A small module that allows users to authenticate with a Belgian eID card, using Fedict's OpenID Identity Provider.
The Drupal website will act as the Relying Party, while the IDP will take care of the communication with the eID card itself, using a java applet.
The beididp_profile submodule can be used to map eID information (like name, address ...) to Drupal Profile fields.
The beididp_pape submodule adds support for OpenID PAPE 1.0
Difference with other modules:
- This module does not use the eid reverse proxy (unlike the eID module), but reuses as much (Drupal core) openid code as possible, while providing a user friendly interface (eID button).
- Unlike OpenID core module, the user does not have to remember his OpenID identifier. To prevent session cookie hijacking, login with eID is only available over HTTPS
- Unlike the OpenID Selector, the module does not use Javascript.
The sandbox page: http://drupal.org/sandbox/bart.hanssens/1311900
git clone --branch 6.x-0.x http://git.drupal.org/sandbox/bart.hanssens/1311900.git belgian_eid_idp_integration
Drupal 6.x
Reviews of other projects
3rd round of reviews
| Comment | File | Size | Author |
|---|---|---|---|
| #19 | drupalcs-result.txt | 1.8 KB | klausi |
Comments
Comment #1
jasonrichardsmith@gmail.com commentedResults from pareview:
Review of the 6.x-0.x branch:
This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. Go and review some other project applications, so we can get back to yours sooner.
Source: http://ventral.org/pareview - PAReview.sh online service
Comment #2
jasonrichardsmith@gmail.com commentedComment #3
bart.hanssens commentedThanks, I've updated the comments in the module, and removed the LICENSE file / version info.
Pareview error report is empty now.
Comment #4
attiks commentedI did some testing, but without https, and it works:
Some remarks:
for ($i = 1; $record = db_fetch_object($result); $i++), why not a while loop?Comment #5
bart.hanssens commentedThanks for the review
- added implements hook...
- don't log message when no rows are affected
- ...validate: removed the space
- ...login_validate: added exception for admin
- used a while loop (for ...$i was leftover code, don't need $i anymore)
About the "change this": the idea is to add a prefix (salt) to the unique rijksregister number to be hashed (rainbow table protection).
If it is stored as a setting, it is stored in the database, which is a risk when someone gets a hold on the database (or a backup).
Storing it on the file system adds a (tiny) protection.
Note that this hashing should actually be done on the (remote) IDP server, not on the Drupal relying party itself.
But this option is added to the module anyway, just in case the IDP isn't configured to hash the RRN.
I will add this info in the README.txt
Comment #6
attiks commentedyou missed one in beididp_admin_validate:
if (! valid_url($idp)) {About the "change this": now the values are in code, and people can not change the value inside the module, because if they upgrade they loose their values and all registered accounts stop working. If people don't want to store the value inside the database they can add it to their settings.php like this:
Comment #7
bart.hanssens commentedOk, thanks ! Fixed the space in beididp_admin_validate.
I've added variable_get()'s in the hash function to retrieve the values from settings.php and added some info to the README.txt
Comment #8
attiks commentedThis looks good to me, marking his as RTBC so someone else can have a look, also adding a tag for security review.
Comment #9
klausi@attiks: we use the security tag only for applications where we find security issues, so I'm removing it from this one.
manual review:
Comment #10
bart.hanssens commentedThanks.
- I've changed the beididp_perm() doc and the documentation of hook_form_FORM_ID_alter() implementations
- changed doc of beididp_form_alter()
- removed the @, is not needed
- changed OPENID_... defines to BEIDIDP_ ...
- changed it into t(... @error)
Comment #11
klausiThe response time for a review is now approaching 4 weeks. Get a review bonus and we will come back to your application sooner.
Comment #12
bart.hanssens commentedok, I'll give it a try ...
Comment #13
klausimanual review:
Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.
Comment #14
bart.hanssens commented- removed the setting of the variables
- removed the @'s
- closing ) of array on a separate line
- now using drupal_write_record (the INSERT... was based upon the openid module in Drupal 6 core)
- added sanitizing
- "Implements hook_beidip_auth_request()".
- removed empty function
Comment #14.0
bart.hanssens commentedadded info about bonus
Comment #14.1
bart.hanssens commentedadded / changed "other projects reviewed"
Comment #15
bart.hanssens commentedOk, reviewed 3 other projects, listed in the summary.
Comment #16
klausiPlease don't remove the security tag, we use that for statistics and to show examples of security problems.
Comment #17
attiks commentedCan you run your code through coder again, there are still some warnings:
return($name . $prefix);can be changed toreturn $name . $prefix;There a strange sentence inside the README.txt: The IDP applet can work with our without eID middleware, so there is no need to install it on the client.
Inside beididp_help: if the string inside t() contains single quotes, you better use double quotes around the string, this will make it easier for translators because they don't have to escape the single quotes.
Comment #18
bart.hanssens commentedHi,
Comment #19
klausiReview of the 6.x-0.x branch:
This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. Get a review bonus and we will come back to your application sooner.
manual review:
Sorry to bump this back to "needs work", but you need to know where to use check_plain() and where not. Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.
Comment #20
bart.hanssens commentedThanks for the feedback
Comment #20.0
bart.hanssens commentedadded reviewed projects
Comment #20.1
bart.hanssens commentedstarted 3rd round of reviews (for pareview bonus)
Comment #20.2
bart.hanssens commentedadded reviewed project
Comment #21
bart.hanssens commented3rd round of 3 reviews (bonus)
Comment #22
klausiGreat, looks RTBC to me now.
Comment #23
klausiAssigning to tim.plunkett, as he said he might have time to review this.
Comment #24
tim.plunkettThis looks great, and welcome to the community of project contributors on drupal.org.
I've granted you the git vetted user role which will let you promote this to a full project and also create new projects as either sandbox or "full" projects depending on which you feel is best.
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
As you continue to work on your module, keep in mind: Commit messages - providing history and credit and Release naming conventions.
Comment #25
bart.hanssens commentedThat's great, thanks !
Comment #26.0
(not verified) commentedadded review