help-gsasl
SMTP authentication using OpenID


From: Simon Josefsson
Subject: SMTP authentication using OpenID
Date: Wed, 28 Mar 2012 20:46:07 +0200
User-agent: Gnus/5.130004 (Ma Gnus v0.4) Emacs/24.0.94 (gnu/linux)

The OPENID20 mechanism [1] allows you to authenticate against
SMTP/IMAP/XMPP/etc servers using OpenID in your web-browser.  Version
1.7.2 of GNU SASL has a (hopefully) complete implementation, and it is
now ready for wider testing.  There is documentation in the manual:

https://www.gnu.org/software/gsasl/manual/gsasl.html#OPENID20

To simplify testing, I have set up an SMTP interop server (see [2]) that
supports OpenID on the server side.  The code for it is available here:

http://git.savannah.gnu.org/cgit/gsasl.git/tree/examples/openid20

See in particular the README:

http://git.savannah.gnu.org/cgit/gsasl.git/tree/examples/openid20/README

The client side of the OpenID SASL mechanism is trivial: basically send
your OpenID URL, get a redirect URL back and invoke that URL in the
users browser, and let the user finish authentication in the browser.
Once complete, the SASL server will let you in.

To test it, download and build gsasl-1.7.2:

address@hidden:~$ wget ftp://alpha.gnu.org/gnu/gsasl/gsasl-1.7.2.tar.gz
...
address@hidden:~$ tar xfz gsasl-1.7.2.tar.gz 
address@hidden:~$ cd gsasl-1.7.2/
address@hidden:~/gsasl-1.7.2$ ./configure
...
address@hidden:~/gsasl-1.7.2$ sudo make install
...

Then use the 'gsasl' command line tool to talk with the interop server.
Here I am using my OpenID URL which is 'http://josefsson.org/' but you
can replace it with your own.

address@hidden:~$ gsasl -m OPENID20 -a http://josefsson.org/ --smtp interop.josefsson.org 2000
Trying ‘interop.josefsson.org’...
220 localhost ESMTP GNU SASL smtp-server
EHLO [127.0.0.1]
250-localhost
250 AUTH ANONYMOUS EXTERNAL LOGIN PLAIN SECURID DIGEST-MD5 CRAM-MD5 SCRAM-SHA-1 OPENID20
EHLO [127.0.0.1]
250-localhost
250 AUTH ANONYMOUS EXTERNAL LOGIN PLAIN SECURID DIGEST-MD5 CRAM-MD5 SCRAM-SHA-1 OPENID20
AUTH OPENID20
334 
biwsaHR0cDovL2pvc2Vmc3Nvbi5vcmcv
334 
Proceed to this URL to authenticate using OpenID 2.0:
https://openid.yubico.com/server.php?openid.assoc_handle=%7BHMAC-SHA1%7D%7B4f7359c9%7D%7BjbvpZw%3D%3D%7D&openid.claimed_id=http%3A%2F%2Fjosefsson.org%2F&openid.identity=https%3A%2F%2Fopenid.yubico.com%2Fserver.php%2Fidpage%3Fuser%3Dekhgjhbctrgn&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.realm=http%3A%2F%2Finterop.josefsson.org%2F&openid.return_to=http%3A%2F%2Finterop.josefsson.org%2Fgsasl-openid20-rp.php%2F6c91ca93fc89065f49a68dcca3482c65d9e418c37acfa27fa9fd4c667df197d3%3Fjanrain_nonce%3D2012-03-28T18%253A35%253A48ZxD08RJ&openid.sreg.optional=nickname%2Cfullname%2Cemail
PQ==

Now the server is waiting for you to finish the OpenID authentication.
You do this by opening the URL shown in your web browser and completing
the OpenID login.  In my case, I use Yubico's OpenID server [3] to
authenticate using an OTP dongle, the YubiKey.  Then the server will
realize this and the gsasl output continues:

235 OK [authid: http://josefsson.org/ authzid: N/A]
Client authentication finished (server trusted)...
Enter application data (EOF to finish):

You have logged in to an SMTP server using OpenID authentication!  Type
'QUIT' and hit return to log out.

I have tested this using Feide OpenIdP, myvidoop.com, and
openid.yubico.com.

The client side is trivial, if your application uses GNU SASL you just
add support for the GSASL_OPENID20_AUTHENTICATE_IN_BROWSER callback,
compare line 230+ of the callback used by the 'gsasl' command line tool:

http://git.savannah.gnu.org/cgit/gsasl.git/tree/src/callbacks.c#n230

The server side is trickier to set up because you need to have an OpenID
consumer listening and some IPC to talk to it.  See the example SMTP
server linked to above for an example of how it can be done.

What do you think?  Feedback is welcome.

/Simon

[1] https://tools.ietf.org/html/draft-ietf-kitten-sasl-openid
[2] https://lists.gnu.org/archive/html/help-gsasl/2012-03/msg00002.html
[3] http://www.yubico.com/openid-server
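The exchange the message walks through, as an added example that is not part of the original post or of GNU SASL: a Python client that builds the OPENID20 initial response (the transcript's biwsaHR0cDovL2pvc2Vmc3Nvbi5vcmcv is the base64 of n,,http://josefsson.org/), decodes the server's redirect challenge, checks it before handing it to the user, and sends the mechanism's one-byte "=" reply (PQ== on the wire) that leaves the server waiting for the browser login. The SMTP server it talks to is a constructed stand-in for the interop server's dialogue, and the checks on scheme, realm, return_to and claimed_id are this example's suggestion, not something the message says gsasl enforces.

```python
# Client side of the SASL OPENID20 mechanism as carried over SMTP AUTH.
# Added example, not GNU SASL code: it reproduces the framing of the gsasl
# transcript above and adds checks a client should make on the server's
# redirect URL before opening it in the user's browser. FakeSmtpServer is
# constructed for this example; the redirect URL is the one in the transcript.
import base64
from urllib.parse import parse_qs, urlparse

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# After receiving the redirect URL the client's reply is the single byte "=";
# SMTP AUTH base64-encodes it, which is the "PQ==" seen in the transcript.
EMPTY_RESPONSE = base64.b64encode(b"=").decode()

# Redirect URL from the transcript above (split across lines here only).
TRANSCRIPT_REDIRECT = (
    "https://openid.yubico.com/server.php?openid.assoc_handle=%7BHMAC-SHA1%7D%7B4f7359c9%7D%7BjbvpZw%3D%3D%7D"
    "&openid.claimed_id=http%3A%2F%2Fjosefsson.org%2F"
    "&openid.identity=https%3A%2F%2Fopenid.yubico.com%2Fserver.php%2Fidpage%3Fuser%3Dekhgjhbctrgn"
    "&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1"
    "&openid.realm=http%3A%2F%2Finterop.josefsson.org%2F"
    "&openid.return_to=http%3A%2F%2Finterop.josefsson.org%2Fgsasl-openid20-rp.php%2F"
    "6c91ca93fc89065f49a68dcca3482c65d9e418c37acfa27fa9fd4c667df197d3%3Fjanrain_nonce%3D2012-03-28T18%253A35%253A48ZxD08RJ"
    "&openid.sreg.optional=nickname%2Cfullname%2Cemail"
)


def client_initial_response(openid_url, authzid=""):
    """gs2-header ("n" = no channel binding, then an optional "a=<authzid>")
    plus the OpenID URL, base64-encoded for the AUTH line; "n,," in the transcript."""
    gs2_header = "n,%s," % (("a=" + authzid) if authzid else "")
    return base64.b64encode((gs2_header + openid_url).encode()).decode()


def check_redirect(url, claimed_id, server_host):
    """Sanity-check the decoded redirect URL; return its openid.* parameters.
    The SASL server is the OpenID relying party, so realm and return_to should
    point back at the host we are talking to, and it must be asking the OP about
    the identity we asserted. Checks added for this example; raises ValueError."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("OpenID provider endpoint is not https")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if params.get("openid.ns") != OPENID2_NS:
        raise ValueError("not an OpenID 2.0 request")
    if params.get("openid.mode") != "checkid_setup":
        raise ValueError("unexpected openid.mode %r" % params.get("openid.mode"))
    if params.get("openid.claimed_id") != claimed_id:
        raise ValueError("server substituted a different claimed_id")
    for key in ("openid.realm", "openid.return_to"):
        host = urlparse(params.get(key, "")).hostname
        if host != server_host:
            raise ValueError("%s points at %r, not %r" % (key, host, server_host))
    return params


def redirect_is_acceptable(url, claimed_id, server_host):
    try:
        check_redirect(url, claimed_id, server_host)
        return True
    except ValueError:
        return False


class FakeSmtpServer:
    """Constructed stand-in for the interop server's AUTH OPENID20 dialogue."""

    def __init__(self, redirect_url, browser_login_ok=True):
        self.redirect_url, self.browser_login_ok = redirect_url, browser_login_ok
        self.state, self.claimed_id = "idle", None

    def respond(self, client_line):
        if self.state == "idle" and client_line == "AUTH OPENID20":
            self.state = "want-initial"
            return "334 "
        if self.state == "want-initial":  # "n,<authzid>,<url>" arrives base64-encoded
            _cb, _authzid, self.claimed_id = base64.b64decode(client_line).decode().split(",", 2)
            self.state = "want-empty"
            return "334 " + base64.b64encode(self.redirect_url.encode()).decode()
        if self.state == "want-empty" and client_line == EMPTY_RESPONSE:
            self.state = "done"  # the real server blocks here until the browser login finishes
            if self.browser_login_ok:
                return "235 OK [authid: %s authzid: N/A]" % self.claimed_id
            return "535 OpenID authentication failed"
        return "501 protocol error"


def authenticate(server, openid_url, server_host, open_in_browser=print):
    """Drive the client side of the exchange; return the server's final reply."""
    reply = server.respond("AUTH OPENID20")
    if not reply.startswith("334"):
        raise RuntimeError(reply)
    reply = server.respond(client_initial_response(openid_url))
    if not reply.startswith("334 "):
        raise RuntimeError(reply)
    redirect = base64.b64decode(reply[4:]).decode()
    check_redirect(redirect, openid_url, server_host)  # verify before involving the user
    open_in_browser(redirect)  # the user completes the OpenID login at the OP
    return server.respond(EMPTY_RESPONSE)
```

Run against FakeSmtpServer(TRANSCRIPT_REDIRECT) the client reproduces the transcript's three client lines and gets the 235 reply back; swap in a redirect whose claimed_id or realm does not match and check_redirect refuses before the URL ever reaches the browser, which is the point where a misbehaving or impersonated server would otherwise get the user to log in on its behalf.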


