I've been working on Drupal distributed search for a while now, releasing a beta of the OpenSearch Aggregator as well as a release of the OpenSearch feed module. The aggregator has a friendly UI for setting up any number of sources and the feed contains relevance information from the Drupal search system. Results are also cached on the aggregator for performance reasons.

More information about these modules can be found in my earlier blog posts about OpenSearch.

The ultimate goal however is to set up distributed search for a Bryght client between a network of secure Drupal sites. The searches for logged-in users should include content that is visible to them across all the different Drupal sites.

OpenID is the obvious choice as an identity mechanism for the users, but it does not immediately help us with the authentication. I've written a document after some research that details possible approaches and solutions. Because we're talking about frontier technology here, it seemed best to repost it publicly to sollicit feedback from anyone interested. I could certainly use some extra opinions on this, as it is all very new to me.

Essential requirements

The most basic requirement can be summed up as follows:

Given the search aggregator (master) and a group of sites that return results (slaves). Whenever a search is performed by a user logged in on the master, the master contacts all the slaves and passes along the identity of the user making the request. This information needs to be unambiguous and secure. Slaves will then return results respecting the user's access permissions back to the master, who aggregates and caches the results for browsing.

All communication to the slaves is done by the master. For practical and performance reasons, none of this can be implemented on the browser/client-side (other than maybe a trivial form/redirect to log-in once).

1. Naive implementation

A very simple implementation could use each user's e-mail address as the global identifier for identity, and map it to the local Drupal uid on each site. The request could be signed using a simple keyed hash (HMAC) with a shared secret key that is set on all the participating sites (thus encoding trust). A query from the server to a slave might look like:

GET http://example.com/opensearch/node/keywords?user=name@example.com&hmac=123456789abcdef

There are several problems with this:

• The user needs to register manually on each of the participating sites using the same e-mail address.
• A shared secret needs to be manually set on each of the participating sites.
• All participating sites must be part of a completely trusted, closed network.

2. Improvements: OpenID log-in

Some first low-hanging fruit is using distributed OpenID for the end users. This avoids explicit registering on each of the participating sites, as the Drupal OpenID module does this for us when you log-in the first time. It also gives us a globally unique identifier (the user's OpenID) which is verified (by DNS), to cross reference the local numeric uid's with.

However, OpenID is distributed in nature, and does not immediately help us when we want to have the master prove to the slave that it is allowed to fetch content for a certain user. The only entity that knows and holds the keys/cookies to which sites a user is logged in to is the user's browser (User-Agent), while the home site knows only which sites are allowed and have been logged in to in the past.

The trust between master and slave would still have to be implemented through some other means, for example again using a shared secret key and HMAC verification:

GET http://example.com/opensearch/node/keywords?user=user.openid.com&hmac=123456789abcdef

Instead of authenticating every request, we could also implement an authenticated 'back door' through which the master can force log-ins on the slaves without doing actual OpenID authentication with the home server. The result would be a session cookie for each slave that can be used normally by the master:

POST http://example.com/trust/?user=user.openid.com&hmac=123456789abcdef
=> Cookie is set

GET http://example.com/opensearch/node/keywords
Cookie: PHPSESSID=123456789abcdef123456789abcdef

This backdoor login would be provided by another module, and would have to rely on e.g. a DNS or IP-based whitelist of allowed hosts, optionally with SSL to ensure confidentiality.

Access control would be respected by Drupal using the normal session mechanism and the OpenSearch client module would not need to be altered. The cookies can be stored along with the local user account on the master, and aggregated OpenSearch data would be cached on the master per user.

3. Search master as home server

A possible solution is to restrict the OpenID home server to be the search master.

This would allow the master to log-in to the slaves directly, as it can produce all the necessary cryptographic tokens without needing user action. No modifications are needed to the slaves. Once the master has logged in once to each site, it has a valid session cookie for each (like in (2)).

4. Multi-login extension to OpenID

Another solution would require an extension to OpenID, both to the client module for Drupal and the code that runs the home server. Still, it would allow the home server to be any other server (or even a set of servers), provided the home server supports the custom extension.

