Saturday, November 24, 2007

openinfocard 0.9.8 relying party test results

live id
higgins (left button)
Selector does not start when icon is clicked. Though the debug output of the selector shows that the object is found.
Could not login with information card.

The selector starts, I choose a card, then the error message is displayed. No reason for failure is given. Selector debug output looks ok.

IC-Java: This works. I don't feel like registering right now, so the error message is correct.
Pamela Project
Ping Identity Simple RP: tbd
Ping Identity Advanced RP: tbd
CA Siteminder RP: tbd
Bandit Trac: tbd
Oracle RP: tbd
Bandit Podcasts PW RP Word Press: tbd
Siemens DirX RP: Firewall problems. Can not access port 9443.
MS RP for MS IdP

symmetric binding is not supported by the openinfocard id selector.

MS Any Issuer RP

Good-Bye XBL

I just uploaded a new version (0.9.8) of the openinfocard id selector. You can find it in the project's download area.

Finally we got rid of the XBL code. There are several problems with XBL; the most notable being that bindings are not applied to objects in the head section of the html code on the relying party.

Andrew Hodgkinson had the idea to replace the XBL by a progress listener. The progress listener gets every event while the html code is parsed and the page constructed. Clever!

I tweaked Andrew's code a little bit, but all credit goes to him. Thanks.
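How a listener of this kind can pick up information card objects once a page has finished loading, including objects in the head section, as an added example that is not Andrew's or the openinfocard project's code. It is written in present-day JavaScript; `findInformationCardObjects`, `makeProgressListener` and the `onCard` callback are hypothetical names, and `onStateChange` returns a count only so the result can be checked.

```javascript
// Added illustration, not code from openinfocard or the selector selector.
// Flag values are those defined by Mozilla's nsIWebProgressListener.
const STATE_STOP = 0x00000010;
const STATE_IS_WINDOW = 0x00080000;
const ICARD_TYPE = 'application/x-informationcard';

// Collect every <object> of the information card type, wherever it sits:
// head or body, inside or outside a form. The type attribute is only read,
// never rewritten.
function findInformationCardObjects(doc) {
  const found = [];
  const objects = doc.getElementsByTagName('object');
  for (let i = 0; i < objects.length; i++) {
    const type = objects[i].getAttribute('type') || '';
    // Media types are case-insensitive and may carry parameters.
    if (type.split(';')[0].trim().toLowerCase() === ICARD_TYPE) {
      found.push(objects[i]);
    }
  }
  return found;
}

// onCard(objectElement, document) is a hypothetical callback that would
// hook the element up to the identity selector.
function makeProgressListener(onCard) {
  const seen = new WeakSet(); // objects already handed to onCard
  return {
    // Fires for every load state; act only once the window has stopped.
    onStateChange(webProgress, request, stateFlags, status) {
      const done = STATE_STOP | STATE_IS_WINDOW;
      if ((stateFlags & done) !== done) return 0;
      const win = webProgress.DOMWindow;
      if (!win || !win.document) return 0;
      let handled = 0;
      for (const el of findInformationCardObjects(win.document)) {
        if (seen.has(el)) continue; // skip objects already handled
        seen.add(el);
        onCard(el, win.document);
        handled++;
      }
      return handled; // returned for checking; the real interface is void
    },
    // The other nsIWebProgressListener callbacks are not needed here.
    onLocationChange() {}, onProgressChange() {},
    onStatusChange() {}, onSecurityChange() {},
  };
}
```

In an extension the listener object would also need a QueryInterface method and would be registered through the browser's addProgressListener.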

Further new but somewhat experimental features in this release:
- the cardstore can now be wherever the user chooses it to be (as long as Firefox can treat it like an nsILocalFile). Everything that looks like a file-system should work.
- the cardstore is now encrypted with the Firefox master password (if one is set)
- the cardstore can be on a webserver (GET and POST). This is not tested.

BTW: There is a new version (1.0.4) of the CardSpace4Firefox extension.

Special thanks to Rob Richards too. Rob was the first to adapt Andrew's code for the openinfocard selector and he tested it against many relying parties. He built a selector selector Firefox extension that calls the actual id selector. The id selectors implement Kevin Miller's API.
I think this is a good idea but somewhat inconvenient for the user because this concept requires two extensions to be installed.
I chose another way and implemented the selector selector in both extensions: openinfocard and CardSpace4Firefox. This way each selector is self-contained and does not depend on other extensions. Each extension is programmed to be "friendly" to the other extensions that use the same progress listener scheme.

My plan for the next days is to integrate DigitalMe into the selector selector. Then we have all three id selectors in one instance of Firefox. Nice.

Tuesday, November 20, 2007

Corrupted Card Collection for CardSpace

After installing .NET3.5:

Corrupted Card Collection for CardSpace
So if you *really* need your cards then make a backup before installing .NET3.5.

The new - polluted - IE7 user agent string:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 
.NET CLR 1.1.4322; .NET CLR 2.0.50727;
InfoPath.1; .NET CLR 3.0.04324.17; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

I copied it from the latest relyingparty. It outputs the user agent string to make documenting the interop tests easier. relyingparty no-SSL

Please notice that this is no-SSL.

Downloading The New Version Of CardSpace

Right after I saw Mike Jones' post that a new version of CardSpace is available I started to download "it". Well, first a download for dotNetFx35setup.exe of about 3MB size started and I thought: "Hey, they really boiled this down from the over 50MB to a manageable size". But then the disappointment… The setup application does not set up .NET35 but downloads another 67MB of hopefully useful and necessary code.
Probably it is still too early in the morning and my skepticism is still sleeping... Call me naive.
Maybe I am an eternal optimist...

Anyway; I think that Microsoft should split this up so that I can get only what is needed for CardSpace and only that code that is not already on my machine. Maybe this will all be already installed in Windows8?!

Sunday, November 11, 2007

RP XHTML 1.0 strict

The relyingparty is XHTML compliant. This is important because triggering the id selector is hard enough with "legal" HTML.

And: Always nice to see the site and/or cards issued by the xmldap STS in other posts:

Wednesday, November 07, 2007

Sea of Change

Paul Madsen found this periodic table of diagrams.
Which reminded me (somehow) of this map of Online Communities:

Tuesday, November 06, 2007

New Versions for Firefox

Please find the new version of the openinfocard id selector for Firefox in the project's download area.
It is best used with the new version of the identity selector selector which can be downloaded from this project's download area.

I tested both with most of the relying parties in the table "I2 Relying Party results with Identity Selectors". First the id selector selector with CardSpace 1.0, then with the latest openinfocard id selector.
I did not test RPs that bugged me with certificate issues.
The ping identity advanced RP is Firefox unfriendly as ever, but it worked.
I did not test the no-SSL Microsoft RP with CardSpace 1.x because I don't have that installed. I tested the no-SSL xmldap relyingparty with the openinfocard id selector which works fine!

You might want to know what changed...
Well, too bad I did not take notes. I noticed that Firefox works with IdentitySelector-1.0.1.xpi! From there I - very carefully and slowly - redid all the changes and feature integration again. In the end it worked. This is not really satisfying from a software engineering and quality assurance point of view... but who cares?!
The major change with the id selector selector is that it now leaves the type of the object untouched. Formerly the type was set to "" to remove the dreaded browserNotification "Additional plugins are required ...". I think changing the type of the object is dangerous and yields unpredictable results.
The major change with the openinfocard id selector is that it now detects the id selector selector and leaves the 'object type="application/x-informationcard"' handling to it. The id selector selector has been better at handling the objects ever since it has existed.

Next steps regarding object handling:

  • I would like to have the DigitalMe id selector integrated into the id selector selector. And I would like the openinfocard id selector to handle the objects alone if the id selector selector is not installed, but currently I don't know how to achieve both goals simultaneously.
  • Test RPs with multiple objects outside of forms.

Thanks to Andrew Hodgkinson and especially to Boris Zbarsky (Mozilla guru) who asked the right questions.

Sunday, November 04, 2007

Supporting Information Cards with Browsers as of the Information Card Profile V1.0

While investigating the issues described in my former post I began to wonder why this all has ever worked... You had this feeling in your computer science life too now and then, right?

My personal history regarding this is: Chuck designed the code of the openinfocard id selector in a way that it worked with early relying parties according to the examples given in THE GUIDE. Our relying party at is designed exactly along the examples from the guide. When I joined the team I did not have to bother with the particular code that did the HTML-object handling. I changed this code several times but I was only adding code needed for e.g. correct/better PPID computation and lately no-SSL support. The major workings of the code were not changed because it handled the examples given in the guide ok. Later new relying parties appeared with javascript triggering and I used Kevin Miller's extension because it handled most of these cases correctly.

After having spent some hours to find the reason why the id selectors stopped working in some cases I began to think that the behavior of IE7 might not be standard HTML (whatever that is). I think that the examples given in the guide expect the browser to retrieve the value of the object when it is inside a form and pass this value to the RP in the post data. Is this HTML standard behavior expected from browsers?

The Microsoft relying parties listed in OSIS - Relying Party results with Identity Selectors currently use another approach.

    function InformationCard1OnClick(doNotSubmit) {
      try {
        // reading .value makes the id selector return the token
        var token = icardInformationCard1.value;
        if (!token) {
          throw 'ID5006: No token is returned from InformationCard.';
        }
        // copy the token into the form field that gets posted
        document.getElementById('InformationCard1_TokenId').value = encodeURIComponent(token);
      } catch (ex) {
        document.getElementById('InformationCard1_ErrorId').innerText = encodeURIComponent(ex.number + '::' + ex.description);
      }
      if (!doNotSubmit) {
        // form submission follows here; the listing breaks off at this point
      }
    }

  • get the object value
  • copy it to the form field
  • and submit

Not only does it make sense, it still works with Firefox 2.0.0.[8|9]!

My suggestion: Somebody should write a new version of the guide and change the code of relying parties to this scheme!

I consider some of the other schemes currently in use just tricky/wrong/complex/false.
One relying party, which I can not find anymore, changes the object parameters in the submit function. What sense does this make???!!!

To sum it up: It would be nice if having the object inside the form and having the browser add the object's value to the posted data would work, but I am not sure whether this is _standard_. Requiring javascript is maybe not _friendly_, but maybe inevitable. I think that HTML object was invented to handle media types and this does not imply that a parent form should submit the object's value. Doing this explicitly might be better.
Just my 0.2 cent.

Friday, November 02, 2007

Firefox 2.0.0.[8|9] xbl problem

There seems to be a bug/problem with the DigitalMe id selector, the openinfocard id selector and the perpetual-motion id selector selector and Firefox 2.0.0.[8|9]. Others report problems too.

If you want to use our id selector extensions please use Firefox for now.

Curious what is going on inside the extensions? Then you should configure Firefox to show you. Please follow the instructions given here: Setting up extension development environment. Setting the preferences is easy. Just enter about:config into the address bar and go for it.
The current xbl problem is not visible here though, but sometimes there are a lot of warnings regarding faulty css.

One item from my relying party wishlist: Please adhere to standards XHTML, HTML, CSS! Sometimes it is hard to see the debug messages in all the warnings caused by the relying party code.