OpenID and the Belgian eID


In a previous post, I talked about OpenID: a single sign-on system for a multitude of websites. To perform my first tests, I installed the OpenID plugin on my WordPress and used an ID created on myopenid.com. It worked pretty well, but why not use a strong authentication method with OpenID? By strong authentication, we mean authentication based on two different factors: something you know, something you have or something you are, combined with another of those. There are several OpenID providers: myopenid.com, myid.net or Verisign (a complete list is available here). I decided to test TrustBearer because they offer strong authentication.

Belgium is one of the first countries to offer electronic identity cards (or eID). The format is the same as a credit card, and the card contains all your personal information and your digital certificate (which allows you to digitally sign official documents). To use the card, you need a PIN code. The eID is supported by TrustBearer and my laptop (Dell) has a built-in smart-card reader. Let’s go for a test!

I assume that the WordPress plugin is already installed and configured in your WordPress. To use the TrustBearer services you need:

  • A compatible browser (Firefox, Internet Explorer or Safari)
  • A compatible device (token, smart card reader or biometric reader)

(Check their website for a full list of supported hardware/cards)

When you start the registration process, TrustBearer will ask you to install a plugin (I used Firefox) which will communicate with the hardware (security note: this means your browser must be granted enough rights to talk to the reader, which can be a potential security problem). Once installed, insert your token or card and enter the PIN code.

Take care: if you enter a wrong PIN code three times, your card will be locked (like a mobile SIM card). Otherwise, the process is quite easy. Once the registration is done, your OpenID URL will look something like: “https://openid.trustbearer.com/“.

It’s now time to test with WordPress. When you access the login screen, you’ll notice a new field where you can enter your OpenID URL. Enter your freshly registered URL and log in. WordPress will redirect you to the TrustBearer web site and ask you to authenticate yourself using the registered method. After a successful login, you will be redirected back to WordPress. Magic!
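The redirect flow above ends with the provider sending a signed positive assertion back to WordPress, and the relying party must check that assertion before trusting it. The following is an added Python example of both sides of that last step (it is not the plugin's or TrustBearer's code; the endpoint, return_to URL, MAC key and identifier are constructed placeholders, and the OpenID 2.0 checks shown, signature, return_to, nonce freshness and replay, are the general ones rather than anything the post describes).

```python
import base64, hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone
# Constructed placeholders: the provider endpoint and the blog's return_to URL.
OP_ENDPOINT = "https://openid.example/server"
RETURN_TO = "https://blog.example/wp-login.php"
SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
MAX_SKEW = timedelta(minutes=5)   # how old a response_nonce may be before it is rejected

def kv_form(args, signed):
    # OpenID 2.0 key-value form: "key:value\n" per signed field, in openid.signed order.
    return "".join(f"{k}:{args['openid.' + k]}\n" for k in signed.split(","))
def signature(mac_key, args, signed):
    # openid.sig is the base64 HMAC-SHA1 of the key-value form under the association's MAC key.
    return base64.b64encode(hmac.new(mac_key, kv_form(args, signed).encode(), hashlib.sha1).digest()).decode()
def op_positive_assertion(mac_key, claimed_id, assoc_handle):
    """Provider side: build and sign the id_res response sent back to the blog."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    args = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT, "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id, "openid.return_to": RETURN_TO,
            "openid.response_nonce": stamp + secrets.token_urlsafe(6),
            "openid.assoc_handle": assoc_handle, "openid.signed": SIGNED}
    args["openid.sig"] = signature(mac_key, args, SIGNED)
    return args

class RelyingParty:
    # Blog side: holds the association (MAC key, handle) and the nonces already accepted.
    def __init__(self, mac_key, assoc_handle):
        self.mac_key, self.assoc_handle, self.seen_nonces = mac_key, assoc_handle, set()
    def verify(self, args):
        """Return the claimed identifier if the assertion is trustworthy, else raise ValueError."""
        if args.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        if args.get("openid.return_to") != RETURN_TO:
            raise ValueError("return_to does not match this site")
        if args.get("openid.assoc_handle") != self.assoc_handle:
            raise ValueError("unknown association handle")
        signed = args.get("openid.signed", "")
        if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id"} <= set(signed.split(",")):
            raise ValueError("a required field is not covered by the signature")
        if not hmac.compare_digest(signature(self.mac_key, args, signed).encode(), args.get("openid.sig", "").encode()):
            raise ValueError("bad signature")
        nonce = args["openid.response_nonce"]   # "YYYY-MM-DDTHH:MM:SSZ" + unique suffix
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(datetime.now(timezone.utc) - issued) > MAX_SKEW:
            raise ValueError("nonce too old or too far in the future")
        if nonce in self.seen_nonces:
            raise ValueError("assertion replayed")
        self.seen_nonces.add(nonce)
        return args["openid.claimed_id"]
```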

After a few hours, here are some comments:
1. It’s not possible to use the HTTPS protocol with your OpenID URL. This is a known problem. I still need to solve this issue.
2. The creation of a new account was not 100% successful. I had to patch the logic.php file to allow a new user creation and then link the OpenID identifier with the existing wp_users ID.

Check out the demo!

6 comments

  1. Quick update: Using this card reader OmniKey AG CardMan 3121 (took some time to get it to work). I don’t have to start Firefox with the card already in place. I can just insert/remove the card at any time.

  2. That’s because your eID is not available to the browser. No idea why, but personally I have to plug the card in before starting the browser. Yes, it’s on the todo list: don’t make the certif check enforced by Apache but let it come to PHP and do the tests there so I can display nice error msgs. And BTW I currently have some trouble with my Iceweasel since a recent upgrade (OCSP errors, SSL engine errors seldom when starting the browser, nothing to do with the eID), but with Iceape it works fine. I assume you also have the middleware hooked to the browser (/usr/lib/libbeidpkcs11.so)

  3. Well as I said you can try, feedback is always welcome! Plug your eID and go to http://id.yobi.be/?openid.mode=discover it will generate propositions of OpenID URLs for you, which you can try in turn…
    But I won’t chase bugs on this version as I want to rewrite everything, this demo is more a proof of concept to get feedback on missing features etc.

  4. Hi, I did some experiments too, trying to build my own OpenID provider as I was reluctant to give a chance to a third party to link my real identity with all the websites I could log in.
    Check at http://wiki.yobi.be/wiki/OpenID-eID.
    The demo is working (at least with my card 😉 ).
    One particularity is that you don’t have to register so the server is stateless.
    Current code is a hack of phpMyID, should be rewritten with php-openid library…
    Enjoy! Phil