When the user logs in to the search master, the module would know that it will need access to each of the search slaves. When it sends a request to the home server, it would not only ask for a log-in to itself, but also for each of the slaves. The user would get a single screen on the home site to log-in to (with correct notification that this is a multi-login), and is returned to the search master.

The search master logs in the user locally, and uses the cryptographic tokens for each of the slaves to log into them. The slaves can verify the log-in tokens using direct communication with the OpenID provider. Like in (3), normal Drupal cookies are returned to the master and used to perform the searches.

5. Other ideas

Of the above methods, only (2) is really immediately practical. Using OpenID at the base does not help if you still need proprietary extensions, or if you take away the ability to choose a home site. And if we do want to do (4) properly, then we need to develop an actual spec that respects the principles and security of OpenID. Not an easy job.

The downside of (2) is that there is no actual proof that the log-in took place, and that we rely on the shared key to ensure trust.

However, because the whole Identity 2.0 space is still developing, I think it would be silly to try and build something elaborate that implements some sort of utopian federation/whatchamacallit model. It would be an insane amount of work and would not be future proof or even useful today as very few real-world services would support it. I think we just have to wait here to see what develops, once OpenID gains some more widespread use and people get more comfortable with these concepts (which should happen in 2007).

5.1. SAML

SAML has been suggested as a standardized way of passing along security assertions. However, SAML is really a competitor to OpenID and started as a way of doing single sign-on between trusted sites.

The main difference is that OpenID is tied to a particular HTTP exchange pattern, while SAML better separates the message from the delivery method. Still, SAML is based on exactly the same principles, so assertions have to be generated and signed by the home server. So, they are still useless if we want the master to securely prove the log-in of a certain OpenID. Of course, we could encapsulate the message from master to slave in an unsigned SAML message, but that would really defeat the point of using SAML in the first place.

SAML itself doesn't do trust either. The slaves would still have to have a whitelist that includes only the master and which would be verified again by DNS/IP or SSL.

5.2. OpenID Proof-of-login token

The big functionality hole in OpenID is that the only one who can verify the cryptographic tokens for a log-in is the intended recipient (the relying party). There is no way in the specs to 'forward' the assertion by the home server that the user logged in to the relying party in a way that makes the information verifiable for everyone.

An extension to OpenID for this would be good. It's essentially a variant on the multi-login idea, where, instead of asking the user to log-in to the cloud of sites, the user only logs in to the master, and the master sends proof of this log-in to the slaves:

POST http://example.com/trust/?user=user.openid.com&....crypto-here....
=> Cookie is set

The slaves would again have a whitelist based on IP/DNS or SSL. The main difference with (4) is that here, trust is again set by the administrator rather than explicitly given by the user through OpenID.

Conclusion

(4) sounds like the cleanest solution, as it does not rely on explicit whitelisting for trust. The user simply has to check that the master is not asking for a log-in to an external site. However, it would require an extension to the OpenID log-in process on the home server, including the UI (as the extra log-ins have to be communicated somehow), so it is unlikely that it would be implemented easily.

(5.2) sounds better in this light, because only changes under the hood need to be made. The home server would simply send along extra cryptographic tokens that can be forwarded to other parties. Depending on security issues, these tokens could be requested in general (by amount) or for specific recipients (for each specific slave).

Both solutions require serious crypto and spec work to do properly.

So, today I've been living in Vancouver for a month and a half. I've had time to get settled in, so I figured it was time for a little retrospective.

This whole thing started in the summer, when Bryght offered me a job and the chance to move to Vancouver. Over the next months, I worked for them remotely from Belgium, while the paperwork was sorted. On November 29, I boarded a plane, taking with me a backpack, a suitcase and a large bag. The contents? Clothes, towels, toiletry, lots of media (mostly DVDs and games), two bottles of beer and my trusty PowerBook.

Once landed at YVR, I had to go through immigration to receive my Work Permit. A lengthy wait, a call to Kris Krug and a short interview later, I was a legal worker in Canada. The first thing I saw when I left the airport was a huge snowstorm! The following days proved to be warmer, but not less stressful.

I needed to open a bank account, get a phone, get a social insurance number and get the keys to my new apartment. Simple, were it not that these actions were tangled in an obscure web of dependencies. I can't get a phone contract without a bank account. I need the bank account to pay my rent. I need an address to get a bank account. In the game of life, all dependencies are circular.

