OpenID for Firefox4

I created an addon for Firefox4 that learns your OpenIDs when you use them.

The addon then asks you whether it may store the discovered openid (claimed_id) shown here at the identity commons site:

Another thing the addon does is that it allows the site to query the DOM for your preferred openid:

This is the source code of the last page:
<html><head><title>JavaScript-Test</title>
<script type="application/javascript">
 function start() {
   try {
    window.openid.getPreferredOpenidProvider(function(preferredOpenidProvider) {
  var p = document.getElementById("id");
  p.textContent = preferredOpenidProvider;
});
   } catch(e) {alert("exception="+e);}
  }
</script>
</head><body>
<form><input type=button value="Start" onClick="start()"></form>
<p id="id">openid</p>
</body></html>

The addon then asks the user for her consent to provide the openid to the site:

Clicking the openid urlbar icon inserts the openid to an appropriate input field on the page. If the addon did not learn an OpenID in the past it opens the OpenID Foundation's "Get An OpenID" page"

Google's openidsamplestore does NOT put an id or name on the input fields making it impossible for the addon to determine the correct input field. Shame on you Google! You can drag the OpenID urlbar icon to the correct field to insert your OpenID into the field.

 

The addon works on Stackoverflow too:

Get Firefox4 now and please try out this new addon!

Firefox Personas and openinfocard

If you have personalized your Firefox with Personas then your openinfocard selector window now shows the same background image.


Which is nice and a security feature too. A malicious website could try to create a window that looks like your favorite openinfocard selector but the website does not know how you personalized your browser. So if your card selector window does not show the same background image as your browser then something is phishy!

Get the current (xmldap-0.9.9.201002251149.xpi) version of openinfocard now!

Did I say that openinfocard runs on MacOS Snowleopard too?

New Version Openinfocard

I just uploaded a new version of the openinfocard selector to Google code here.

I changed code that limited self-issued cards to the "well-known" claims. Now I only need to add UI-code to enable the user to specify arbitrary URLs as claim-uris.
This change forced me to change the internal cardstore format for self-issued cards. The related XML now is more similar to the RoamingStore-format for Information Cards. This is good, but existing cards stop to work. Users of the new version have to delete and recreate their self-issued cards. Sorry, although I promise that this will be not the last time ;-) for this kind of changes. I want the internal cardstore format to be exactly like the RoamingStore format (plus legal openinfocard enhancements).

Other changes: - A small change that improves statusbar Information Card icon clicks when an object tag is in the page but no XRDS. This need more work.
- The sidebar code is leaner. This needs more work too, so that only matching cards are displayed and the sidebar window gets updated when the main window changes.
- The preferences javascript code is now in a separate file. I moved it from the XUL page. This seems to make the XBL that implements the preferences page happier.

I am glad that I found some hours to work on my hobby.

Developer Garden IP Location STS

Deutsche Telekom launched its developer program called developer garden which offers several telecom services by providing APIs.

One of these services is an IP location service that allows to resolve an IP address, if it comes from Deutsche Telekom's access network, to location information. While the retrievable location information is quite coarse it is still useful. My favorite use case is to restrict online banking to the country I live in or to the region or city I live in. This restriction would make online banking a little bit safer, although I know this is no silver bullet.
Anyway, it is a good thing that the location information is not too accurate. I don't want any server to locate me. Viewed from the privacy angle even country or region/city information might be too much already.
What I would like is user-centric location information. The Internet Service Provider should allow me - the user - to retrieve my location information to the accuracy that I accept. I can then hand this information over to the online shop, bank, news site, or whatever...

Today I have put this new IP location service and a security token server together. I wrote an iplocation_sts that offers Information Cards that contain location information. And I wrote an iplocation_rp that extracts this information from the security token. And it works! Yeah! Although I don't expect this to be the killer application which will make me rich or boost my career :-/ ... still I like it nevertheless.

How does it look?
You visit the Identity Provider with your Information Card enabled browser e.g. Firefox 3 with openinfocard. You create an account and an Information Card that you download and install into your selector.

Now you visit the relying party, click on the icon as directed...

... and choose the installed location-card. This sends the token request to the IdP's tokenservice which retrieves the remote-address of the client (or its proxy :-(), generates the SAML assertion, ...

that finally is send to the relyingparty.

Now it is clear that I live in the region "Berlin" and that the country code is "de". Correct.

Currently this is all installed only on my local machine but if Chuck installs the required libs on xmldap.org then you can play with it (if the access provider your ISP uses is Deutsche Telekom).

Deinstalling .NET Framework Assistant 1.0 for Firefox

Microsoft published an update that allows to deinstall the clickonce support for Firefox without twiddling with the registry. Good.

