A plugin for SASL enabled clients or servers to use BrowserID authentication

branch: bug700456

This branch is 0 commits ahead and 12 commits behind master


README.md

SASL BrowserID

SASL BrowserID is a new SASL mechanism.

Who da what?

SASL stands for Simple Authentication and Security Layer. It is a standardized API for re-using authentication mechanisms.

BrowserID is an open web standard for providing a verified email address to websites for authentication.

This project aims to provide a plugin written in C for the popular CMU Cyrus SASL API Implementation. This can be used by:

  • OpenLDAP directory server
  • Email servers (CMU, postfix, etc)
  • ??? Tell us other use cases!

Status

Not ready for prime-time.

This codebase is roughly the happy case, but needs much <3.

We'd love your help!

  • C Hackers
  • Make Masters
  • Cross-platform Funsters

Security Notes

  1. Don't use this in a production system.

  2. Make sure the client and server applications recognize and block unknown email addresses!
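An added illustration of note 2 (not code from this project): a verified address only shows that the user controls it, so the application still has to decide whether that address is one of its accounts. The names `KNOWN_USERS` and `email_is_known` are hypothetical, the allowlist is constructed sample data, and case-insensitive comparison is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist; a real server would query its own user store. */
static const char *const KNOWN_USERS[] = { "alice@example.com", "bob@example.org" };

/* ASCII case-insensitive equality (assumption: addresses compare this way). */
static int ascii_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;   /* equal only if both strings ended together */
}

/* Exactly one '@', non-empty local part and domain, no spaces or control bytes. */
static int email_is_wellformed(const char *email)
{
    size_t i, len, at_count = 0;

    if (email == NULL || (len = strlen(email)) < 3 || len > 254)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)email[i];
        if (c <= 0x20 || c >= 0x7f)
            return 0;
        if (c == '@')
            at_count++;
    }
    return at_count == 1 && email[0] != '@' && email[len - 1] != '@';
}

/* Returns 1 only when the verified address maps to a known account.
 * Intended to run after authentication succeeds, before granting access. */
int email_is_known(const char *email)
{
    size_t i;

    if (!email_is_wellformed(email))
        return 0;
    for (i = 0; i < sizeof(KNOWN_USERS) / sizeof(KNOWN_USERS[0]); i++)
        if (ascii_ieq(email, KNOWN_USERS[i]))
            return 1;
    return 0;
}

int main(void)
{
    printf("%d %d\n", email_is_known("Alice@Example.com"), email_is_known("mallory@example.net"));
    return 0;
}
```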

Quick Start

vagrant up
vagrant ssh

If you have vagrant installed, this will give you a fully working setup to play around with or hack on.

Otherwise...

Requirements

This plugin is under development on i686 Ubuntu 10.04 with:

  • Cyrus SASL 2.1.23
  • OpenLDAP 2.4.23
  • libcurl
  • yajl 2.0.2
  • MySQL client libraries for C

Ubuntu Tips

1) sudo aptitude install ruby cmake automake libcurl-dev libmysqlclient-dev libsasl2-dev libcurl4-gnutls-dev

ruby and cmake are only needed to compile yajl.

automake is only needed to compile sasl-browserid.

2) Compile yajl

We want yajl 2.0.2 or greater, which most distros haven't packaged.

wget http://github.com/lloyd/yajl/tarball/2.0.2 -O yajl-2.0.2.tar.gz
tar zxvf yajl-2.0.2.tar.gz
cd lloyd-yajl-g5b0e7df
./configure
sudo make install
sudo ldconfig /usr/local/lib

Install SASL-BrowserID

Assuming you have the requirements installed, you can:

./configure
make
sudo make install

This will create libbrowserid plugins under /usr/lib/sasl2

Details can be found in the INSTALL doc or

./configure --help

Setup MySQL Session

$ mysql -uroot -p
mysql> create database sasl_browserid;
mysql> exit
$ mysql -u root -p sasl_browserid < configs/browserid_session.ddl

Sanity Tests

The following are ways to test this plugin.

For all of the following tests, it's best to

sudo tail -f /var/log/auth.log

When prompted for an Assertion and Audience, use browserid_debug.html and a local webserver. Example:

Assertion: eyJhbGci...blah...blah...2mtVg68723mlBPAQds_bPsG8mllYg
Audience: localhost:8001

There are 3 ways to test: pluginviewer, slapd, and the sample programs.

pluginviewer

Note: On some systems this is called pluginviewer.

sudo saslpluginviewer

Do you see BROWSER-ID in the list of SASL client and server mechanisms?

OpenLDAP (slapd)

Setup:

sudo cp configs/slapd.conf /usr/lib/sasl2
# restart slapd
cd test/www/
python -m SimpleHTTPServer 8001

Each time

# request http://localhost:8001 in your browser and do BID login flow
A=eyJjZXJ0aWZpY2F0ZXMiOlsiZXlKaGJHY2...some_real_assertion_ekdNeGhGM05CM3diUXV6UzC
ldapwhoami -Y BROWSER-ID -I -X $A -U 'localhost:8001'

Sample client and server

If you've compiled SASL's sample/client and sample/server programs...

sudo cp configs/sample.conf /usr/lib/sasl2
cd ${SASL_SRC}
./sample/server -p 8089 -s testing -m BROWSER-ID
./sample/client -p 8089 -s testing -m BROWSER-ID localhost

License

plugins/plugin_common.c and plugins/plugin_common.h are copied from CMU's Cyrus SASL distribution. They are copyright CMU and licensed per file. See files for details.

The rest of this codebase is original and Copyright Mozilla Corporation 2011. A License is TBD.

We'll pick a license that works well with Cyrus SASL distributions and balances other factors.
