I did not give up on OpenID. It is just too bad that it doesn't work.
Long story short:
- I got a proper SSL certificate for www.preissler.co.uk, where my actual OpenID provider is sitting.
- ModSecurity got in the way; quite nasty.
So. It is working now, seriously, like a dream. All the issues I had with WordPress and Slashdot and others… hang on, actually I have not found any site where it is not working.
Ok. Next stop: Yubikey. OTP with PIN.
I had good intentions. I wanted to make my own password life easier and more comfortable. The foundation would have been OpenID – at a later stage with Yubikey as an OTP generator.
But OpenID is not ready yet.
I installed my own authentication server / identity provider, Community-ID; this worked so far. Authenticating from WordPress using my OpenID didn't work; WordPress always reported something like “no valid endpoint”. Wha? After some time I realized that some sites actually work with OpenID, i.e. with https://www.preissler.co.uk/openid/identity/thomas, and some just don't.
So I then set up an OpenID delegation on http://openid.preissler.co.uk, pointing to my own authentication server. Sounds crazy, but it has the benefit that I could just swap the OpenID backend and that's it.
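As an added illustration (not code from this post, from WordPress or from Community-ID), this is the HTML-based discovery a relying party performs against a delegation page such as the one on http://openid.preissler.co.uk: it reads the openid.server/openid.delegate (OpenID 1.x) and openid2.provider/openid2.local_id (OpenID 2.0) link tags from the page head, and a page with neither is what produces a “no valid endpoint” style error. The provider endpoint in the constructed sample page (provider.example) is a placeholder; the local identifier is the long Community-ID URL from the post.

```python
from html.parser import HTMLParser

# Constructed delegation page: the provider endpoint at provider.example is a
# placeholder, the local identifier is the Community-ID URL mentioned in the post.
# The <link> inside <body> is there to show that discovery must ignore it.
DELEGATION_PAGE = """<html><head>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://www.preissler.co.uk/openid/identity/thomas">
<link rel="openid2.provider" href="https://provider.example/openid/server">
<link rel="openid2.local_id" href="https://www.preissler.co.uk/openid/identity/thomas">
</head><body><link rel="openid.server" href="https://ignored.example/"></body></html>"""


class _HeadLinks(HTMLParser):
    """Collect rel -> href for <link> tags, but only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False  # anything after <body> starts is not head content
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():  # rel may carry several space-separated values
                self.links.setdefault(r.lower(), href)


def discover(html, claimed_id):
    """HTML-based discovery: return the provider endpoint and local identifier a
    relying party would use for claimed_id, preferring OpenID 2.0 tags over 1.x."""
    p = _HeadLinks()
    p.feed(html)
    links = p.links
    if "openid2.provider" in links:  # 2.0: local_id optional, defaults to claimed id
        return {"version": 2, "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id", claimed_id)}
    if "openid.server" in links:  # 1.x: delegate optional, defaults to claimed id
        return {"version": 1, "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate", claimed_id)}
    # Neither tag set present: the relying party has nothing to talk to.
    raise ValueError("no valid endpoint: no openid.server/openid2.provider link in <head>")
```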
Trying it with WordPress again – and after fiddling a long time with the actual server URL in combination with Community-ID and delegation I managed to get it working.
Sort of. At least the error message is different. Now it is “OpenID authentication failed: Server denied check_authentication”. Checking the internet a bit showed that this is some sort of recurring problem and has to do with the underlying OpenID PHP libraries / system libraries.
One funny thing at the end: I used my OpenID for the first time on Slashdot – when it was still the long https://www.preissler…/identity/thomas URL. And some people on the internet are just saying “OpenID on Slashdot is just broken”. Even my shorter and nicer OpenID doesn't work on there – just the error message is different.
I have to give up here. Incompatibilities, different implementations and such just don't make it really enjoyable. The other bit is that, whilst looking and testing, there are not that many sites supporting it.
So I am just going to drop this. What remains is Yubikey – you could actually use OTPs on some websites, but without OpenID?