đŸ Archived View for tilde.pink âș ~ssb22 âș openid-cli.gmi captured on 2024-02-05 at 10:29:47. Gemini links have been rewritten to link to archived content
âŹ ïž Previous capture (2023-01-29)
-=-=-=-=-=-=-
Some âblogâ (Web log) platforms require OpenID if you wish to leave your name and URL on a comment.âAlthough many OpenID providers verify you in-browser, OpenID was originally designed to be compatible with out-of-browser verification methods too (e.g. the server calls you by telephone and asks for a one-time code to show it *was* you who just tried to log in), and this kind of approach doesnât seem to have been used as much.
For Unix or GNU/Linux users with home server equipment, the obvious setup is an OpenID server running in a terminal window (on the desktop or Linux console, or over SSH), and asking its questions via that terminal.âItâs out-of-browser verification and you donât need a telephony service.âThe main disadvantage is it cannot be used on platforms that restrict themselves to a small number of well-known OpenID providers instead of allowing everybody to run one.
This simple script openid-cli.py can be used with python-openid.
It expects a file called openid_config.py containing something like:
local_addr = ('localhost', 8100)
public_endpoint_url = "http://home-server.example.org/openid"
profile = { "fullname":"A. N. Other", "nickname":"A.N.O." }
and in your home serverâs /etc/nginx/sites-enabled/default (or equivalent for Apache),
location /openid {
proxy_pass http://localhost:8100;
}
so that requests for /openid are sent to the script.âRunning the script will then prompt you to add the correct markup to your home pageâs <head> section, whereupon you should be able to use your home pageâs URL as an OpenID logon and confirm in the terminal.
(You do not have to keep the script running at times when youâre not expecting to use OpenID, nor do you have to keep the markup in your home pageâs <head> section at other times.âYou should be able to set this up as a âone-offâ to log in to something via OpenID, and take it down again afterwards.)
Some providers (e.g. BlogSpot in 2017) assume they can put https instead of http at the start when sending your browser to a âcheckid_setupâ URL (and they donât do âcheckid_immediateâ), so, if your nginx doesnât do HTTPS, youâll have to delete the s in your browserâs address bar when it tries to load an https page from your home server.â(The security of that request is irrelevant if the whole point of this setup is to ask you the important question *in the terminal* not the browser.)
If using the default port 80 for HTTP traffic, you may wish to ensure your home serverâs firewall allows a proper âclosedâ response on port 443 so the browser doesnât wait too long trying to load the https page before presenting you with the error condition and letting you edit the URL.â(If you are using a port other than 80, a provider that assumes https will have your browser attempt HTTPS negotiations on that alternate port, likely creating needless clutter in your logs.)
All material © Silas S. Brown unless otherwise stated. Apache is a registered trademark of The Apache Software Foundation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. OpenID is a registered trademark of the OpenID Foundation. Unix is a trademark of The Open Group. Any other trademarks I mentioned without realising are trademarks of their respective holders.