Archive for the 'xri' Category

FoXRI Updated for Firefox 3

Saturday, October 18th, 2008

Prompted by Emanuel in a comment to my post on i-names, I’ve finally tended to the long-overdue item in my TODO queue, i.e. update FoXRI to work with Firefox 3.

The request from Emanuel came almost serendipitously 2 days after =les nonchalantly asked me if I had plans to update it to FF3, to which I answered “one of these days.”

New in this version are 2 patches from Michael Krelin which adds detection of URIs for more OpenID versions, and the handling of append attribute values. Changelog for the patches are available at his git repository.
Thanks, Michael!

Due to what seems like a new security restriction that protocol handlers are not allowed to link to chrome URIs, I can’t seem to get it to load the CSS and icons from the chrome any more. Therefore, those files are now hosted remotely at so if you see requests to that host, please don’t be alarmed.


Wednesday, February 13th, 2008

I monitor a few keywords on Twitter, and get instant notification on Jabber whenever someone mentions any of them. “OpenID” is one of those. Today, I got one notification which caught my attention, not just because it is in Chinese, but that I think it’s an important point:

jchristabelle: OpenID真的很難記,我又忘了我的。

which translates to:

OpenID is really hard to remember, I forgot mine again.

I have shared that sentiment before, when I tried to login to my Plaxo account and couldn’t for the life of me remember which one it was that I first used to associate my account. Granted that, in my case, I have many OpenID URIs because I’ve been so involved in the implementation. However, it is true that the OP:RP ratio is still too high (counting Blogger as a single RP rather than thousands of OpenID-ready spam blogs.)

I think it is inevitable that in future most users will have at least a handful of OpenID URIs. One can easily imagine getting one from each webmail/IM provider, personal i-name or domain name, social networks, etc. It may just be one of those annoyances we have to live with. Or maybe users will just remember the brands that stick, and click on the “Sign in with my Yahoo! ID” button instead.

I don’t have a solution here, just relaying the message.

p.s. Incidentally, geeks are of course still able to use URIs within their control (personal domain) to delegate to another OP (e.g. Yahoo) and switch OP at anytime while keeping the original URIs. For example, here’s what I use.

OpenID for Drupal

Saturday, May 5th, 2007

There was a thread on the OpenID list around the subject of OpenID support in Drupal. Previously, I’ve experimented with the OpenID module originally written by Jonathan Daugherty from JanRain, now under maintenance by the folks at Bryght. That module uses JanRain’s PHP OpenID library, and it worked pretty much out of the box, with XRI support.

What I learned from this discussion thread is that James Walker from Bryght has been working on another OpenID module that is intended for inclusion into Drupal 6 core distribution, without using JanRain’s library. There are apparently things that Drupal-heads don’t like about the JanRain’s library, licensing may be one of the issues.

So I pulled the DRUPAL-5 codebase from CVS and installed it, then installed the 5.x-1.x-dev snapshot tarball to test it out. First thing I noticed was that it doesn’t support XRI, and I really didn’t expect it to. Then, when I tried logging in with my identifier, it wouldn’t work because I delegated it to my account. So, it doesn’t support delegate either.

Then I spent a few hours getting rudimentary XRI support into it, and made it work with delegates. Few days later, I realized that this was only a snapshot and the module is in the Drupal contributions repository. So, I threw away my installation but kept the patch I made of the 5.x-1.x-dev snapshot and started anew. The result is a patch that works with the Drupal CVS trunk as of today.

The changes are:
1. When a first-time user is authenticated, a local account is created but no role was specified. Modified the module to add the ‘authenticated user’ role to the user.
2. XRI support. This is very rudimentary and does not support canonical ID yet, but shouldn’t be hard to implement.
3. Delegate support. In OpenID 2.0, the submitted identifier (URL) is passed to the OP as the openid.claimed_id parameter, while the delegate, if present, is sent as openid.identifier.
4. In the meantime, I noticed that the while the URL normalization conforms to the OpenID Authentication 2.0 implementor’s draft 11 specification, it treats and (with trailing slash) as different identifiers. Well, they should really be the same as RFC3986 says that for HTTP, an empty path is equivalent to “/”. This normalization rule was reflected in rev 294 of the spec.

