
Self-Hosting my Persona Identity with HostedPersona.me

Inspired by Indie Web Camp as well as the Unhosted project, I now host my own Persona Identity. I believe that Persona protocol will be an important building block for the Federated Social Web.

What is Persona?

Persona is a decentralized authentication method that competes with Facebook Connect, Twitter sign-in, etc. It’s being built by Mozilla, but works out of the box across devices and browsers.

Self-hosted?

Persona hopes to get email providers, universities, companies, and other entities to implement the BrowserID protocol. I’ve implemented this for myself, so any email address on the ozten.com domain will use my service for authentication. All ozten.com users would basically include me and my cat :)

What does it look like?

In this video, I’m logging into The Times Crossword page via Persona using my own service. It shows my avatar and I can type in my password. Avatars are provided by Libravatar and it’s the same avatar I use across the web. Sensing a theme here?

How do Persona and my self-hosted service look across the web? In the next video I log in to my self-hosted blog’s admin page, again to the Times Crossword, and several other sites… Notice I don’t have to re-enter my password. I can just pick an active identity and go.

On the 3rd site, I click "this is not me" to show my hostedpersona log in screen again. Then I log in to several other sites with various identities. For example on Bugzilla I use a gmail account to manage bugs, so shout@ozten.com wouldn’t be a good identity there.

Wow… so easy to reuse my self hosted identity across all these sites. Once I’m logged in, the Persona UX manages my session, so I’m not bugged for a password.

A Challenge

I challenge the organizers of next year’s IndieWebCamp:
Offer Persona Log In as a way to authenticate to http://indiewebcamp.com
(I’m happy to help)

Wanna own your own Persona?

Definitely weigh the options… self-hosting an important identity (I’ve used shout@ozten.com for 15 years) is kind of dangerous (especially for me as Mozilla web properties use it) and will become more risky as Persona gains adoption across the web.

Wanna hack without too much risk? Register a new domain name instead of using your actual personal domain. Okay, enough parenting…

Requirements

So you want to run your own service… what is required?

  • SSL Certificate
  • Crypto Code
  • Dynamic server side code for provisioning and authentication

To get an SSL cert I needed a static IP. Getting a static IP was 1 click and 3.95 per month.

Getting an SSL cert was one click, 12 hours, and 15 bucks a year from my website hosting provider. You can do it cheaper and better, but I wanted to see what this would be like for novice netizens. (Okay, and I’m lazy)

My personal website is mostly PHP and I didn’t want to re-invent the Persona crypto wheel. I’ve been writing more Node code lately, so I decided to:

  1. Write a new Node based service
  2. Host it on ec2
  3. Reuse Mozilla’s browserid-certifier server to do all the crypto

The BrowserID protocol enables a domain to delegate authority to another domain. I had ozten.com delegate authority to hostedpersona.me.
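As an added example (not code from the post or from browserid-certifier), here is how a relying party or browser resolves that delegation: it fetches the BrowserID support document at https://ozten.com/.well-known/browserid, finds an `authority` field, and repeats the lookup against hostedpersona.me until it reaches a document with a `public-key` and the `authentication`/`provisioning` pages. The documents are constructed stand-ins, and the five-hop cap is an assumption added so a misconfigured loop cannot spin forever.

```javascript
const MAX_DELEGATION_HOPS = 5; // assumption: bound the chain so a misconfigured loop cannot spin forever

// Constructed stand-ins for https://<domain>/.well-known/browserid (no network access).
const WELL_KNOWN = {
  // Email domain: hands authority to the hosted IdP, as ozten.com does to hostedpersona.me.
  'ozten.com': { authority: 'hostedpersona.me' },
  // The IdP proper: its public key plus the two pages the protocol needs.
  'hostedpersona.me': {
    'public-key': { algorithm: 'RS', n: '<constructed-modulus>', e: '65537' },
    authentication: '/browserid/sign_in.html',
    provisioning: '/browserid/provision.html',
  },
  // Misconfigurations a resolver must survive: a loop and a dangling delegation.
  'loop-a.example': { authority: 'loop-b.example' },
  'loop-b.example': { authority: 'loop-a.example' },
  'dangling.example': { authority: 'nobody.example' },
};

// Stand-in for the HTTPS GET; null plays the role of a 404.
function fetchSupportDocument(domain) {
  return Object.prototype.hasOwnProperty.call(WELL_KNOWN, domain) ? WELL_KNOWN[domain] : null;
}

// Follow "authority" delegation from the email's domain to the domain that really
// acts as IdP; returns its endpoints or throws with the reason discovery failed.
function resolveIdentityProvider(email) {
  const visited = new Set();
  let domain = email.slice(email.lastIndexOf('@') + 1).toLowerCase();
  for (let hop = 0; hop <= MAX_DELEGATION_HOPS; hop++) {
    if (visited.has(domain)) throw new Error(`delegation loop at ${domain}`);
    visited.add(domain);
    const doc = fetchSupportDocument(domain);
    if (doc === null) throw new Error(`no support document for ${domain}`);
    if (typeof doc.authority === 'string') {
      domain = doc.authority.toLowerCase(); // delegate; any other fields are ignored
      continue;
    }
    for (const field of ['public-key', 'authentication', 'provisioning']) {
      if (!(field in doc)) throw new Error(`${domain}: support document lacks "${field}"`);
    }
    // Endpoints resolve against the IdP's own domain: the login page the user sees
    // is served by hostedpersona.me, not by ozten.com.
    return {
      idp: domain,
      authenticationUrl: `https://${domain}${doc.authentication}`,
      provisioningUrl: `https://${domain}${doc.provisioning}`,
      publicKey: doc['public-key'],
    };
  }
  throw new Error(`more than ${MAX_DELEGATION_HOPS} delegation hops from ${email}`);
}
```

Because the chain ends at hostedpersona.me, its public key is what certifies ozten.com addresses, which is why the post warns that whoever runs the IdP effectively holds the identity.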

Starting projects at 4:30am can lead to lame names… which is how I registered hostedpersona.me ;) I picked this name as I might host friends’ Identities too, if they are dumb enough to trust them to me, since this is only a side-project.

Level of Difficulty

Implementing an Identity Provider service is much harder than adding Persona Log In to your website. If you haven’t played with that… do that first!

You are definitely better off trusting Mozilla or your email provider to manage your account’s security. Just say’n.

If you do want to do this… I think it’s about 10x as hard as adding Persona Log In to a website. Be sure to check out these tips.

Conclusion

So there you go, Persona has allowed me to have an easy to use, portable, self-hosted Identity on the web. I think Persona is going to be a key ingredient to the federated social web.

Next Steps

2 Responses to “Self-Hosting my Persona Identity with HostedPersona.me”

1. Wraithan - 01/11/12
Austin,

I have 2 questions:

1) I know it is a long drive/train ride, but on December 3rd we are having the first meeting of a quarterly (maybe a little more) auth group. It is called State of the Auth and I am the organizer. It would be wonderful if you could make it down to speak about this. Mozilla is sponsoring Pizza (plus buttons and stickers of course) and I'll gladly toss in a drink of your choice for the journey. No big deal if you can't.

2) How does this work if you've let Persona fall back to a trusted third party because you didn't have this set up for your domain, and then you set this up? Can you change your IdP without losing your identity?

2. ozten - 01/11/12
1) I'll follow up via email

2) Persona normally provides a fallback identity provider. Standing up your own identity provider isn't something to take lightly... but you can stop doing so and get back to using the fallback provider. It will take time for discovery to stop getting your cached well known files. You won't lose your identity, since it's based on the email address and you still control that.

Great question, as the Identity team is swarming on improving the Fallback to Primary to Fallback flow and improving the UX while identity providers have service outages.
https://github.com/mozilla/browserid/issues/2606 - 2608