Some creative timing and small lies later, I was in possession of all of the above, and I'd only lost about a day's worth of time doing it.

Once that was over, things did get better though. Vancouver turned out to be a very lively, interesting place. My job at Bryght went well, and once I settled comfortably in my 11-18 work schedule, I got quite productive. It also helps that we have a great office with a gorgeous mountain view. In my spare time, I still did loads of Drupal coding (in light of the now released Drupal 5), but did get to see the city.

When the holidays came about, I was invited to Boris and Petrina's (collegues) crazy family christmas on Vancouver Island. The food and gifts were plentiful, the people were incredibly nice and I had a great time. Since then, the weather has remained relatively steady around 0-7°C, with some rain and occasional melting snow.

So that's where I'm now. In this time, I've gotten somewhat used to the particular quirks of Canada and its culture, but I still very much feel like an outsider here. There are plenty of differences... I'll name a few, good and bad. I'll start with the latter:

The Bad

• Dealing with money is bothersome here. First, there's the fact that prices never include taxes, and that tipping is expected. So, it is hard to know in advance how much you'll pay. Secondly, banking sucks here. Banks charge fees on the order of $1-2 for simple transactions such as money withdrawal from a machine. Transferring money electronically between banks is tricky, so cheques are still the main method for paying large sums. In Belgium, cheques are extinct and online banking is easy, free and painless. Oh, and in Belgium, bank cards rely on secure chips rather than error-prone magnetic strips.
• Commercialism is everywhere. There is a much higher penetration of stores, restaurants and clubs than in Belgium, and advertising is much more prevalent. Example: I ordered cheques from the bank, and it included an ad for another company that sold administrative stamps. There is a large emphasis on buying, gadgets, consuming and wealth. Eating out is much more common than what I'm used to, and more money is spent daily, for example on cab ribes. Finally (and this is mostly because I live in the city), generally everything is quite expensive here. For what I pay here in rent for a bachelor apartment, I could get a small house in Belgium.
• Modern, fast-paced living is the keyword. Lunch is often a sandwich on your desk, and cups of coffee and soda are within reach constantly. There is an insane amount of traffic of cars and people at any particular time. This is further amplified by the young age of the city. Everything is new, and the city expands every day at a high rate. The few specks of left over antiquity are shadowed by huge towers of apartments and offices.
• English dominates, both in language and culture. It's strange in a way, because Vancouver is quite multicultural, yet like most of North America, it focuses mostly on itself. There is a very big vibe that this is 'the place to be'. Europe is but a very distant location where people go on holiday or study, but very few people appear to be in touch with it. At most, they'll have some family roots in one of the European countries. The French half of Canada is nowhere to be seen here.
• Lots of homeless. This is a specific problem with Vancouver, which I've been told is because the climate here is the most moderate in Canada, and hence attracts lots of people who live on the street. People asking you for spare change happens several times a day as you walk around. It is all the more disturbing because a lot of the city is very clean and new.
• Lack of good bread. This might sound silly, but in Belgium (and the Netherlands), people tend to eat a lot more bread. We only eat one hot meal a day normally, while lunch is typically sandwiches. Because of this, we tend to eat higher quality bread with a much bigger variety of spreads, deli meat and cheeses. In Vancouver, the average supermarket bread is a sponge that you can squeeze like an accordeon only to have it expand back to its original form. It can stay fresh for weeks and tastes flat and dry. Now, I've managed to scout out some places that might offer better bread, but most of it tends to be speciality bread, usually heavy or flavored. Either that, or a simple baguette. But a proper, normal white or brown loaf seems impossible to find.
• Draconian alcohol laws. Alcohol may only be sold in official government-run liquor stores and the selection is quite small (except for bars/restaurants, of course). No Pecheresse here...