Of course this is only a *very* rough patch (no pun intended). I have never hacked Drupal before, and haven’t read much of its coding styles though I tried to follow the conventions in the original code. I do hope that at least parts of it can be integrated into the module though.

My development environment is here: Feel free to try it out.

New site:

Monday, January 15th, 2007

I really shouldn’t blogging that much now that I have three weeks left to pack up and move to Virginia. That’s another story if I get around to blogging it.

Recently on the OpenID mailing list, many people are asking for a free i-name to play around with, research and develop software against. Global i-names cost USD20 per year but if you just want to evaluate the technology, you can get a community i-name for free. A community i-name is analogous to subdomains in the DNS world. A global i-name is something like @neustar or =wil. A community i-name has an extra subsegment tagged to the end e.g. @neustar*william.tan.

The i-name / XRI community has awakened to the challenge that we need to provide more support and documentation to the developer community, and our response is the wiki.

In my little way, I have also created a site ( to allow developers to experiment with XRI resolution and Yadis by providing free community i-names under @xrid. The site allows you to have unlimited community i-names (you can even host your own like @xrid*wil*work), and link them to authorities (identities) in any way you like, and most importantly, edit XRDS documents that will be served by the authority resolution server.

So, if you’re a developer interested in experimenting with XRI technologies, get your free @xrid community i-name here.

(Note: you may be curious as to why @xrid. Well, XRID was an earlier incarnation of the XRD which is a recursive acronym for “XRI Descriptor”. Later, it was decided that we don’t want to tie the XRDS document format to just being used in XRI’s (e.g. Yadis uses XRDS documents.)

Did I mention that you can login with an OpenID too?

mod_python OpenID Access Control

Monday, January 15th, 2007

Since XRI is pretty much in bed with OpenID and NeuStar is an XRI shop, I get to play around with it quite a bit.

Here’s a little success report about using JanRain‘s mpopenid module to protect certain restricted resources served by Apache. It works somewhat like your basic HTTP authentication, but instead of returning a 401 Authorization Required response causing the browser to prompt for username and password, it redirects you to the OpenID login page. Pretty neat eh?

So, here's how we go about doing it.

My ingredients:

Following the recipes in this README file, I was able to set it up with one caveat: Python ElementTree module is a dependency of the Python Yadis library and you need to first install that.

Did I mention that you could login using an I-name?


The following patch for is needed to make i-name login work:

--- mpopenid-1.2.0-pre5/     Tue Nov 21 20:24:53 2006
+++ mpopenid-1.2.0-pre5-wil/ Sun Jan 14 16:12:16 2007
@@ -157,10 +157,17 @@
         url = s.strip()
         if not url:
-        parsed = urlparse.urlparse(url)
-        if not (parsed[0] and parsed[1]):
-            url = 'http://' + url
-        urls.append(urinorm(url))
+        if (url[0:6].lower() == "xri://"):
+            url = url[6:] # strip "xri://"
+        if (url[0] not in "=@!$+"): # doesn't look like an XRI
+            parsed = urlparse.urlparse(url)
+            if not (parsed[0] and parsed[1]):
+                url = 'http://' + url
+            url = urinorm(url)
+        urls.append(url)

     return urls

FoXRI updated for Firefox 2.0

Saturday, November 4th, 2006

Just a quick mention that I’ve updated FoXRI to be compatible to Firefox 2.0. I haven’t had time to implement URI construction (which explains why some URI links don’t work in the FoXRI explorer).

Thanks to Gabe and Ken Walsh for the reminder.

