Down and dirty with OpenID

I’ve spent the last few hours (after getting home from a swift pint in the pub admittedly) having one of those satisfying coding experiences where the dots just start joining up… I took the very nicely written OpenID Enabled PHP library and bolted it on to the authentication routines for PROD.

The technical principles behind OpenID are simple enough: the user tells your application their openid URL, the app asks the relevant provider if everything is ok, the provider comes back and tells the app a whole bunch of stuff saying that the user is kosher (or halal or whatever it says in their profile).

The latest version of the toolkit made this a breeze – coming as it does with working examples and very well documented code. Most of the work was putting in a few new hooks in my authentication script to catch both ends of the transaction, copying and pasting some code from the example scripts to create the consumer object and set it flying and finally catching the response at the end and telling my application that the user is now logged in.
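As an added example (not the author’s hooks and not the library’s own sample scripts), here are the two ends of the transaction just described, written against the OpenID Enabled PHP library’s consumer API; the store path, the URLs and the session hand-off at the bottom are assumptions:

```php
<?php
// Two ends of an OpenID 2.0 consumer using the OpenID Enabled (JanRain) PHP library.
// Store path, trust root, return URL and the final session hand-off are placeholders.
require_once 'Auth/OpenID/Consumer.php';
require_once 'Auth/OpenID/FileStore.php';

define( 'OPENID_STORE_PATH', '/var/lib/openid-store' );  // writable, outside the web root
define( 'OPENID_TRUST_ROOT', 'https://app.example.org/' );
define( 'OPENID_RETURN_TO',  'https://app.example.org/auth.php?openid_return=1' );

function openid_consumer() {
    // The store keeps associations and nonces; the consumer keeps request state in $_SESSION.
    return new Auth_OpenID_Consumer( new Auth_OpenID_FileStore( OPENID_STORE_PATH ) );
}

// End one: the user typed an identifier; discover the provider and send the browser there.
function openid_begin( $identifier ) {
    $auth_request = openid_consumer()->begin( $identifier );
    if ( ! $auth_request ) {
        throw new RuntimeException( 'Not a valid OpenID identifier, or discovery failed.' );
    }
    header( 'Location: ' . $auth_request->redirectURL( OPENID_TRUST_ROOT, OPENID_RETURN_TO ) );
    exit;
}

// End two: the provider redirected the user back; verify the signed response.
function openid_complete() {
    // complete() checks the signature against the association (or by direct verification
    // with the provider) and that return_to matches this URL. Identity fields must come
    // from the verified response object, never straight from $_GET.
    $response = openid_consumer()->complete( OPENID_RETURN_TO );
    switch ( $response->status ) {
        case Auth_OpenID_SUCCESS:
            return $response->identity_url;   // verified, normalised identifier: use as the account key
        case Auth_OpenID_CANCEL:
            throw new RuntimeException( 'Verification cancelled by the user.' );
        default:                              // Auth_OpenID_FAILURE (or SETUP_NEEDED)
            throw new RuntimeException( 'OpenID verification failed: ' . $response->message );
    }
}

// Dispatch: the return leg arrives with ?openid_return=1, the first leg as a form POST.
session_start();
if ( isset( $_GET['openid_return'] ) ) {
    $_SESSION['openid_user'] = openid_complete();   // hand off to the app's own login routine
} elseif ( isset( $_POST['openid_identifier'] ) ) {
    openid_begin( $_POST['openid_identifier'] );
}
```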

As with most quick work there is still quite a bit of tidying up to do – particularly around how I associate existing users in the LDAP directory with their OpenIDs… At the moment I’m just not bothering. Useful error messages would probably be a good idea too! Testing it with a few different providers is also a must.

One gotcha I discovered was that at some point the exact recipe for doing Delegation must have changed and that the library is more fussy about this than other implementations I’ve seen and used. When testing using my own domain’s delegation which I’ve had set up for years it was consistently failing. This is not good news as there are probably thousands of people who still have it set up exactly as I did…

Another (Ubuntu specific) issue was that it was failing to authenticate against yahoo’s service because I was missing some bits of openssl… This was fixed with a quick sudo apt-get install openssl ca-certificates

Now I’ve had a few brushes in recent months with OpenID mainly around the web provision for the XCRI project – where we got OpenID working across WordPress, Mediawiki, and (through some rather cheap hacking) BBpress. It was however reliant on plugins for said apps and never really a very satisfactory experience – generating a long string of complaints from users getting very variable results depending on which provider they were using. Upgrading any particular component of the site seemed to just lead to more chaos.

Sadly I think that these variable experiences do rather detract from the potential that OpenID has to help us all better manage our online identities. That and the insistence of so many “providers” like Yahoo! and WordPress.com that they are just that, providers and not consumers. I’ve already got about 6 OpenIDs on the go without really realising – useful for testing but the exact opposite of the single authentication service goal. Tsk tsk.

Anyway… Now that I’ve actually tackled the problem at a slightly deeper level I’m feeling confident that over time we can not only iron out XCRI’s woes but also introduce OpenID across the JISC CETIS (and IEC) services in a reasonably robust way. The future looks rosy, the sky is blue, thunderclouds? What thunderclouds?

You have permission

The CETIS blogs had a requirement (from day zero) that all the contributors should be able to see each other’s “private” posts. The idea behind this is that blogs can be used for internal reporting and chat within the organisation at the same time as being used for public work.

I had scratched my head and tried a whole range of plugins for wordpress-mu to try and achieve this, however nothing quite did what I needed. The closest was the Role Manager plugin, however it didn’t work with wordpress-mu… and after I had spent a quantity of time trying to get it working I realised that roles were assigned to users on a per-blog basis rather than globally. It’s a shame, as a roles and capabilities based solution had sounded reasonably elegant.

Today I woke up with the resolve that I should just take matters into my own hands and make a small plugin of my own design to force wordpress-mu into doing what I wanted. Well actually I started with a direct hack on the source and then thought better of it and wrote a plugin instead! It manipulates the main wordpress query (as found in “query.php”), force-bypassing the user capability check.

I also gave the plugin the option of showing private posts in un-authenticated outgoing news feeds – for the sake of sanity this is limited to post titles and urls. To do this you have to append ?showprivate=true to the feed url.

It even has a rough administrative interface allowing the private feeds and posts to be turned on and off.
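An added example (not the plugin linked below) of the same behaviour done through the pre_get_posts hook rather than by patching query.php: any logged-in user gets private posts included in the main query, and a feed gets them only when the admin switch is on and ?showprivate=true is present, with body and excerpt blanked so only titles and links go out. The option names are hypothetical. Note that the feed switch is the only control over that leak: anyone who knows the parameter can list private titles and links without logging in.

```php
<?php
/*
Plugin Name: Shared Private Posts (illustrative example)
Description: Logged-in users see each other's private posts; feeds list private post
titles and links (no body) when ?showprivate=true is appended to the feed URL.
*/

// Option names are hypothetical; the original plugin's settings are not documented here.
define( 'SPP_OPT_SHARE_POSTS',   'spp_share_private_posts' );
define( 'SPP_OPT_PRIVATE_FEEDS', 'spp_private_in_feeds' );

// Decide whether this request may see private posts.
function spp_should_show_private( WP_Query $query ) {
    if ( $query->is_feed ) {
        // Unauthenticated feeds only get private items when the admin switch is on
        // AND the feed URL carries ?showprivate=true.
        return get_option( SPP_OPT_PRIVATE_FEEDS )
            && isset( $_GET['showprivate'] ) && $_GET['showprivate'] === 'true';
    }
    // Normal page views: any logged-in user, regardless of per-blog role.
    return get_option( SPP_OPT_SHARE_POSTS ) && is_user_logged_in();
}

// Widen post_status before the SQL is built. WP_Query only applies the
// read_private_posts capability check when 'perm' => 'readable' is requested,
// so an explicit status list bypasses it without touching query.php.
function spp_include_private_posts( $query ) {
    if ( is_admin() || ! spp_should_show_private( $query ) ) {
        return;
    }
    $status = (array) $query->get( 'post_status' );   // '' when unset
    if ( $status === array( '' ) ) {
        $status = array( 'publish' );
    }
    $query->set( 'post_status', array_unique( array_merge( $status, array( 'private' ) ) ) );
}
add_action( 'pre_get_posts', 'spp_include_private_posts' );

// In feeds, private items are reduced to title and link: blank out body and excerpt.
function spp_strip_private_feed_body( $text ) {
    global $post;
    if ( is_feed() && isset( $post ) && $post->post_status === 'private' ) {
        return '';
    }
    return $text;
}
add_filter( 'the_content_feed', 'spp_strip_private_feed_body' );
add_filter( 'the_excerpt_rss',  'spp_strip_private_feed_body' );
```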

Download the source code

Fitting LDAP to WordPress-mu

One of the major bits of infrastructure for the new CETIS websites is a WordPress-mu based blog server. The point of this being that everyone in the organisation gets to have their own blogs and thereby feed the general production of cetis news through what they write in said blogs. Look I’m doing it now! Enough with the meta-blogging though. The serious technical challenge was to integrate WordPress-mu with our LDAP directory so as to give staff rights to sign on using their standard password and create as many blogs as they each fancy. WordPress of course doesn’t quite do this out of the box but I’m not the first person to try this.

It being a small world, Alistair Young from UHI made this plugin for WordPress 1.5, Pat Cavit took it onward somewhat and then William Gray did some more work taking it to 1.5.2. Of course this is all single-user WordPress, a year old (WordPress is up to version 2 now) – and inevitably mu is slightly different again…

These efforts now seem to have coalesced into a single WPMU plugin – available at:
http://wpmudev.org/project/WPMU-LDAP-Authentication-Plug-in
I’d suggest that people start with that stuff.

So I took some code – I think it was Pat Cavit’s and started working. As with many system integration projects I started out being hopeful that it would just work. It didn’t. Then I thought perhaps there was a nice clean way it could be hooked in. I couldn’t see one. Then I thought I’ll just step myself through the code and hack it into place. This approach paid off and we now have a working installation.

And it works a treat. CETIS staff can now go to blogs.cetis.org.uk and sign themselves up. A user entry is created in the wordpress database – used for keeping profile information and so that the rest of the tables have a user id number to key to – but the password is always queried from the directory. With this done, the user can create as many blogs as they jolly well like. Pretty good if you ask me.
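An added example (not the code in LDAP_MOD.zip) of the “password is always queried from the directory” part as a pluggable wp_authenticate override: the user is authenticated by binding to LDAP as themselves, then mapped to the local WordPress user record that holds the profile and id. The server URI and base DN are placeholders, and it uses current WordPress and PHP 5.6+ APIs rather than the WordPress-mu ones of the time.

```php
<?php
// Pluggable override: WordPress keeps the user row, the directory is the password authority.
// Connection details are placeholders; the original mod's ldap.php settings are not shown here.
define( 'LDAP_MOD_URI',     'ldaps://ldap.example.org' );
define( 'LDAP_MOD_BASE_DN', 'ou=people,dc=example,dc=org' );

if ( ! function_exists( 'wp_authenticate' ) ) :
function wp_authenticate( $username, $password ) {
    $username = sanitize_user( $username );

    // An empty password must never reach ldap_bind(): directories commonly treat it as an
    // anonymous bind, which succeeds and would log anyone in as the named user.
    if ( $username === '' || $password === '' ) {
        return new WP_Error( 'empty_credentials', 'Username and password are required.' );
    }

    $ds = ldap_connect( LDAP_MOD_URI );
    if ( ! $ds ) {
        return new WP_Error( 'ldap_unavailable', 'Directory unavailable.' );
    }
    ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );

    // Escape the username before placing it in a DN so it cannot alter the DN structure.
    $dn = 'uid=' . ldap_escape( $username, '', LDAP_ESCAPE_DN ) . ',' . LDAP_MOD_BASE_DN;

    // Bind as the user; a failed bind is the directory saying the password is wrong.
    $bound = @ldap_bind( $ds, $dn, $password );
    ldap_unbind( $ds );
    if ( ! $bound ) {
        return new WP_Error( 'invalid_credentials', 'Invalid username or password.' );
    }

    // Only map to WP users that already exist; account creation belongs to the signup flow.
    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        return new WP_Error( 'no_local_user', 'Directory login succeeded but no blog account exists.' );
    }
    return $user;
}
endif;
```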

The modified files are:
wp-signup.php
wp-includes/wpmu-functions.php
wp-includes/functions.php
wp-includes/registration.php
wp-content/mu-plugins/pluggable.php
wp-admin/menu.php

And some new files added:
wp-content/mu-plugins/ldap.php
wp-content/mu-plugins/ldap/……

Once the dust has settled on the servers and everything here at CETIS is properly behaving I’ll spend some time re-factoring and trying to get my work in line with the likes of Alistair, Pat et al. for both WP2 and WPmu.

MEANWHILE, due to popular demand, here is a zip file of the work I have done so far:
LDAP_MOD.zip

From a wider point of view having this kind of plugin available should be a boon to system administrators of organisations large and small looking for a nice reliable blogging solution which they can roll out to a whole bunch of users without having to create yet another authentication nightmare. Great!

CETIS Site Redevelopment: A proposal

CETIS (Custom PHP)
Mainly: A lightweight aggregation of the various blogs
Events aggregation

CETIS Blogs (WordPress-µ)
Individual (and group) blogs for all cetis staff members
Also includes general contact info for public use, staff profiles etc
Items may be public or internal-only or private
Items can be associated with the relevant Community and/or Team
Items may be elevated to front page status.

CETIS Communities (MediaWiki)
A big wiki for the SIGs – covering specs
Can be contributed to by sig participants

CETIS Events (Custom PHP??)
Events/calendaring – single click sign-up for registered users!
Covers Public Cetis events, registration
Private CETIS calendaring
Aggregated events from elsewhere

CETIS Intranet
Internal groupware – work planning, project management
TEAM views of what is going on – team blogs
Private wikis? (MediaWiki)
Staff management
Events/calendaring (again)
Control centre for it all…

Other requirements
Common authentication!

???E-Framework???

??? HOSTED STACKS FOR PROJECTS ???
A blog, a wiki, a tracker, a subversion
TRAC and Subversion and WordPress?
Or they do it themselves

??? PROJECT DIRECTORY ???
Based on my database??
Tracks all the projects and aggregates their blogs
can be contributed to by members
Tracks standards used
Full-on doap support

Implications for old sites

CETIS
Move to new structure
Deal with old content – zope.cetis.org.uk
redirections and THIS IS OLD messages

ELF
mostly archived
Framework moved into big e-framework
PROJECTS and so forth moved into hosted stacks
and/or project/software/standards directory

elearning Focus
Move to wordpress/wiki
old articles to be moved
