
Category Archives: Flex OpenID Rails

OpenID allows you to exchange profile data when authenticating. You may require the user to send an email, nickname, fullname, dob, gender, country, etc. In my attempt to exchange a nickname and email I changed the open_id_consumer requirements to

open_id_consumer :required => [:email, :nickname, :fullname], :optional => [:dob, :gender, :country]

For whatever reason, I had to include an additional attribute, such as (‘fullname’), in order for the open_id_consumer to request an email and nickname when authenticating on the open_id server. When I required just the email and nickname, the open_id server dropped my request for a nickname.

I added additional logic in the flex app and within the rails backend to process profile data. 

In addition to OpenID, we’d obviously like to let users log in with conventional usernames and passwords. I found a Rails backend authentication plugin at http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated. It is really easy to install and use. Now for the Flex side. I chose to create a login button that pops up a TitleWindow which contains a text input box for a username and password. I also added an event listener on the password text input box and another event listener on the submit button so that the user could either type in their username and password followed by pressing the Enter key or click on the submit button. Both event listeners will fire off an HTTP service request to authenticate with the Rails backend. I had to modify the Rails plugin’s login action to return XML data representing the result of the authentication attempt. The HTTP service request result handler will parse the XML to complete the authentication.

There is a great article out there that integrates the OpenID plugin and authentication plugin: http://www.bencurtis.com/archives/2007/03/rails-openid-and-acts-as-authenticated/ I have yet to do this; both plugins are running in separate controllers.

I wonder if there is a way to encrypt the username and password in AS3? It would be nice if I could authenticate without sending the data in clear text. 

In addition, my implementation of OpenID with Flex requires that on load the Flex application sends an HTTP service request to the backend querying whether or not the OpenID authentication attempt succeeded. If we put our hacker hats on, as my teacher likes to say, we could inject an HTTP packet into the Flex application, tricking the Flex app into thinking it really authenticated with the backend. How can we defend against this? 1) We could use a salt value when attempting to authenticate. 2) Use SSL when authenticating. These precautions probably won’t stop the attacker but they can certainly slow him/her down.

So the solution I got working involved embedding the flex application into a rails view. I simply inserted the necessary code to display the flex app into the view along with an open_id form. The open_id form contained a single text input type. The form is used to facilitate open_id authentication.

Sequence of events: The Flex application starts to load; on load completion the app fires an HTTP service request to check whether or not the session has been authenticated. If not, the user may type an open_id_uri into a Flex text input box; an event handler invokes the Flex Ajax Bridge to populate the form behind the Flex application with the open_id_uri and submits the form. The Rails open_id consumer will process the request for authentication through redirects (if necessary). Once authenticated, a session value is created to indicate that the open_id_uri was authenticated and the Flex application is loaded yet again. This time, when the app finishes loading and calls the authentication HTTP service request, it returns true and the Flex app changes state to authenticated.

 Logging out should be pretty simple. Create a http service request that resets the session. Don’t forget to change the flex state.

I should be able to finish the iframe solution this weekend and maybe the popup solution if I can get some JS help.

It’s been a few days since I wrote anything. I’m probably going to forget some details.

So as it turns out, I grabbed the wrong rails openid consumer plugin. The correct plugin can be found at http://identity.eastmedia.com/identity/show/Consumer+Plugin. The site also has a rails openid server.

I ran into issues trying to populate form data in a dynamically created window. The intended functionality was to have Flex open a new window with a text input form box. The text input form box was to be populated by Flex and then submitted to the Rails backend consumer for processing. The idea here was to keep the Flex app still while having the new window do the required redirects for authentication. After authentication, the window was supposed to send session data back to the awaiting Flex application.

 I couldn’t populate the value of open_id_uri because I am an idiot

var newWin = window.open('/open_id/index', . . . . )

function callByFlex(flex_open_id_url){
     newWin.document.getElementById("openid_url_id").value = flex_open_id_url
}

html:

<input type="text" id="openid_url_id" name="openid_url" style="width: 200px" value="" />

For whatever reason, newWin.document.getElementById("openid_url_id") returned null

I don’t remember if I created the window within callByFlex() because if that were the case, then it would make sense that the form wasn’t populated. The window probably didn’t get loaded before the next line of code got executed. One way to fix this would probably be to have a separate handler to open the window, and then have a JS event “onload” to make an ajax call to Flex to extract the openID_uri. This seems like a lot of overhead just to send an openID_uri.

Nevertheless, I’ll try it.

I came up with another idea: why not just embed the Flex app right into the Rails-rendered HTML, so basically inject the JS and SWF files into the view of controlled actions. This seemed to work fairly well because I could render the session into the view of the controlled action and use the Ajax bridge to extract the session as soon as the Flex app finished loading. There are, however, drawbacks. First, if authenticating with OpenID, the window will redirect and the Flex app will have to reload. Second, after authentication, the Flex app will have to do an extra HTTP service call to the Rails backend to verify the authentication. I have yet to implement the extra HTTP service call to the Rails backend to verify the authentication.

Do I need to insert a salt value on the authentication verification?  
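An added example, not code from the original posts or from either plugin: it models the spoofed-status concern raised earlier and the extra verification call described here, showing that a forged "authenticated" reply only changes the Flex UI state as long as every protected backend action checks the server-side session itself. `Backend`, `FlexClient` and all method names are hypothetical stand-ins for the Rails controllers and the Flex app.

```ruby
require "cgi"
require "securerandom"

# Constructed stand-in for the Rails backend; names are hypothetical.
class Backend
  def initialize
    @sessions = {} # session id => { open_id: "..." }, kept server-side only
  end

  # Called only after the OpenID consumer has finished verifying the identity.
  def complete_open_id(open_id_uri)
    sid = SecureRandom.hex(16) # unguessable session identifier
    @sessions[sid] = { open_id: open_id_uri }
    sid
  end

  # What the Flex app polls on load. It is a UI hint, not an authorization.
  def auth_status(sid)
    "<auth><authenticated>#{@sessions.key?(sid)}</authenticated></auth>"
  end

  # Every protected action repeats the session check on the server.
  def profile(sid)
    session = @sessions[sid]
    return [401, "<error>login required</error>"] unless session
    [200, "<profile><open_id>#{CGI.escapeHTML(session[:open_id])}</open_id></profile>"]
  end

  # Logging out resets the server-side session.
  def logout(sid)
    @sessions.delete(sid)
    nil
  end
end

# Constructed stand-in for the Flex client, which trusts whatever XML arrives.
class FlexClient
  attr_reader :state

  def initialize
    @state = :anonymous
  end

  def handle_status(xml)
    authenticated = xml.include?("<authenticated>true</authenticated>")
    @state = authenticated ? :authenticated : :anonymous
  end
end
```

Serving the session cookie and the status call over SSL is what keeps the session identifier itself from being read or replaced in transit.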

Day 2: Initially I was going to try to manage iframes with JS to allow the redirections for OpenID to occur. However, in experimenting with iframes I quickly found out that IE7 completely jacks up iframes. New plan! My new plan is to use JS to open a new window and authenticate through the popup and pass authentication back through Flex’s Ajax bridge. Flex’s Ajax bridge will allow me to communicate with the Flex application through JS and vice versa. It’s pretty cool stuff. Check it out: Flex Ajax Bridge

Complication: I’ve been trying to use Rails’ OpenID plugin but keep on running into this stupid error:

/usr/lib/ruby/gems/1.8/gems/actionpack-1.13.2/lib/action_controller/cgi_process.rb:139:in `method_missing'
#{RAILS_ROOT}/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb:133:in `open_id_redirect_url'
#{RAILS_ROOT}/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb:92:in `begin_open_id_authentication'
#{RAILS_ROOT}/vendor/plugins/open_id_authentication/lib/open_id_authentication.rb:76:in `authenticate_with_open_id'
#{RAILS_ROOT}/app/controllers/session_controller.rb:29:in `open_id_authentication'
#{RAILS_ROOT}/app/controllers/session_controller.rb:12:in `create'
/usr/bin/mongrel_rails:16

I am sure it’s something stupid; hopefully it won’t take too long to figure out.

I start my quest to integrate OpenID into a Flex application powered in the backend by Rails. I have the slightest clue as to how, but with google behind me, I am sure it can be done.

What is OpenID? In a nutshell, it’s a way for users to authenticate themselves to websites using a URL. This ingenious concept will help alleviate the need for users to memorize dozens of user names and passwords for various websites. Check wiki’s definition: OpenID

What is Flex? Flex is an RIA (Rich Internet Application) building framework developed by those crazy guys at Adobe. RIAs are the future of the internet. I can’t believe how many web pages out there are still being built in HTML. Check out what Flex can do for you: Flex Restaurant Finder (you will need Flash 9 player)

What is Rails? Rails is a web framework built on top of a sexy, purely object-oriented language. You can literally build a web application in Rails in less than 15 minutes. It follows the MVC (model view controller) design to keep things clean. Check this craziness out: Build Rails Blog

Current Issues:

How do you allow HTTP redirects within a Flex application without losing state? Maybe use JavaScript to do the redirect and then use the Flex/JS bridge to send control data back to the Flex application. Is this even possible? I hope so.