Persona Identity Provider
A Persona Identity Provider (also known as IdP).

Allows logging in to Persona-enabled sites with an email address hosted using your own server.

How does it work

The code assumes you have an MTA running on your server that accepts email for your domain. When given a login and password, the daemon authenticates the user by logging in to the MTA over SMTP with those credentials.

Imagine your email is bob@mydomain.com. You have an MTA running on mydomain.com (for instance Exim) that you can log into using bob@mydomain.com as the username and s3cr3t as the password. When you open a Persona-enabled site, the following will happen:

  • the support document will be loaded from https://mydomain.com/.well-known/browserid (this document is generated by the IdP daemon)
  • your browser will load the provisioning document from https://mydomain.com/persona/provisioning/ (included with this code)
  • if the IdP daemon determines you have a valid session on mydomain.com you will be logged in to the site - you're done!
  • if not, you will be redirected to the login document at https://mydomain.com/persona/login/ (also included with this code)
  • after entering your SMTP credentials, the IdP daemon will try to authenticate to the MTA
  • if successful, a session will be created by the IdP daemon
  • the Persona-enabled site will then log you in

The daemon provides four endpoints:

  • /browserid that returns the BrowserID support document
  • /has-session/ that checks if you have a session open
  • /login/ that handles validating credentials using SMTP and creating a session if successful
  • /certificate/ that creates a certificate proving that your browser can act on behalf of the user you're authenticating as
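The first step of the flow above, the support document served at /.well-known/browserid, is small enough to show end to end. The following is an added example written for this README, not the project's own auth/idp.go: it loads the PEM key the Usage section tells you to generate, publishes only the public half in the BrowserID encoding (algorithm "RS", modulus and exponent as decimal strings), and wires the result to an HTTP handler as the /browserid endpoint would. The login and provisioning paths are the ones named in this README; the function and type names are this example's own. DemoKeyPEM is a stand-in for the ssh-keygen output so the example runs without a key file.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
)

// SupportDocument is the JSON a browser fetches from
// https://mydomain.com/.well-known/browserid: the IdP's RSA public key (so the
// certificates the daemon signs can be verified) and the login/provisioning paths.
type SupportDocument struct {
	PublicKey      PublicKeyJSON `json:"public-key"`
	Authentication string        `json:"authentication"`
	Provisioning   string        `json:"provisioning"`
}

// PublicKeyJSON is the BrowserID encoding of an RSA public key.
type PublicKeyJSON struct {
	Algorithm string `json:"algorithm"` // always "RS" for RSA keys
	N         string `json:"n"`         // modulus, decimal
	E         string `json:"e"`         // public exponent, decimal
}

// LoadRSAPrivateKeyPEM accepts the PKCS#1 block ("RSA PRIVATE KEY") that
// ssh-keygen -m PEM writes, or an unencrypted PKCS#8 block ("PRIVATE KEY").
func LoadRSAPrivateKeyPEM(pemData []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, errors.New("no PEM block found in key file")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok {
			return nil, errors.New("PKCS#8 key is not an RSA key")
		}
		return rsaKey, nil
	}
	return nil, fmt.Errorf("unsupported PEM block type %q (OpenSSH format? regenerate with -m PEM)", block.Type)
}

// BuildSupportDocument publishes only the public half of the key; the private
// exponent stays inside the daemon.
func BuildSupportDocument(priv *rsa.PrivateKey, authPath, provPath string) SupportDocument {
	return SupportDocument{
		PublicKey: PublicKeyJSON{
			Algorithm: "RS",
			N:         priv.PublicKey.N.String(),
			E:         fmt.Sprint(priv.PublicKey.E),
		},
		Authentication: authPath,
		Provisioning:   provPath,
	}
}

// SupportDocumentJSON renders the document exactly as the endpoint returns it.
func SupportDocumentJSON(doc SupportDocument) ([]byte, error) {
	return json.MarshalIndent(doc, "", "  ")
}

// SupportDocumentHandler serves the pre-rendered document with a JSON content type.
func SupportDocumentHandler(doc SupportDocument) http.HandlerFunc {
	body, _ := SupportDocumentJSON(doc)
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write(body)
	}
}

// DemoKeyPEM is a constructed stand-in for the ssh-keygen key file so the
// example runs offline; real deployments load /path/to/key from disk.
func DemoKeyPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), nil
}

func main() {
	pemData, err := DemoKeyPEM(2048)
	if err != nil {
		panic(err)
	}
	priv, err := LoadRSAPrivateKeyPEM(pemData)
	if err != nil {
		panic(err)
	}
	doc := BuildSupportDocument(priv, "/persona/login/", "/persona/provisioning/")
	out, _ := SupportDocumentJSON(doc)
	fmt.Println(string(out))
	// Behind the Nginx proxy in this README, /.well-known/browserid maps to /browserid here.
	http.Handle("/browserid", SupportDocumentHandler(doc))
}
```

The PEM loader rejects the OpenSSH-native key format with an explicit message, which is the most common reason a freshly generated key fails to load on current systems.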

Also included in the code are two simple HTML pages with the JavaScript code necessary for the whole process:

  • /persona/provisioning/index.html
  • /persona/login/index.html

For more about the BrowserID protocol, see the Developer Documentation

Usage

Generate an RSA key in PEM format (recent OpenSSH versions default to their own key format, so pass -m PEM explicitly):

ssh-keygen -m PEM -f /path/to/key -t rsa -b 2048

Create an SQLite database for sessions:

sqlite3 /path/to/db 'create table sessions(session_id text primary key, email text, expires int)'

Install the SQLite driver dependency:

go get github.com/mattn/go-sqlite3

Build the IdP daemon:

go build auth/idp.go

Assuming your email is bob@mydomain.com and the server you are using is mydomain.com, start the daemon:

./idp -cert-issuer mydomain.com -private-key /path/to/key -session-db /path/to/db

Configure your HTTP server to proxy certain requests to the IdP daemon. Here's an example snippet for Nginx (remember you need a valid SSL certificate):

server {
    listen 443 ssl;
    server_name mydomain.com;

    location /persona/ {
        index index.html;
        alias /path/to/persona-idp/persona/;
    }

    location /.well-known/ {
        proxy_pass http://127.0.0.1:8080/;
    }

    location /persona/auth/ {
        proxy_pass http://127.0.0.1:8080/;
    }
}

Make sure your MTA allows plain text logins (AUTH PLAIN/LOGIN without TLS) on connections from 127.0.0.1, since the daemon authenticates over the loopback interface.
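The /login/ and /has-session/ steps from the "How does it work" section, as an added example that is not the project's own code: it guards that the submitted address is actually hosted on the issuer domain before any MTA round-trip, authenticates against the MTA with AUTH PLAIN over loopback, and issues a random session id with an expiry. The session store here keeps the same three columns as the SQLite table from the Usage section but lives in memory so the example runs without the SQLite driver; the function names, the 24-hour session lifetime and the domain check are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"net/smtp"
	"strings"
	"sync"
	"time"
)

// ErrWrongDomain: the IdP must only vouch for addresses it actually hosts.
var ErrWrongDomain = errors.New("email is not hosted on this identity provider's domain")

// CheckEmailDomain accepts bob@mydomain.com for issuer mydomain.com (domain
// compared case-insensitively) and rejects malformed or foreign addresses.
func CheckEmailDomain(email, issuerDomain string) error {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 || strings.Count(email, "@") != 1 {
		return fmt.Errorf("malformed email %q", email)
	}
	if !strings.EqualFold(email[at+1:], issuerDomain) {
		return ErrWrongDomain
	}
	return nil
}

// AuthenticateSMTP connects to the MTA and runs AUTH PLAIN. Go's smtp.PlainAuth
// only sends credentials over TLS or to localhost, which is why the MTA has to
// accept plain-text logins from 127.0.0.1.
func AuthenticateSMTP(addr, email, password string) error {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return err
	}
	c, err := smtp.Dial(addr)
	if err != nil {
		return err
	}
	defer c.Close()
	return c.Auth(smtp.PlainAuth("", email, password, host))
}

// session mirrors one row of sessions(session_id, email, expires).
type session struct {
	email   string
	expires time.Time
}

// SessionStore is an in-memory stand-in for the SQLite sessions table.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]session
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[string]session{}}
}

// Create issues a 256-bit random session id, unguessable by construction.
func (s *SessionStore) Create(email string, ttl time.Duration, now time.Time) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := hex.EncodeToString(buf)
	s.mu.Lock()
	s.sessions[id] = session{email: email, expires: now.Add(ttl)}
	s.mu.Unlock()
	return id, nil
}

// Lookup is what /has-session/ needs: the email bound to a live session.
// Expired rows are deleted on sight so they cannot be revived later.
func (s *SessionStore) Lookup(id string, now time.Time) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return "", false
	}
	if !now.Before(sess.expires) {
		delete(s.sessions, id)
		return "", false
	}
	return sess.email, true
}

// Login is the /login/ sequence: domain guard, SMTP AUTH, then a session.
func Login(store *SessionStore, mtaAddr, issuerDomain, email, password string, now time.Time) (string, error) {
	if err := CheckEmailDomain(email, issuerDomain); err != nil {
		return "", err
	}
	if err := AuthenticateSMTP(mtaAddr, email, password); err != nil {
		return "", fmt.Errorf("smtp authentication failed: %w", err)
	}
	return store.Create(email, 24*time.Hour, now)
}

func main() {
	store := NewSessionStore()
	id, err := Login(store, "127.0.0.1:25", "mydomain.com", "bob@mydomain.com", "s3cr3t", time.Now())
	fmt.Println("session:", id, "error:", err)
}
```

Running the domain check before dialing means a request for an address on some other domain never reaches the MTA and never produces a certificate, whatever the MTA would have said about the credentials.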

You are now ready to try Persona. Go to any Persona-enabled site (like http://123done.org/) and try it out!