Now, please direct your attention to Exhibit B: RFC 3875, section 4.1.7. Specifically, the below quoted paragraph:

   The server MUST set this variable; if the Script-URI does not include
   a query component, the QUERY_STRING MUST be defined as an empty
   string ("").

A potential  poit user recently encountered this problem.   While I would like to update the lighttpd bug entry alerting them to this crucial violation of specification, I’m also unwilling to sign up to yet another bug tracker just to fire off a single comment; avoiding such overhead is precisely the reason why I support OpenID.

Update: Mere minutes later, said user has pinged the bug.  Hopefully this leads to a resolution more correct than the first.

There is documentation on how to set up the server itself, but not on how to set up an OpenID identity to use said server.  I plan to write a more complete HOWTO on the latter in the coming days.

Due to the need for recovery then injury, I have been home more than usual in the last few days, and have managed to put in some solid work on the project.  The UI is mostly finalized, consumer-specific quirks have been worked out, and, code wise, it is ready for 0.1.

Well, at least according to my original plan.

One thing that is still lacking is per-consumer configuration, which means poit currently authenticates to any and all consumers if there is still a valid session when asked to operate in immediate mode.  Although not particularly dangerous, this is not going to stay the default, and it feels irresponsible to leave it as such until 0.2.

So, a little more waiting until I get this sorted out.

In the meantime, if you’re OK with the above mentioned policy, grab the source from git and give it a go.

This is a reworking of a even simpler server I hacked together for personal use last year.  The UI is currently very bare, and there is no documentation, but it does work, and the code is no longer terrible to work with.

It’s been tested to work on a handful of OpenID consumer sites, with only two known failures so far: Facebook and Stack Overflow.

Unsurprisingly, Facebook’s consumer implementation seems to be broken, and I won’t bother following up on that any time soon.  The failure against Stack Overflow is both unfortunate and ironic as using it was a major motivation for starting the original project.

At the moment, the UI is very crude and it doesn’t protect against all plausible bad inputs, but it is functional, and I do use it for my own needs.  Time permitting, I’m hoping to be able to cross off all the features planned for the first release in two weeks.  Some additional testing would be much appreciated.

Critiques, suggestions, and patches welcome—notification of security issues, especially.