Passage is an OpenID provider, which can serve several goals:
- Personal, tiny-smart-hackable, OpenID provider.
- OpenID provider test server.
Here are some scenarios that Passage might help you with:
- You have an internal / sandboxed / restricted environment, as a test server
- You don’t really care about providing your real ID to a web site.
- You wish to remain completely anonymous.
- You wish to implement your own authentication strategy (fingerprint, cell call)
- You wish to have full control over your identity and registration details
- You want several identities
- .. The list goes on..
Quick Start
Passage can be used either as a gem or as a deployable web (Rack) app.
As a personal gem:
$ gem install passage
$ passage --ids myids.yml --auth pass_through
Or deploy it:
$ git clone https://github.com/jondot/passage
$ export PSG_IDS_FILE=myids.yml
$ cd passage
$ rackup
That's it!
As you may have noticed, you specified an identities file and an authentication strategy. Passage will load your identities from the file, auto-discover all of your authentication strategies, and load the one you selected. Let's discuss these quickly:
Your identities (identities.yml)
$ cat identities.yml.example
'http://localhost:9292/ids/foo':
  email: foo@foo.org
'http://77.127.240.49:9292/ids/foo':
  email: foo@foo.org
'http://77.124.212.222:4567/ids/pookie':
  email: goo@goo.org
!ruby/regexp /http:\/\/localhost:4567\/ids\/(.*)/:
  email: '#{$1}@foo.org'
  nickname: '#{$1}'
This is a basic YAML file with a twist: the line starting with !ruby/regexp is a proper regular expression with a capture group. The OpenID SReg fields following it (email, nickname) use the capture group to derive their own values without your intervention. You can identify these as plain Ruby interpolated strings.
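One way to load such a file and resolve a claimed identity against it, as an added example that is not Passage's own code: `load_identities`, `resolve_identity`, `PAGE_RULE` and the sample file are hypothetical names and constructed data. It permits only Regexp when parsing the YAML, anchors the rule so the whole URL must match, and fills in the captures textually instead of evaluating the string.

```ruby
require "yaml"

# Constructed identities file in the page's format. The regex rule is anchored
# with \A...\z and its capture limited to [a-z0-9_]; that tightening is an
# addition here, the page's own rule is unanchored with (.*).
IDENTITIES_YAML = <<~'YAML'
  'http://localhost:9292/ids/foo':
    email: foo@foo.org
  !ruby/regexp /\Ahttp:\/\/localhost:4567\/ids\/([a-z0-9_]+)\z/:
    email: '#{$1}@foo.org'
    nickname: '#{$1}'
YAML

# The rule exactly as written on the page, kept for comparison.
PAGE_RULE = /http:\/\/localhost:4567\/ids\/(.*)/

# Allow Regexp in addition to the safe defaults, so loading the file cannot
# instantiate arbitrary Ruby objects.
def load_identities(text)
  YAML.safe_load(text, permitted_classes: [Regexp])
end

# Hypothetical resolver (not Passage's code): returns the SReg fields for a
# claimed identity URL, or nil when no fixed identity or regex rule matches.
def resolve_identity(identities, claimed_id)
  return identities[claimed_id] if identities.key?(claimed_id)

  identities.each do |rule, fields|
    next unless rule.is_a?(Regexp)
    match = rule.match(claimed_id)
    next unless match
    # Fill in "#{$N}" placeholders textually instead of eval'ing the template.
    filled = fields.transform_values do |template|
      template.gsub(/#\{\$(\d+)\}/) { match[Regexp.last_match(1).to_i].to_s }
    end
    return filled
  end
  nil
end
```

Ruby's `^` and `$` match at line boundaries, which is why the rule uses `\A` and `\z`; a URL on another host that merely contains the localhost string matches `PAGE_RULE` when it is applied as a plain search, but not the anchored rule.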
Authentication Strategies
The auth folder holds authentication strategies. An authentication strategy answers to the following:
If you’d want to make your own authentication strategy, a good starting point will be to copy-paste an existing one and tweak it to your use.
Authentication strategies are auto-discovered, so just drop your folder in /auth, and configure your selected one via configuration.
An example authentication strategy would be one that presents a user/password form and stores credentials in the DB. If you think about it, that will “upgrade” your Passage instance from a personal to a full-fledged OpenID server.
Here is a description of the existing authentication strategies:
- pass_through - Lets authentication always pass. No need for any credentials or so.
- pass_phrase - Authentication will pass only if a proper pass phrase was specified.
As a Personal OpenID Provider
You can have your fixed identities at your domain, or even throw-away identities.
To set fixed identities in your domain, simply code them up in your identities.yml file and let passage know about it.
Using throw-away identities can maximize your anonymity around the Web. To have throw-away identities you can specify any identity you wish in your identities.yml manually, or specify a smart rule as a regex identity:
This will let you specify any user you wish to make up, at your domain.
As an OpenID Test Server
Passage is great (and being used internally) for integration tests against OpenID consumers (relying parties). Through Passage’s identity configuration system, you can load up fixed identities per test scenario, or you can load identities which follow certain rules (with regex-enabled identities).
As an example, you can store as fixed identities in your dev environment:
Or, you can store the following if you have many dynamic users:
This makes use of regex-enabled identities, in which you specify a regex as the user identifier, and any SReg property can make use of the captures that were made.
Conclusion
Passage aims to be a tiny but smart OpenID provider – one that you can easily tweak and customize.
I’m using Passage mainly to stub out a provider in automated GUI tests, while in some projects I have to mimic a different OpenID provider behavior. I must say Ruby is a huge enabler of giving me the ability to make quick changes and go on with my main goals.
