Demoxi Partner Implementation for OpenID-based Auto Sign-In

2007.12.8
Copyright 2007-2008, Demoxi, Inc.


Introduction

Demoxi now supports simple autodiscovery and authentication for Demoxi members on partner websites. This document describes this feature and the partner's part of the implementation.


Terms used

End User refers to the visitor of your site you wish to authenticate automatically through Demoxi. Relying Party refers to you, the Demoxi partner. You are relying upon the authentication provided by Demoxi. Server refers to Demoxi, which is in this case also the Identity Provider. You may recognize this terminology from OpenID. Demoxi's automatic authentication is built on the OpenID standard. You may refer to its documents regarding the role of the Relying Party.

There are more details, help, and free software libraries at OpenID Enabled: http://www.openidenabled.com/

Flow chart of the OpenID process: http://openid.net/pres/protocolflow-1.1.png


How it works

A Demoxi member navigates to your site with his Internet browser. Inside the page is an invisible HTML clue for Demoxi to discover. The clue contains your Relying Party script's URL. Demoxi automatically initiates an OpenID validation process between your Relying Party and our Server.

The Server lets your Relying Party know that the Demoxi member is valid and returns the member's nickname.

You are then free to do a single sign-in ticket/cookie or to create a local user account based on this information. At this time the only user information that is available is the OpenID identifier and the user's nickname. The user information returned in the automatic validation may expand in the future.

Since the process is only initiated by a validated member's client, the Demoxi member will always be returned as valid in the automatic request cycle. If, for some reason, they are not valid or it is a manual attempt to bypass security, the OpenID request cycle will fail.


Implementation

There are only two steps to set up automatic authentication through Demoxi.

  1. Set up an OpenID Relying Party (née Consumer)

    Set up your site to be an OpenID Relying Party, formerly known as an OpenID "Consumer." The Relying Party script is a simple web form following the OpenID specification. This is language independent and there are freely available implementations in most open source programming languages; see below.

    Various libraries in many languages: http://openid.net/wiki/index.php/Libraries

    A PHP version from the list is available from JanRain -- http://www.openidenabled.com/php-openid/ -- just download the package and point your browser to the files in examples/consumer/.

    Demoxi plans to release a Perl Net::OpenID-based implementation in the future. In the meantime

    Your Relying Party must accept only one GET parameter: openid_url. The openid_url will be the Demoxi member's identifier. It will be automatically submitted to your form without a scheme or path. E.g., openid_url=somebody.demoxi.net

  2. Embed your Relying Party's URL in your page

    Add the following HTML to a page in your site.

    <div id="demoxi_af2b4e6c93a7408b8eb2095bb6fddcce"
         style="visibility:hidden;display:none;">
    http://example.com/relying-party-script.ext
    </div>

    The id attribute must be demoxi_af2b4e6c93a7408b8eb2095bb6fddcce, as shown, for autodiscovery to function. The contents of the div must be an absolute URL to your Relying Party script.

    IMPORTANT: This HTML must only be displayed to users who are not already authenticated on your site. The HTML triggers an automatic sign-in cycle. If the HTML is shown to users who are already signed in, it will trigger the sign-in cycle endlessly.

    Alternatively, this HTML could be placed only on your site's regular sign-in page.
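As an added example (not Demoxi's or JanRain's code; Python is used here because the document calls the Relying Party language independent), the input handling the two steps above require: normalizing the scheme-less openid_url Demoxi submits, rejecting any GET parameter other than a single openid_url, and emitting the hidden div only to visitors who are not yet signed in. The OpenID verification round trip with the Server is assumed to be performed by an OpenID library and is not shown; the function names are hypothetical.

```python
"""Relying Party input handling for Demoxi auto sign-in (added example)."""
from urllib.parse import parse_qs, urlsplit

DEMOXI_DIV_ID = "demoxi_af2b4e6c93a7408b8eb2095bb6fddcce"  # id from the document
MAX_OPENID_LEN = 255  # OpenIDs may be up to 255 characters (document)


def normalize_openid_url(raw: str) -> str:
    """Turn the scheme-less identifier Demoxi submits (somebody.demoxi.net)
    into the absolute URL an OpenID library expects (http://somebody.demoxi.net/).
    Raises ValueError when the value cannot be a valid http(s) URI."""
    value = raw.strip()
    if not value or len(value) > MAX_OPENID_LEN:
        raise ValueError("openid_url missing or longer than 255 characters")
    if any(c.isspace() for c in value):
        raise ValueError("openid_url contains whitespace")
    if "://" not in value:  # Demoxi submits the identifier without a scheme
        value = "http://" + value
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("openid_url is not a valid http(s) URI")
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"


def parse_rp_request(query_string: str) -> str:
    """Accept exactly one GET parameter, openid_url, as the document requires.
    Any other parameter, or a repeated openid_url, is rejected."""
    params = parse_qs(query_string, keep_blank_values=True)
    if set(params) != {"openid_url"} or len(params["openid_url"]) != 1:
        raise ValueError("Relying Party accepts only a single openid_url parameter")
    return normalize_openid_url(params["openid_url"][0])


def autodiscovery_snippet(user_is_signed_in: bool, rp_url: str) -> str:
    """Return the hidden autodiscovery div for anonymous visitors only.
    Showing it to signed-in users would restart the sign-in cycle endlessly."""
    if user_is_signed_in:
        return ""
    return (f'<div id="{DEMOXI_DIV_ID}" style="visibility:hidden;display:none;">'
            f"{rp_url}</div>")
```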


Side issues

You will probably want to auto-generate a user account on your website from the validated visitor's OpenID. OpenIDs may be up to 255 characters long and must resolve to a valid URI. To save or add this value in a database you would probably want a column definition that looks like:

  `identity` VARCHAR(255) UNIQUE

They are unique to individual owners so you should constrain them in your database.


Further reference for implementing OpenID
