phpMyID

This page is kept for posterity. phpMyID is no longer maintained.

phpMyID is a standalone, single user, OpenID Identity Provider.

The source is available on github.

Description

OpenID is an open, decentralized, free framework for user-centric digital identity (I stole that from their website). But what does it mean? Well, basically OpenID is a way to authenticate yourself to various places (websites) by verifying your identity as the owner of a particular URL (say, a website of your own). Instead of giving a username and password to a login form, you just give it your URL. You're then directed to your "identity provider" to log in, and when it authenticates you, you go back to the site you were orignally trying to get into. Why this is good or bad, and what the actual implications of it are... well, that's all mostly outta scope as far as phpMyID is concerned. Suffice it to say, phpMyID acts as an "identity provider" so you can log in to OpenID enabled sites.

From a user point of view, OpenID is a neat concept, but it has a few flaws. For example, when I wanted to actually, y'know, get an OpenID thingie of my own so I could log into OpenID sites, I found there was no satisfactory way to get one. My options were:

• Download a ready made application to handle serving up identities and create myself an account in it. - There aren't many of these, and what few there are seem to be geared towards multi-user setups. Since there's only one of me, this option seemed like overkill.
• Download a complex set of libraries and build an application to handle serving up my identity. - Again there are not many of these, and what few there are seem a bit overcomplicated for my needs.
• Set up an account with a third party provider. - A bad option for me because I really don't like the idea of coupling a theoretically decentralized framework to one of a handfull of third party providers (and giving them my account credentials). Sure, someone who doesn't have their own site and server technology will probably go this way, but not me.

Since I couldn't find the simple solution that I wanted, I did what any [idiot|geek] would do, and created the missing option for myself: a single user OpenID server. phpMyID.

Why Use it?

• The whole point of OpenID is to allow you to manage your own identity, and phpMyID lets you do that without giving control to a third party.
• It's easy to install and easy to configure. Edit just a few lines in your config file, and you're off and running!
• Allows "Smart Mode OpenID" (more secure) transactions, even if you don't have a "big math" library available. Seriously, phpMyID comes with a pure-PHP math library which can be used if you want to demand that extra level of security.
• Ensures secure password transmission even if you don't have SSL! By using HTTP Digest authentication, phpMyID ensures your password is never sent or stored anywhere in clear or decypherable text.

How to Use

phpMyID is a single user (though, if you were so inclined, you could easily turn it into a multi-user setup) IdP, or "Identity Provider" for the OpenID framework. It's a single PHP script with minimal dependancies. You don't need a database, you don't need to make your filesystem writable, you don't need to download any libraries, and you don't need to recompile PHP. Okay, well, you shouldn't need to do any of that.

Installing phpMyID requires an MD5 hashing utility. Why? Because you have to authenticate to it using a password. phpMyID uses HTTP Digest authentication for security and your password must be encrypted when you enter it during installation. Say it with me: "passwords should never be stored or transmitted in plain text" (one of the advantages of phpMyID and OpenID is that they never are).

For Linux or OSX (or any other Unix-like OS), I suggest using OpenSSL to encrypt your password. For Windows, there are a number of utilities available, but I recommend this one by Colin Plumb. It's public domain code, and it will do exactly what you need (yes, the hash it create is all upper-case - don't worry, phpMyID will convert it for you). You can use PHP's md5 function to generate your hash for you on the fly, but I must discourage doing so. Not only does it take all the fun out, but you have to store your password in plain text to make it go.

Complete installation instructions, including examples of how to encrypt your password, are available in the provided README file.

Important

phpMyID is not compatible with hardened PHP installations. In particular, Suhosin is known to cause problems.