Before installing the patch the dotNet extension is grayed out:

After installing the patch it can now be deinstalled:

Ready:

openinfocard is now on addons.mozilla.org

I uploaded the current version of the openinfocard firefox extension to addons.mozilla.org. It is there in the experimental section. Sorry you have to have a mozilla account to download it from there. The future current versions will be available at the project's code repository as long as the extension is not in the section of released extensions.

Enjoy.

Bugzilla@Mozilla – Bug 457068

The number of bugs in Firefox and the Firefox Java plugin that affect the openinfocard id selector increased in the last days/weeks. Not funny.

- eval(..., scope) regression
- javascript instanceof not working with Java classes
- AccessControlException for java based Firefox extensions
- javascript array constructor not working with Java classes
- window.java is sometimes defined but sometimes not

Sun says they can not fix the java plugin for java 6 update 10...

Aaargh.

Maybe it is time to build Information Card support into Firefox and other Mozilla applications directly?! This is worth a post on its own.

Firefox Java Plugin(s)

Have you ever wondered how Firefox finds the Java plugin on Windows systems? The reason you might start to wonder is that Firefox finds the plugin even when you installed Firefox after you had installed Java...
The trick is that Firefox - as long as you don't configure it not to do this - scans the Windows Registry.


If you experience problems with the new NPRUNTIME version of the Java plugin you can disable it like shown in the picture. This solves problems Java based plugins like the openinfocard id selector have with this new and improved Java plugin.

Please note that this is (somewhat) independent of Firefox. Even if you have an older version of Firefox the new plugin's bugs can hurt you if you have a recent version of Java that contains the new npruntime version of the Java plugin.

I recommend to disable the new npruntime plugin for Java in Firefox.

openinfocard and Firefox 3

There are currently issues with java in Firefox3 that prevent the openinfocard id selector to function reliably. For the time beeing: If you want to use/try the openinfocard id selector then please use Firefox 2.0.0.16.
Mozilla and Sun are changing the way java works in Firefox and this seems to be problematic. While I could work around some issues, there is no workaround for others. Using 6u10 makes things worse.
The current problems break all java extensions in Firefox3 that use the jar file loading technique recommended by the Mozilla Developer Center.

CardSpace for Firefox new version

I just uploaded a new version 1.0.12 of the Firefox extension that enables CardSpace for Firefox.
This now works for the release version of Firefox 3. Although I know at least one site the drives the javascript kungfu to new heights and that does not work with this version... :-(( Fixed this!

Have fun; and happy testing. Please report issues!

Minefield defused

The openinfocard id selector now works with Firefox3.

The bug in Firefox3 is not fixed but circumvented. Firefox3 treats arrays of java objects differently than before.

In a javascript script the call "java_method([aElement])" formerly worked but now it fails. It has to be replaced with
var urlArray = java.lang.reflect.Array.newInstance(java.net.URL, 1);
urlArray[0] = aElement; // aElement beeing a java.net.URL
java_method(urlArray);

Please download the latest version in the openinfocard download area.

Firefox3 Java Bug: openinfocard needs your help

The early betas of Firefox3 crashed when the openinfocard identity selector was loaded. The current beta and the one before do not crash, but don't work.

InternalError: Unable to convert JavaScript value
file:/C:/Dokumente%20und%20Einstellungen/Nennker.Axel/Anwendungsdaten/Mozilla/Firefox/Profiles/kb7ofbop.default/extensions/
%7B211DBAEA-CE99-11DA-8254-96BEC52F3316%7D/components/firefoxClassLoader.jar
to Java value of type java.net.URL[]

Yesterday I retrieved the latest Firefox3 code from CVS and noticed that now it is called "3.0pre1", but still it has the same bug.

Openinfocard needs your help. Please try this with other versions of java on different operating systems and report this on the bugzilla page for this bug.
Here is a version of the openinfocard id selector that installs on Firefox3.
Here is the latest nightly Firefox3. Here is the latest beta.

I don't want Firefox to be in a pre version with this bug inside. Please help! Report and confirm this bug here.

openinfocard plugin vs extension

I have no shame... and must tell that a first step in realizing the openinfocard selector as a Firefox plugin instead of an extension was achieved today. A Firefox plugin is probably the correct way to handle HTML <object type="application/x-informationcard" >...</object> inside Firefox.

When I implemented the certificate chain validation I had to build my own Firefox browser from sources because I needed an API that is not in the Gecko SDK but in the Firefox source code. Now I had everything to build a plugin and gave it try.

Today I have an very early version of an openinfocard id selector as a plugin ready.

openinfocard logo

<Update count="2">


The top three logos are licensed under a Creative Commons Attribution 3.0 Unported License.
</Update count="2">


<Update>: Um... The two logos probably violate the usage guidelines of the information card icons...
So let's use this logo

</Update>
Projects seem to need a logo. I hope that this quick (non-art) work finds some supporters.

Or should should it be this one?

