FAS-OpenID launched

Last week, my first big open source project finally went live: FAS-OpenID, the new OpenID provider for the Fedora community.

While the core of the system was written in just two days during FUDCon, getting it ready for release from there on was quite a daunting task.
Sometimes the high availability proxy would silently drop the request, sometimes the library in use would not encode the information correctly, and other times it was just me to blame, but my hands have been in my hair quite a few times.

But I think the end result is worth it: we now have a fully OpenID conformant identity provider with a few extensions implemented to make it even more usable, both for the community and the Fedora infrastructure.

Why rewrite?

So you are probably asking yourself: "Why on earth would you rewrite from scratch a service that has been running for over four years without any problems?"
I think this is a perfectly valid question, and it is one which I asked myself numerous times as well.

One of the reasons was that the old implementation, codenamed samadhi-openid, had some issues with its published discovery information and some other serious issues, among which were one or two serious security issues.
Another reason for rewriting is that we, as the Fedora Infrastructure team, are trying to decouple some of our services, as a number have become too bloated to be maintainable, and this was the perfect opportunity to start with this decoupling.
Also, samadhi-openid lacked some features we needed for the future, and it would have been a pain to implement them.

Mainly because of these reasons, we decided to completely rewrite it.
The rewrite also has another major advantage: the re-usability of the code base for other people or projects had been practically none.
Although I know that the current one is still coupled to the Fedora Account System, this will be resolved in a new release, sooner rather than later, after which it will be pretty useful for others.

The features

So, I have come to rewrite the complete code base from scratch, and this gave me the opportunity to include some features that were not present in samadhi-openid.

The first and most important one is that FAS-OpenID is fully OpenID 1.0, 1.1 and 2.0 compliant, and thus should be usable to log in to any website that supports OpenID logins.

Also, FAS-OpenID provides some extensions to make it more usable for both the community and the Fedora Infrastructure team.
One of the first extensions to be implemented, which was the only one available in samadhi-openid, was the Simple Registration module, providing the full name and email address of the user to the website they are trying to log in to (of course only after asking permission of the user).
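
The following is an added example, not part of the original post and not FAS-OpenID's own code: a website receiving Simple Registration values should accept only those covered by the signature on the OpenID response. It shows just that step, assuming an HMAC-SHA256 association; the key, identity URL and values are constructed, and `sign` and `trusted_sreg` are hypothetical helper names.

```python
import base64
import hashlib
import hmac

SREG = "openid.sreg."


def sign(params, mac_key):
    """Base64 HMAC-SHA256 over the fields listed in openid.signed."""
    fields = params["openid.signed"].split(",")
    # Key-Value Form: one "key:value\n" line per signed field, keys
    # written without the "openid." prefix, in the order listed.
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)
    digest = hmac.new(mac_key, kv.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def trusted_sreg(params, mac_key):
    """Return only the Simple Registration values a valid signature covers."""
    try:
        expected = sign(params, mac_key)
    except KeyError:  # openid.signed is absent or names a missing field
        return {}
    received = params.get("openid.sig", "")
    if not hmac.compare_digest(expected.encode(), received.encode("utf-8")):
        return {}
    signed = set(params["openid.signed"].split(","))
    return {
        key[len(SREG):]: value
        for key, value in params.items()
        if key.startswith(SREG) and "sreg." + key[len(SREG):] in signed
    }


# Constructed sample: a made-up association key and positive assertion.
# sreg.email is deliberately left out of openid.signed.
MAC_KEY = b"constructed-association-secret"
RESPONSE = {
    "openid.mode": "id_res",
    "openid.claimed_id": "https://user.example.org/",
    "openid.sreg.fullname": "Example User",
    "openid.sreg.email": "user@example.org",
    "openid.signed": "mode,claimed_id,sreg.fullname",
}
RESPONSE["openid.sig"] = sign(RESPONSE, MAC_KEY)

if __name__ == "__main__":
    print(trusted_sreg(RESPONSE, MAC_KEY))
```

A real relying party also checks the nonce, `return_to` and the discovered endpoint, normally through an OpenID library rather than by hand.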

But when I was implementing this extension, I started wondering what more we could do with FAS-OpenID, and discussed this with the rest of the Infrastructure Team.
We came to the idea that it would be pretty useful for all Fedora Infrastructure services that require authentication to move to OpenID authentication, both to decouple them from the Account System and thus also to make them easier for others to adopt.

For this, we required some more extensions to provide all the information we needed to the services that need them, like an extension to communicate what groups the user is a member of, or to find out if the user signed the Fedora Project Contributor Agreement.

It was a challenge getting all extensions in and working, but I managed to do so, and version 0.6.6 was named 1.0.0 on 05-03-2013, marking the first release of FAS-OpenID!

So what now?

Now that FAS-OpenID has been released, I am done and will stop working on the Fedora Infrastructure Team, right?
Well, quite the opposite: I only got more projects out of it.

For starters, we want to modify our current services to use the FAS-OpenID system as authentication, and I will be working with the rest of the team to make this happen.
Another upcoming project of mine is going to be FAS-OAuth, to also separate the authorization and delegation layer, which will be an even bigger project.

So to round up: FAS-OpenID has been released, and I only got more projects from it.
Things like this make you feel valuable for the community :).

More info

For more information regarding the OpenID protocol or the extensions implemented in FAS-OpenID, you should refer to the Fedora classroom I gave a little while back on this subject.

For information on using FAS-OpenID, please refer to the announcement.

Feel free to email me at patrick@uiterwijk.org for any questions or feedback, or to respond in the comments section below!
