Apache HTTPd OpenID Access Control
==================================

This is a library that you can use with Apache HTTP Server [1]_ and
mod_python [2]_ to enable OpenID access control to web resources.

What is OpenID?
---------------

OpenID is a decentralized identity system. It allows you to prove your
identity to a site by proving that you control a particular URL. You can
learn more about OpenID at http://www.openidenabled.com/ and
http://openid.net/

What is mod_python?
-------------------

mod_python is an extension that embeds a Python [3]_ interpreter in the
Apache HTTP server.

How do I use this library?
==========================

Installation
------------

1. Install Apache, Python, and mod_python. Most Linux distributions
   should have packaged versions of these. If you use a hosted Apache
   server, ask if your host supports mod_python. If you are looking for
   a Web host, try a host that supports mod_python [4]_.

2. Once you have verified that you are running in Apache with
   mod_python, get the JanRain Python OpenID library [5]_. Install it
   and make sure that you can import it from a Python interpreter::

     >>> import openid

3. Run "python setup.py install" to install this library.

Configuration
-------------

To configure OpenID access control, you will need to decide:

1. Where to redirect the user to present them with a login screen

2. Which users should be authorized for this content

The default setup for this module works best for protecting an entire
directory on a Web server. When using this configuration, you should be
able to just modify the example configuration below. When you're using
this default configuration, the location of the login screen will
default to the path "openid" in the directory where you put the
PythonAccessHandler directive.

(2) is up to you. You'll need to get a list of the authorized users'
OpenID URLs, separated by whitespace.
You can either put them in the Apache configuration as the value for the
PythonOption authorized-users directive or in a file that is pointed to
by the PythonOption authorized-users-list-url directive.

Example .htaccess file
~~~~~~~~~~~~~~~~~~~~~~

Most of this example .htaccess file can be used directly in a block in
any part of Apache configuration.

Example config::

  # This directive tells Apache to check for OpenID authentication
  # before continuing to serve the request.
  PythonAccessHandler mpopenid::protect

  # This directive tells the protection code which identifiers should
  # be allowed to access these resources. The format of the data is a
  # text file containing the identifiers. It can be any URL that is
  # accessible to this server, including a file:// URL.
  PythonOption authorized-users-list-url file:///my/directory/allowed-users.txt

  # You can also add authorized users inline in the apache config
  PythonOption authorized-users "http://me.example.com/ http://you.example.com/"

  # If you use both kinds of authorized user directive, both lists of
  # users are combined into a single list.

  # This is the part of the configuration that handles the
  # login. Unless you have a good reason to do otherwise, you should
  # be able to use this block verbatim.
  SetHandler mod_python
  PythonHandler mpopenid::openid

Advanced Usage
~~~~~~~~~~~~~~

If you have different resources that you are protecting with the same
Apache configuration, you can use a single login page with all of them.
To do this, you'll need to add a PythonOption action-path directive to
each of the protected resources that points to the OpenID login handler.

For example, Alice has two directories, one "private" and one "friends."
She can set up one URL to handle OpenID login and then set up each of
the other directories separately::

  PythonAccessHandler mpopenid::protect
  PythonOption authorized-users "http://alice.com/ http://bob.com/"
  PythonOption action-path "/openid"

  PythonAccessHandler mpopenid::protect
  PythonOption authorized-users "http://alice.com/"
  PythonOption action-path "/openid"

  SetHandler mod_python
  PythonOption action-path "/openid"
  PythonHandler mpopenid::openid

By default, the OpenID library will use stateless mode rather than
storing secrets on your local system. This comes at a minor performance
cost that should not be noticeable in most circumstances. Most people
will be better off with the default. If you have a safe place to put the
data, you can use a filesystem-based store.

To use a filesystem store, create a directory to hold the OpenID
secrets. Add "PythonOption store-type file" and "PythonOption
store-directory " to the configuration for the OpenID login handler (the
mpopenid::openid URL).

HELP!!!
=======

If you're having trouble getting things working, you can get help from:

:irc: freenode.net channel #openid
:e-mail: dev@lists.openidenabled.com

Don't hesitate to ask!

Dependencies
============

Compatibility:

=======================  ==============  ======================
Component                Tested Version  Expected Compatible
=======================  ==============  ======================
Apache                   2.2.2           2.0.X - 2.2.X
mod_python               3.2.10          3.X.X
Python                   2.4.4c0         2.2.1 and up
JanRain Python OpenID    1.1.1           1.0 and up
=======================  ==============  ======================

License
=======

This is Free Software, under the terms of the GNU GPL. See COPYING for
details.

.. [1] http://httpd.apache.org/
.. [2] http://www.modpython.org/
.. [3] http://www.python.org/
.. [4] http://code.djangoproject.com/wiki/DjangoFriendlyWebHosts
.. [5] http://www.openidenabled.com/openid/libraries/python/
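The Configuration section says that the inline ``authorized-users`` value and the file behind ``authorized-users-list-url`` are whitespace-separated and combined into a single list. The following is an added example, not part of mpopenid, that merges both sources the same way and flags entries worth reviewing before deployment. The function names, the sample identifiers and the review checks are assumptions of this example; mpopenid's own matching rules are not shown in this README.

```python
from urllib.parse import urlsplit

# Constructed sample inputs (not from a real deployment).
INLINE_USERS = "http://me.example.com/ http://you.example.com/"
LIST_FILE_TEXT = """\
http://you.example.com/
https://carol.example.org
http://dave.example.net/,http://erin.example.net/
frank@example.com
"""


def combine(inline_value, list_text):
    """Merge both whitespace-separated sources, de-duplicated, first-seen order."""
    combined = []
    for ident in inline_value.split() + list_text.split():
        if ident not in combined:
            combined.append(ident)
    return combined


def audit(identifiers):
    """Return (identifier, finding) pairs for entries an admin should review."""
    findings = []
    for ident in identifiers:
        parts = urlsplit(ident)
        if "," in ident:
            # A comma-joined pair is read as one token and authorizes nobody.
            findings.append((ident, "contains a comma; entries are whitespace-separated"))
        elif parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append((ident, "not an absolute http(s) URL"))
        elif parts.path == "":
            findings.append((ident, "no path; OpenID normalization would add a trailing '/'"))
    return findings


if __name__ == "__main__":
    users = combine(INLINE_USERS, LIST_FILE_TEXT)
    print(len(users), "identifiers after combining both lists")
    for ident, finding in audit(users):
        print("REVIEW", ident, "-", finding)
```

Run it against the real inline value and list file contents whenever either list changes; an empty result from ``audit`` means every entry is a well-formed identifier URL.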