SAML ECP Firefox Extension

This is cool. I was thinking of giving this a try myself. An identity selector that speaks SAML instead of WS-*. This should not be that complicated when you mix the openinfocard selector with a java SAML library. Add ingredients, shake well, stir, ready. I am wondering if they took the photo shot before or after they began this project.

http header: X-ID-Selector

There is currently a discussion how and if a browser should indicate the presence of installed id selectors. I am against "polluting" the user-agent string.

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)

This indicates only that .NET3 is installed, it does not tell the relying party whether CardSpace is active or disabled.

I prefer that the id selector adds a HTTP header e.g. "X-ID-Selector" to the HTTP requests.

This is easy to implement; so I did it for the openinfocard id selector (xmldap-0.9.9-200712102230.xpi).

Here is a screenshot of the livehttpheaders recording of a visit to a relying party:



In the sidebar you can see the "X-ID-Selector: openinfocard" header.


BTW: Here follows a probably not very known description how to disable application/x-informationcard handling in IE7.

Open this preferences window and click "manage add-ons".

Next select "InformationCardSigninHelper Class" and disable or delete it. This does not change IE7's user-agent string.

xmldap / openinfocard paymentCards

At DIDW 2007 I heard Sid Sidner talk about variable claims and how they could be used for online payment. Kim Cameron, who sat next to me during Sid's talk, suggested that I should include this into the openinfocard id selector.

Today I uploaded two new applications to xmldap.org.

You can use the STS to create a paymentCard and import it into the openinfocard id selector:


Next go to the paymentCard relying party. You can change the price to see that the claim can be changed by the merchant. Type a new price into the input field and press enter. Next click on the paymentCard icon to start the openinfocard id selector:

Select a paymentCard using the openinfocard id selector:

The result looks something like this:

Please note the "trandata?" claim. This is the one that is modifiable by the relying party. It can contain anything. Sid suggested to base64 encode the data needed for 3D-secure. I just use the variable claim to transport price information from the merchant to the STS.

The basic principle: If a claim contains a '?' then the matching of the claim against the claims in a information card stops; that is the claim "matches" and the whole claim is send to the STS in the RST.

Of course this does not work with the current version of CardSpace.
Some newer version of the openinfocard id selector should do it. Update:ThisThe variable claim matching functionality is inside it since end of October (I think). The relyinparty and the STS are in the version control system since the same time. I did not find time to blog about this feature earlier.

Have fun.

New Versions for Firefox 2.0.0.9

Please find the new version of the openinfocard id selector for Firefox 2.0.0.9 in the project's download area.
It is best used with the new version of the identity selector selector which can be downloaded from this project's download area.

I tested both with most of the relying parties in the table "I2 Relying Party results with Identity Selectors". First the id selector selector with CardSpace 1.0, then with the latest openinfocard id selector.
I did not test RPs that bugged me with certificate issues.
The ping identity advanced RP is Firefox unfriendly as ever, but it worked.
I did not test the no-SSL Microsoft RP with CardSpace 1.x because I don't have that installed. I tested the no-SSL xmldap relyingparty with the openinfocard id selector which works fine!



You might want to know what changed...
Well, to bad I did not take notes. I noticed that Firefox 2.0.0.9 works with IdentitySelector-1.0.1.xpi! From there I - very carefully and slowly - redid all the changes and feature integration again. In the end it worked. This is not really satisfying from a software engineering and quality assurance point of view... but who cares?!
<update> The major change with the id selector selector is that is now leaves the type of the object untouched. Formaly the type was set to "" to remove the dreaded browserNotification "Addidional plugins are required ...". I think changing the type of the object is dangerous and yields unpredictable results.</update>.
The major change with the openinfocard id selector is that it now detects the id selector selector and leaves the 'object type="application/x-informationcard"' handling to it. The id selector selector was better in handling the objects since it exists.

Next steps regarding object handling:

• I would like have the DigitalMe id selector integrated into the id selector selector. And I would like the openinfocard id selector to handle the objects alone if the id selector selector is not installed, but currently I don't know how to achieve both goals simultaneously.
• Test RPs with multiple objects outside of forms.

Thanks to Andrew Hodgkinson and especially to Boris Zbarsky (Mozilla guru) who asked the right questions.

Firefox 2.0.0.[8|9] xbl problem

There seems to be a bug/problem with the DigitalMe id selector, the openinfocard id selector and the perpetual-motion id selector selector and Firefox 2.0.0.[8|9]. Others report problems too.

If you want to use our id selector extensions please use Firefox 2.0.0.7 for now.

Curious what is going on inside the extensions? Then you should configure Firefox to show you. Please follow the instructions given here: Setting up extension development environment. Setting the preferences is easy. Just enter about:config into the address bar and go for it.
The current xbl problem is not visible here though, but sometimes a lot of warnings regarding faulty css .

One item from my relying party wishlist: Please adhere to standards XHTML, HTML, CSS! Sometimes it is hard to see the debug messages in all the warnings caused by the relying party code.