New FoXRI Out Now

Monday, August 21st, 2006

I’ve just released version 1.1 of FoXRI – XRI extension for Firefox (and Flock!).

This version features an XRDS explorer that renders an XRI (I-name or I-number) in a nice user interface (see screenshot below).

Go install it at xri://=wil (oh you’re not XRI-enabled yet? No problem, go here instead).

Under the hood

The extension installs an XUL overlay that autocorrects an I-name / I-number in shorthand notation (e.g. =wil or @neustar) to the full version with “xri://” prefix. This is only for XRIs entered on the URL bar. Everything else is left untouched and functions as per normal.

At the same time, it installs an XRI protocol handler (XPCOM component implemented in Javascript) that takes care of resolving the XRI. For “bare” XRI – no path or query e.g. xri://=wil , it fetches the XRDS document from the proxy and renders it in HTML. Otherwise, the XRI is simply prefixed with and hands it off to the normal HTTP handler.

technorati tags:, , ,

Blogged with Flock

sxore commenting

Saturday, August 12th, 2006

sxore logo

sxore is an identity and reputation system for blog authors, readers and commenters developed by sxip. As with any respectable web 2.0 services, it is in public (perpetual?) beta. I’ve heard of them before via TechCrunch but have not tried it. With so many new services being reviewed daily, where would you find time for that unless that’s your full-time job?

Our work on XRI somehow introduced me to Keith Grennan at Sxip who mentioned that they’ve successfully integrated i-name authentication in their sxore service – so I decided it to try it.

Everything works as advertised. The sign-up process was a breeze; just entered my i-name =wil, it brought me to my i-broker which authenticated me and kicked me back to where I filled in the URL, an alias and email address. There I am, instantly logged in, without having to stir brain juices to construct yet another password! Such is the power of XRI and OpenID.

Now I’m logged in, it tells me to download and install the sxore WordPress plug-in. Ok, wasn’t expecting that (in fact, I had no idea what the service did before I started!) I followed the instructions to install the plug-in and activated it with the code that was given to me and “claimed my blog”. There were a few manual steps involved there, but you’ve got to appreciate how smooth and pain-free it was. A lot of things actually happened behind the scenes and I’m sure I can’t do it justice. For example, sxore detected my blog publishing platform and provided instructions tailored just for me.

And that’s it! I can assure you that all that took less than 10 minutes.

When you click on the “Leave a comment” link below, you’ll be brought to sxore where you can leave your comment. You can also provide an email address to track replies to your comment, not only on this blog but others that use the sxore commenting system.

UPDATE: Was told that the sxore plug-in will eventually put the comment handling responsibility back into WordPress to take advantage of Akismet for spam filtering. The sxore plug-in will concentrate on the identity and trust instead. Having just gone through the pain of migrating posts and comments from the old blog, I have decided to turn off the sxore plug-in for a while, simply because I want my comments to stay in my database. The plug-in is great though, especially the feature for a commenter to track replies and the reputation system may really help the comment spam problem too but let’s wait for a new version. See the sxore plug-in roadmap for more information.

FoXRI – Firefox extension for XRI (I-name and I-number)

Friday, August 4th, 2006

I’ve developed a Firefox extension that allows the use of XRI‘s in the browser. You can install it over at my i-name landing page

What you can do:

  • Type in =foo or @bar on the URL bar and have it redirect to the proxy resolution service.
  • You can also type in the full XRI i.e. xri://=foo
  • You can click on xri:// links, here’s an example: xri://@NeuStar (don’t click on it unless you have the extension installed!)

Note that you can’t link to the shorthand notation of =foo
because it is not an absolute XRI, and therefore will be resolved in the context of the linking page.

Disclaimer: This should be considered pre-pre-pre alpha software and it comes with absolutely no warranty. I do not accept any responsibility for any consequence directly or indirectly caused by the use of this extension. If your browser implodes don’t blame me.