The Good

• Amazing food is available everywhere. All the different ethnicities in Vancouver seem to have dozens of restaurants each. Chinese, Thai, Korean, Mongolean, Vietnamese, Japanese, Italian, ... The prices are very reasonable and the variety is great.
• Friendly people. Compared to surly Belgium, Canadians and Vancouverites in specific are giddy with joy. Greetings involve the standard "how are you today?", service is much more servicing "hi, welcome to Foobar, what can I help you with?" and people are much more open and eager to meet you.
• Very multicultural and tolerant. There are too many ethnicities here to count, and they all work the same jobs, have the same houses and drive the same cars. Racism seems a distant concept here, in my experience.
• Beautiful environment. Coming from densely populated Belgium, where the highest 'mountain' is 594m tall, Canada is a treat for the eyes. Parks and mountains are just a small bus or boat ride away, and a lot of it is preserved as wild. And yes, there are bears up north.

Generally, in spite of the negative tone above, I'm very happy to have moved here. I've met some incredibly interesting people, have a great job where I work on what I like and I'm learning a great deal about business, culture, people and life in general. I do miss Belgium and the people there, although thanks to the Internet I can talk to them often and cheaply.

The final big question (that everyone seems to get asked, when moving here) is: will I stay, or move back eventually? Honestly, I still can't say. The only certainty is that I want to keep doing what I'm doing now, job-wise. But there are plenty of opportunities inside and outside of Canada for that.

So far, Vancouver has proven to be a great step for me, so all I can do is wait and see what life brings next!

Tomorrow I'll be boarding a plane heading to Vancouver. Unlike the last two times, this trip will be one-way. Once I land, I get to walk the immigration gauntlet, after which I'll hopefully get a valid work permit.

Apparently, my life comes down to a big bag of clothes, a suitcase stashed with media, a backpack full of electronics and a box of books trailing behind. Plus, two bottles of beer.

Aside from my friends and family, I'll be missing the national sport of sandwich-making, sweet sweet Pêcheresse and fries that have anything but ketchup on them. Oh, and buildings that are older than 150 years.

The Belgium-Vancouver Beer Pipeline is the first of several steps intended to remedy this problem.

Well I guess a little status update is in order, as I've just had a very busy and exciting week go by ;).

Vancouver, Canada

... is not bad at all. The people are friendly and the sights are amazing (coming from someone whose land of origin is flatter than a pancake). Pretty from most angles, anyway; -1 on the expensiveness, all the homeless people and the difficulty in finding a proper sandwich. Seriously people, meat salad is only the beginning.

Bryght

... is a fun place to work at. The environment is very relaxed and the Bryght guys are a very sensible bunch (which all Drupaleers should already know). Part of the deal I have with Bryght is that I can spend a certain amount of my work time on arbitrary Drupal stuff (e.g. writing or reviewing core patches), which is working out great.

BarCamp Vancouver

... was a blast. This is the second BarCamp (and third *Camp) I've been to, and it just gets more fun every time. A ton of people showed up, all with tons of ideas buzzing around in their head. The opening party was at Bryght's new office, but the actual event was at Workspace in Gastown, an awesome shared working environment for geeks and non-geeks alike.

The Weather

... has been awesome. Today was actually the first overcast day I've ever seen in Vancouver, and even then it didn't actually rain. I wonder how long my "Rainless Vancouver" streak will last (18 days and counting).

The Scenic Tour

... starts here as I'm borrowing a digital camera at the moment. I've been uploading the photos that don't suck to flickr.

After five years of studying I'm finally the proud owner of my university degree "Master in Electrical Engineering: Multimedia and Signal Processing" (phew). So, what do I intend to do with it now? Well, absolutely nothing.

See, the past year Drupal has taken up more and more of my spare time. It was still manageable when combined with my carefree student life, but in combination with a full-time engineering job, I think I'd burn out pretty quickly.

So I decided to turn my hobby into my job and sign up with one of the Drupal shops: Drupal is hot at the moment, pays well and is interesting, innovative work.

After considering all my options, Bryght came out as the most interesting choice. Aside from getting to spend a significant amount of my time working on Drupal itself, they're also giving me the chance to move to Vancouver. Once the paperwork goes through (which could take a couple of months), it's good bye chocolate and beer and hello mounties, maple leaf and mountains.

I have to admit Belgium has become less and less interesting over the past years: crappy broadband, high taxes, insane bureaucracy and an unfriendly political climate. Still, I don't think I'm saying good bye forever. It's just that one does not get the chance to live and work in a whole new part of the world that often, so I at least want to give it a shot. Canada, here I come ;).