44503B93.90003@verselogic.net> <20060427163032.GC4191@janrain.com>
Message-ID: <20060427163403.GD4191@janrain.com>

# Auth_OpenID_MySQLStore($conn) expects $conn to be a PEAR DB
# connection instance.

I should add that if you already have your own database abstraction
mechanism (i.e. you're not using PEAR and you don't want to), you can
create your own PEAR-style database connection class by subclassing
Auth_OpenID_DatabaseConnection, which is defined in
Auth/OpenID/DatabaseConnection.php. Just override most or all of the
methods of that class in your subclass and pass an instance of that as
$conn instead of a PEAR connection handle.

--
Jonathan Daugherty
JanRain, Inc.

From alan.openid at verselogic.net Thu Apr 27 09:59:23 2006
From: alan.openid at verselogic.net (Alan J Castonguay)
Date: Thu, 27 Apr 2006 12:59:23 -0400
Subject: PHP OpenID Library Example
In-Reply-To: <44503B93.90003@verselogic.net>
References: <8F6910D1-9B55-4522-B72D-349439B548A2@verselogic.net> <444D0E3B.3070807@janrain.com> <44503B93.90003@verselogic.net>
Message-ID: <4450F86B.8090401@verselogic.net>

I should have read the source of Auth_OpenID_MySQLStore() a little more it
seems. It appears a Pear DB connection is required. Are the docs[1] out of
sync?

$dsn = 'mysql://user:password@localhost/databasename';
$db =& DB::connect($dsn);
$store = new Auth_OpenID_MySQLStore( $db );

seems to work fine, but the tables are not being created properly. I went
hunting again, and found that the sql in sql['assoc_table'] (in
MySQLStore.php, line 32) wasn't working.
I tried running it manually in the mysql console to get a useful error
message, and turned up this gem:

--
mysql> CREATE TABLE oid_associations (server_url BLOB, handle
VARCHAR(255), secret BLOB, issued INTEGER, lifetime INTEGER, assoc_type
VARCHAR(64), PRIMARY KEY (server_url(255), handle)) TYPE=InnoDB;

ERROR 1071: Specified key was too long. Max key length is 500
--

Seems mysql was a wee bit old[2]. Upgraded from mysqld v4.0.22 to
4.1.14, and the problem ceased.

1: http://www.openidenabled.com/resources/docs/openid/php/1.0.0/
2: http://bugs.mysql.com/bug.php?id=2130

Alan J Castonguay wrote:
> Carl Howells wrote:
>
>>Hey, I remember you.
>>
>>Yeah, the cryptography part is excessively slow in a default install of
>>PHP 4. The multiplications you're seeing done are the best we can
>>manage. But as you've seen, there are cases where it's just not enough.
>> Building PHP with GMP support would make it run orders of magnitude
>>faster, as GMP is a library designed for integer math, whereas BC (the
>>default PHP math library) is designed for floating point.
>
>
> I've got GMP compiled into PHP5 now, and the improvement is amazing; now
> the computations are being done in seconds rather than minutes.
>
>
>>I'm CCing this email to dev at lists.openidenabled.com. You should join
>>the list, and look for additional followup there. The PHP code is not
>>my area of expertise -- I've basically told you everything I know about
>>the topic.
>
>
> Thanks for the invite, I shall see what interestingness I can bring.
>
> To start off, what does the Auth_OpenID_MySQLStore() constructor expect to
> be passed? There's 'mixed $connection' and 'connection $conn' listed as
> required parameters in the documentation, though I'm not sure what either
> of them are supposed to be, beyond "an established database connection".
> Is that the sort of resourceID returned by mysql_connect(), or a pear
> database abstraction class?
>
>
> Auth_OpenID_SQLStore Auth_OpenID_SQLStore (mixed $connection, [string
> $settings_table = null], [associations_table: $associations_table = null],
> [nonces_table: $nonces_table = null], connection $conn)
>
> # connection $conn: This must be an established connection to a database
> of the correct type for the SQLStore subclass you're using.
>
>
> http://www.openidenabled.com/resources/docs/openid/php/1.0.0/OpenID/Auth_OpenID_SQLStore.html#sec-method-summary
>
>
> Alan J Castonguay
>
> _______________________________________________
> Dev mailing list
> Dev at lists.openidenabled.com
> http://lists.openidenabled.com/mailman/listinfo/dev

From cygnus at janrain.com Thu Apr 27 10:18:22 2006
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Thu, 27 Apr 2006 10:18:22 -0700
Subject: PHP OpenID Library Example
In-Reply-To: <4450F86B.8090401@verselogic.net>
References: <8F6910D1-9B55-4522-B72D-349439B548A2@verselogic.net> <444D0E3B.3070807@janrain.com> <44503B93.90003@verselogic.net> <4450F86B.8090401@verselogic.net>
Message-ID: <20060427171821.GE4191@janrain.com>

# I should have read the source of Auth_OpenID_MySQLStore() a little
# more it seems. It appears a Pear DB connection is required. Are the
# docs[1] out of sync?

Nope, the docs aren't really out of sync; they're just not very
verbose. :)

# $dsn = 'mysql://user:password@localhost/databasename';
# $db =& DB::connect($dsn);
# $store = new Auth_OpenID_MySQLStore( $db );

Yeah, that's correct.

# seems to work fine, but the tables are not being created properly. I went
# hunting again, and found that the sql in sql['assoc_table'] (in
# MySQLStore.php, line 32) wasn't working.
# I tried running it manually in
# the mysql console to get a useful error message, and turned up this gem:
#
# --
# mysql> CREATE TABLE oid_associations (server_url BLOB, handle
# VARCHAR(255), secret BLOB, issued INTEGER, lifetime INTEGER, assoc_type
# VARCHAR(64), PRIMARY KEY (server_url(255), handle)) TYPE=InnoDB;
#
# ERROR 1071: Specified key was too long. Max key length is 500
#
# Seems mysql was a wee bit old[2]. Upgraded from mysqld v4.0.22 to
# 4.1.14, and the problem ceased.

Thanks a ton for doing the research on this. As it's considered a bug,
I'll add a "please upgrade" FAQ entry about it. In our testing here, we
use MySQL 4.0.24 and we don't have that problem.

--
Jonathan Daugherty
JanRain, Inc.

From kevin at janrain.com Fri Apr 28 19:13:05 2006
From: kevin at janrain.com (Kevin Turner)
Date: Fri, 28 Apr 2006 19:13:05 -0700
Subject: Python OpenID 1.2 prerelease
Message-ID: <1146276785.32071.124.camel@lobster.janrain.com>

Hi gang,

We've been a little lax about the news posts so far this spring, but
here's what's been going on: The Yadis 1.0 specification was finalized
last month, which we're all very happy about. And a few weeks back we
proposed a Simple Registration Extension[1] to OpenID, to make
registration at your OpenID enabled site even more streamlined.

All this stuff is live at Schtuff and MyOpenID, but you haven't seen any
code from us yet. That's because, frankly, it isn't quite done. The code
is tested, and we're using it in production here, but the documentation
we want to write for you isn't all there. With weather like this, it's
been a terrible thing to have to choose between writing documentation
and riding bikes.

But I want you to have a chance to look at this during the Internet
Identity Workshop[2] next week, so I'm making a prerelease now.
Grab

http://www.openidenabled.com/resources/downloads/python-openid/python-openid-1.2.0pre1.tar.gz
http://www.openidenabled.com/resources/downloads/python-openid/python-yadis-1.0.0pre1.tar.gz
http://www.openidenabled.com/resources/downloads/python-openid/urljr-1.0.0.tar.gz

You'll need the yadis package if you want to take advantage of Yadis
with OpenID, and both of those packages depend on the "urljr" package --
it has code we needed for both and didn't want to duplicate. We'll tidy
up the package management a bit so you everyone won't have to download
three tarballs when the finished release comes out.

If you have any questions, post 'em here, in #openid on
irc.freenode.net, or ask Brian, Josh, or Larry at next week's workshop.
Your questions will help us figure out what we need to focus on in
cleaning up those docs.

Is Python not your language? Fear not, Ruby and PHP versions of this
code will be along soon, with Perl, C#, and Java not long after.

Happy hacking,

 - Kevin

1: http://www.openidenabled.com/openid/simple-registration-extension/
2: http://iiw.windley.com/

--
from JanRain, Inc.
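
Added example (not part of the archived messages and not code from any JanRain library): the identity handling recommended in the 11 April message "OpenID and case sensitivity", showing the final post-redirect URL used as an exact, case-sensitive account key and the account collision that consumer-side case folding causes. The redirect table, the id.example.test URLs and the names canonicalize, AccountStore and identity_demo are constructed for illustration.

```python
# Constructed redirect table standing in for HTTP fetches (assumption: a real
# consumer would request each URL and read the Location header instead).
REDIRECTS = {
    # The server from the message folds case itself by redirecting.
    "http://keTuRN.myopenid.com/": "http://keturn.myopenid.com/",
}
MAX_HOPS = 5


def canonicalize(url, redirects=REDIRECTS):
    """Follow redirects and return the final URL exactly as the server gave it."""
    seen = {url}
    for _ in range(MAX_HOPS):
        target = redirects.get(url)
        if target is None:
            return url  # no further redirect: this is the identity URL
        if target in seen:
            raise ValueError("redirect loop at %r" % target)
        seen.add(target)
        url = target
    raise ValueError("too many redirects")


class AccountStore:
    """Maps verified identity URLs to local accounts via a key function."""

    def __init__(self, key=lambda url: url):
        self._key = key
        self._accounts = {}

    def login(self, verified_identity):
        key = self._key(verified_identity)
        # First login creates the account; later logins return the same one.
        new_name = "account-%d" % (len(self._accounts) + 1)
        return self._accounts.setdefault(key, new_name)


def identity_demo():
    exact = AccountStore()                 # case-sensitive, as recommended
    folded = AccountStore(key=str.lower)   # consumer applies its own case policy
    # Hypothetical case-sensitive server: two different users, no redirects.
    first = canonicalize("http://id.example.test/users/Alice")
    second = canonicalize("http://id.example.test/users/alice")
    return {
        "server_policy": canonicalize("http://keTuRN.myopenid.com/"),
        "exact_keeps_apart": exact.login(first) != exact.login(second),
        "folding_merges": folded.login(first) == folded.login(second),
    }
```
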
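
Added example (not code from the PHP library): the kind of check behind the `$v_sig != $sig` comparison named in the 23 April "[bug?]" follow-up, written against the OpenID 1.1 signing scheme (base64 HMAC-SHA1 over the signed fields in key-value form), and how a leftover secret in the association store makes a genuine response fail until the store is cleared. The secrets, handle, URLs and function names are constructed, and the stale entry is assumed to hold an out-of-date secret for the same handle; the comparison here uses hmac.compare_digest.

```python
import base64
import hashlib
import hmac

SERVER = "http://www.example.test/openid/server"  # constructed endpoint


def kv_token(fields, signed):
    """Signed fields in key-value form, in the order openid.signed lists them."""
    return "".join("%s:%s\n" % (n, fields["openid." + n]) for n in signed)


def sign(secret, fields, signed):
    """base64(HMAC-SHA1(association secret, key-value token))."""
    mac = hmac.new(secret, kv_token(fields, signed).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(store, fields):
    """True only if openid.sig matches the MAC under the stored secret."""
    secret = store.get((SERVER, fields.get("openid.assoc_handle")))
    signed = [n for n in fields.get("openid.signed", "").split(",") if n]
    if secret is None or not signed:
        return False
    if any("openid." + n not in fields for n in signed):
        return False
    expected = sign(secret, fields, signed)
    return hmac.compare_digest(expected.encode(), fields.get("openid.sig", "").encode())


def server_response(secret, handle, identity):
    """A response signed with the server's current secret (constructed data)."""
    fields = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": "http://consumer.example.test/finish_auth.php",
        "openid.assoc_handle": handle,
        "openid.signed": "mode,identity,return_to",
    }
    fields["openid.sig"] = sign(secret, fields, fields["openid.signed"].split(","))
    return fields


def signature_demo():
    current = b"current-secret-20-by"  # constructed 20-byte secrets
    stale = b"leftover-secret-20-b"
    resp = server_response(current, "h1", "http://user.example.test/")
    stale_store = {(SERVER, "h1"): stale}    # leftover entry for the same handle
    fresh_store = {(SERVER, "h1"): current}  # after clearing and re-associating
    tampered = {**resp, "openid.identity": "http://other.example.test/"}
    return (verify(stale_store, resp), verify(fresh_store, resp),
            verify(fresh_store, tampered))
```
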