Nov 29, 2005
Introduction
This article releases code and documents a working mIDm application. The attached file, new_login.cgi, can both accept mIDm logins and can act as an identity server for people wishing to use mIDm.
As a reminder, here, basically, is how mIDm works:
- A user tries to access a page on a service to which a login is required.
- The service obtains the user's mIDm server location from the user's browser header
- The service redirects the user to the user's mIDm server along with a secret code
- The user logs on to the mIDm server (typically using cookies) and stores the secret code on the mIDm server
- The mIDm server returns the user to the service
- The service then independently checks the mIDm server to see whether the code has been stored
- The mIDm server returns the code and requested user information to the service
- On receiving the code, the service is satisfied, and proceeds to log in the user
I'd like to say this is simple, but it isn't really, though this is probably as simple as it gets.
Trying Out mIDm
If you would like to try it out, the easiest way is to create an account, obtain an mIDm server location, install it in your browser, then access a new site.
- Create an account
An mIDm server has been set up here: Downes.ca.
If you already have an account on downes.ca, go to the Options page (you may be prompted to login first). You will find your mIDm address at the bottom of the page.
Otherwise, register as a new user. The website will send you an email telling you the address of your mIDm server. - Store your mIDm server location.
There is still no easy way to put your mIDm server location in your browser header (to see how it is done, click here and follow the instructions). - Access another website
Nothing to it. Point your browser to NewsTrolls (this site is used because it is completely separate from my own website) and watch as the website automatically logs you in.
Installing mIDm
If you have tested mIDm and found that it actually works for you (hey, this is development software!) you may want to install it on your own site. mIDm is designed to be relatively simple to install, however, it still requires a bit of skill. Essentially, you need to: get a website that supports Perl, find or set up a MySQL server (to hold user identities), run some SQL on the MySQL server, edit and store a configuration file on your server, store the mIDm script on your server.
- Get a website that supports Perl
Most web servers support Perl. mIDm was built on a Linux system with an Apache server; other systems should work, but no guarantees. mIDm requires the following Perl modules to run: CGI, Apache::DBI, XML::LibXML and LWP::Simple. These are very basic Perl modules, and if your site has Perl, it should have these. If not, you will need to install them (or have your server administrator install them).
I have deliberately kept the use of modules to a minimum. There is nothing more frustrating than trying to run scripts that fail because they require obscure Perl modules. - Find or set up a MySQL server
You can obtain MySQL here. But it is a lot easier if you can access an existing MySQL installation that you can use. Most ISPs provide MySQL as part of their basic package. If you can, create a new database on MySQL (call it whatever you want; just remember what you call it). Or you can even use an existing database, provided it does not already have the following tables: person, subscription, template. Anyhow, however you do it, you will need the MySQL address (or 'localhost', if it's on the same machine as your script), database name, database user, and database password. - Run some SQL on the MySQL server
You need to run this SQL in order to create the tables used by mIDm. Strictly speaking, you only need the 'person' table, but the script I will be providing also manages email subscriptions and so running the rest will prevent any errors (the email subscriptions are a bonus; they are not really part of mIDm).
Here is the SQL you need to run: midm.sql - save it and run it as a file, or copy it and paste it into (say) phpMyAdmin. - Edit and store a configuration file on your server
Get a typical configuration file here. Open this file in your editor. It is pretty self-explanatory. The important things to change are the database variables (db_name, db_host, db_user, db_pass) that you obtained from the installation of MySQL. You will need to set your cookie host (co_host) properly as well - it should be your website URL, without the 'www' (for example, on my site, I have set this to: downes.ca ). If you want your site to send mail properly, make sure em_smtp points to your email program (I point to sendmail, but many sites point to, say, /usr/bin/sendmail ).
Once you've edited your configuration file, save it as: midm.conf and store it on your server. By default, this file goes into the same directory as your mIDm script (usually the document root, so site cookies work everywhere on your site) but you can put it anywhere you want (like, say, a secure directory), so long as you edit the mIDm script to point to the correct location. - Store the mIDm script on your server
This script should run out of the box. Place it on your server and chmod it (775) to allow the server to execute it as a script. Typically, you would place it in your document root (the same place your home page is located). If it doesn't run, make sure that the first line ( #!/usr/bin/perl ) points to the correct location of Perl on your system. To try it out, point your browser to new_login.cgi (if your website is http://www.mysite.com then mIDm will be at http://www.mysite.com/new_login.cgi ).
An administrator account has already been set up in the SQL. UserID: admin password: admin The first thing you should do is log on as admin and change the password.
Using mIDm
Once you've installed (and presumably tested) mIDm you'll find you can't do much with it other than manage user IDs. If you are simply using it as an identity server, that's all you have to do. But if you want your website applications to support mIDm, then you'll need to incorporate the mIDm login system into the applications.
My scripts use a function called get_person() to do this. Basically, get_person() checks the user cookies to see whether the person is logged in. If the person is logged in, it checks the login against the database information. If any of this fails, the person is redirected to the login script. If the login succeeds, then the user information is placed into the 'person' hash (for example, the user's name is found in $person->{person_name}.
If you use Perl scripts, you can use mIDm as a login very simply. Obtain get_person.pl and edit it so that it points to your login script location. Then store get_person.pl in the same directory as your Perl scripts. Then, at the top of your Perl script, place the following lines:
require "get_person.pl";
our $Site = {}; bless $Site;
&get_site($Site,"cgi-bin/data/midm.conf");
my $dbh = &db_open("DBI:mysql:$Site->{db_name}:$Site->{db_host}",$Site->{db_user},$Site->{db_pass}) or die "Database connect error: $!";
my $query = new CGI;
our $person = &get_person($dbh,$query);
This will verify the user, send the user to a login script if the logon fails, and provide you with user data if the login succeeds.
After that, use the user information the way you would normally.
mIDm and OpenID
You may have seen LiveJournal's elegant OpenID system. It is a system that works on some very similar principles. However, it does not support the placement of the mIDm server location in the browser header, and it passes information differently.
It is my intent to make OpenID and mIDm compatible. This is an ongoing project.
For an Open ID system to work, it has to be drop dead simple to install, and that is my first priority with mIDm.
Future Work - What You Can Do
This release completes my basic development of mIDm. From this point forward, work will proceed in three major directions (hint: these are things you can do):
- Upgrades - I won't promise that mIDm is hack-proof, but it's not bad. Even so, some tweaks may be necessary to make it less of a tempting target. Releases will be announced on the main mIDm page.
- Browser Plugins - still some work to do here.
- Server Plugins - a system like mIDm won't work unless there are widely available plugins for popular content management systems such as Drupal or Wordpress. This is also future work.
Finally - the question needs to be asked: will the world one day use mIDm?
Probably not. What I have offered here is first and foremost a demonstration system, intended to illustrate the concept through code. But I'm not trying to make a business or enterprise out of it.
Here's what will happen, though. Something like mIDm will be widely adopted. It will be adopted because it's robust enough to work, simple enough to be widely accepted, and distributed enough to satisfy user concerns about security and privacy.
I will try to keep mIDm consistent with such developments (hence my ongoing efforts to align with OpenID) and to, in my own way, point the way forward for such initiatives.
