Adding OpenID is easier than you think

by Michael McClenaghan 2007-06-28


I just got finished adding OpenID to my sideline application. Truth be told, I'd been putting this off for a month or so because I figured that it would be a real pain. But after a couple of hours I was pretty much complete and at the point where I started to goldplate.

The first step was to install the RESTful OpenID Authentication plugin. For Piston users, that's as simple as typing the following:

[code]piston import http://svn.eastmedia.com/svn/bantay/plugins/trunk/restful_open_id_authentication vendor/plugins/restful_open_id_authentication[/code]

For non-Piston folks (why aren't you using Piston?), just install the plugin like normal:

[code]./script/plugin install http://svn.eastmedia.com/svn/bantay/plugins/trunk/restful_open_id_authentication[/code]

Once you've got that installed, all you need to do is run the generator and add a few routes to your routes.rb. Give the README a quick glance to get the details for these steps.

One of the first things that I noticed about the generated code is that it's definitely designed for a site that uses its own authentication system in addition to OpenID. Since all I want to do is use OpenID, I started getting rid of all the extra code.

That's when I remembered the RESTful part of the plugin's name and wondered "how do they do an authentication when the app's API is called via XML?". That is, what happens if there isn't a nice login screen that will redirect to an OpenID provider and supply me with a lightweight authentication? The answer, of course, is obvious: I have to roll my own authentication. That means that all the code that I just removed will be needed again if I want to authenticate non-HTML requests.

While I don't like the idea of a dual-authentication system, it seems pretty common out there. For example, Google authenticates your requests with an API key even though you already have a username and password with them. I suppose that what I'll end up doing is having existing users register for a username/password if they want API access. That means that most users will only ever need the OpenID authentication, and the username/password will be reserved strictly for the API.
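Here is what that split looks like as a single authentication check, written as an added, framework-free Ruby sketch rather than the plugin's generated code: HTML requests are trusted only if the OpenID callback already put an identity URL in the session, while XML requests must carry HTTP Basic credentials that the user registered specifically for the API. The user table, the `identity_url` session key and the `api_login`/`api_digest` fields are constructed for the example.

```ruby
require 'base64'
require 'digest'

# Constructed sample user table (not the plugin's schema). Every user is keyed
# by the OpenID identity URL they log in with; only users who registered for
# API access also carry an API login and a salted password digest.
def api_digest(salt, password)
  Digest::SHA256.hexdigest(salt + password)
end

USERS = {
  'https://alice.example.com/' => { id: 1 },
  'https://bob.example.com/'   => { id: 2, api_login: 'bob', api_salt: 'c0ffee',
                                    api_digest: api_digest('c0ffee', 'correct horse') }
}

# Constant-time comparison so a wrong password does not leak how many
# leading bytes of the digest matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A request is its format (:html or :xml), the session hash the OpenID
# callback filled in, and the HTTP headers.
Request = Struct.new(:format, :session, :headers)

CHALLENGE = [:unauthorized, 'Basic realm="API"'].freeze

# Plays the role of a before_filter: returns [:ok, user_id] when the request is
# authenticated, [:redirect, path] to start the OpenID login for a browser, or
# [:unauthorized, www_authenticate] for API callers with bad or no credentials.
def authenticate(req)
  case req.format
  when :html
    # Browser traffic: the only accepted proof is the OpenID-established session.
    user = USERS[req.session[:identity_url]]
    user ? [:ok, user[:id]] : [:redirect, '/session/new']
  when :xml
    # API traffic cannot follow the OpenID redirect dance, so it must present
    # the separate API username/password over HTTP Basic.
    auth = req.headers['Authorization'].to_s
    return CHALLENGE unless auth.start_with?('Basic ')
    login, password = Base64.decode64(auth[6..-1]).split(':', 2)
    user = USERS.values.find { |u| u[:api_login] == login }
    return CHALLENGE unless user && password
    secure_equal?(api_digest(user[:api_salt], password), user[:api_digest]) ? [:ok, user[:id]] : CHALLENGE
  else
    CHALLENGE
  end
end
```

Note that Alice, who never registered API credentials, is rejected on the XML path even though she can log in to the site with her OpenID.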

If you haven't tried OpenID (or created your own account), I highly recommend that you do it. And I'm not alone - 37 Signals just put up a special page to explain why OpenID is a good thing. Check it out!

I'll post some follow-up info on the goldplating that I did to customize the forms and take advantage of something called the Simple Registration Extension.
