Moving to OpenID

From today, this blog will be supporting OpenID authentication [edit: support removed, see the comments], meaning that it is possible to log in and comment using familiar login names such as the ones that you already have at Google.com, Yahoo, LiveJournal, Blogger, Flickr, MySpace, WordPress.com or elsewhere. (Read more from here.) Open registration to this site appeared only to attract spammers, and there are many benefits from using OpenID. And if you are interested in implementing OpenID authentication at your own site, it is relatively easy these days. (Setting it up on this blog took less than 10 minutes, hooray! 🙂)

Author: frans

Professor of Information Studies and Interactive Media, esp. Digital Culture and Game Studies in the University of Tampere, Finland.

6 thoughts on “Moving to OpenID”

  1. Ok, guess it wasn’t quite so easy. My first attempt to log in with an OpenID (my Gmail account) produced a “500 – Internal server error”. Shame — any tips from someone who has been able to install the OpenID plugin successfully on a WordPress blog running on a Windows Server are most welcome!

  2. Implementing OpenID login got more and more complicated as I looked further into this. Currently I am getting a “certificate verify failed” error when trying to log in using my Gmail ID. I have tried the tips that are available in the FAQ page (here: http://wordpress.org/extend/plugins/openid/faq/). The plugin seems to rely on the secure SSL transaction protocol, and this is apparently connected to the CA (certificate authority) verification about my identity. Getting a commercial, domain-level CA certificate appears to cost a few hundred euros per year (Verisign’s one year SSL secure site offer is $399 per year). Even while I like OpenID, I am not ready to pay those sums just for increased ease of login options. The plugin FAQ page nevertheless confirms: “Be aware that you will almost certainly have trouble with this if you are not using a certificate purchased from a well-known certificate authority.”

  3. A commercial SSL cert is only necessary if you want to use SSL with the built-in OpenID provider. For example, if I wanted to use https://willnorris.com/ as my OpenID instead of just http://willnorris.com/. It is not necessary for consumer HTTPS OpenIDs. What **does** affect this, however, is the CA cert bundle on your server (the second FAQ item).

    All that being said, it does look like there is either something set up weird on your server, or a bug in the OpenID plugin… I keep getting an OpenID log message displayed when I submit this comment form.

  4. Thanks Will, I appreciate the comment. I will continue to debug this setup when I again have more time on my hands. My gut reaction is that this must be yet another issue where the Windows Server 2008 environment is not completely similar to e.g. Linux, which appears to be much more common as the development and production environment of WordPress blogs. But then again, this might be related to something else. I did put the error reporting to “detailed” mode in IIS7, and it continues to display this when I try to log in using my Gmail ID:

    Got no response code when fetching https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
    CURL error (60): SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

  5. This error continues to bug me. I now even went out and bought a commercial SSL certificate for the unet.fi domain (hopefully it will be useful also on some other occasion), installed it on the IIS7 web server, all seems to be fine now and SSL/HTTPS communications enabled through the firewall (port 443 forward set), but no. The same “certificate verify failed” error persists. It now seems likely I need to dig deeper into how cURL has been implemented in Windows Server 2008/IIS7/PHP5. I did find this page of instructions (http://www.vividreflection.com/blog/secret-to-curl-in-php-on-windows/ ), but unfortunately the cURL archives it links to do not seem to hold any “curl-ca-bundle.crt” file any more, so that set of instructions does not work. The OpenID plugin page reports that its status is OK:

    [INFO] PHP version: 5.3.0
    [INFO] PHP memory limit: 128M
    [INFO] Include Path:
    C:\inetpub\wwwroot\fransblog\wp-admin
    [INFO] WordPress version: 2.8.4
    [INFO] PHP OpenID Library Version: 2.1.2
    [INFO] MySQL version: mysqlnd 5.0.5-dev - 081106 - $Revision: 1.3.2.27 $
    [INFO] WordPress' table prefix: wp_
    [OK] Curl Support: Version 7.19.4. SSL: OpenSSL/0.9.8k. zlib: 1.2.3. Supports: tftp, ftp, telnet, dict, ldap, http, file, https, ftps, scp, sftp.
    [OK] Big Integer support: GMP is installed.
    [INFO] Plugin Revision: 519
    [INFO] Plugin Database Revision: 24426
    [INFO] XRDS-Simple: XRDS-Simple plugin is installed.
    [OK] Overall Plugin Status

  6. Unfortunately I could not get the OpenID plugin to work with my site. I tried to hack cURL and play with various DLL files and CA certificate bundles to get the OpenID authentication to work, but it just did not happen. Also, while testing the SSL functionality I installed the “Admin SSL” plugin, but that would put my WordPress login screen into an infinite loop — nasty! From my perspective, it looks like there are still a couple of things to sort out before the authentication technologies really have the “out of the box” level of reliability that would appeal to a regular user. Sad, but that is really the case for me at least, at the moment.
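
The diagnosis suggested in comment 3 (the CA bundle on the server, not the site's own certificate), as an added example that is not from the post, the commenters or the OpenID plugin: a PHP script that checks a PEM CA bundle offline and then repeats the failing HTTPS fetch with certificate verification left on. The bundle path and URL are command-line arguments you supply, the script name is hypothetical, and PHP's openssl and curl extensions are assumed to be loaded.

```php
<?php
// Added example (not plugin code). Usage: php ca_check.php <bundle.pem> <https-url>

// Offline check of a PEM CA bundle; returns a list of problems (empty = usable).
function check_ca_bundle($path)
{
    if (!is_file($path) || !is_readable($path)) {
        return array("bundle not found or not readable: $path");
    }
    $re = '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s';
    $n = preg_match_all($re, file_get_contents($path), $m);
    if (!$n) {
        return array("no PEM certificates in $path");
    }
    $problems = array();
    $live = 0;
    foreach ($m[0] as $i => $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            $problems[] = "entry #$i does not parse as X.509";
        } elseif ($info['validTo_time_t'] >= time()) {
            $live++;
        }
    }
    if ($live === 0) {
        $problems[] = "no unexpired certificate among $n entries";
    }
    return $problems;
}

// Fetch $url with verification ON, trusting only the CAs in $bundle.
function fetch_verified($url, $bundle)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_NOBODY, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, $bundle);
    curl_exec($ch);
    $errno = curl_errno($ch);
    return $errno === 0
        ? 'OK: chain verified, HTTP ' . curl_getinfo($ch, CURLINFO_HTTP_CODE)
        : "cURL error ($errno): " . curl_error($ch); // 60 = CA verification failed
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $problems = check_ca_bundle($argv[1]);
    echo $problems ? implode("\n", $problems) : fetch_verified($argv[2], $argv[1]), "\n";
}
```

If the fetch succeeds with an explicit bundle but the plugin still reports error 60, the PHP cURL build is not finding any CA bundle by default, which matches the symptom in comments 4 and 5.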
