I'm working on a module to support Drupal logins using OpenID. For those of you not familiar, OpenID is a decentralized identity system. In OpenID, a user's identity is keyed by a URL that represents them. A "Consumer" is the site that the user wants to log in to, i.e. Drupal, and the "Server" is the site that knows about the user.
The first problem I encountered is that OpenID users should not enter their password on the Consumer site. This should be a fairly obvious security concern. To sidestep this problem I created a separate block for OpenID login only that has one field for the user to enter their URL. Does anyone see a problem with this?
I'm now stuck trying to figure out what to do about creating user accounts, user names, email addresses, etc. First of all, it doesn't seem that a URL is a valid Drupal username. Ideally, when a user name is displayed for an OpenID user, it would appear as a hyperlinked URL. Second, it appears that an email address is required. I suppose that could be resolved by prompting the user for an email address when they first use their OpenID.
One thought I had was that I could create a separate database table that maps OpenID to user account. That could allow existing users to associate an OpenID with their account.
If anyone has any input, it would be greatly appreciated.
Comments
ugly trick
As you might know, http://username:password@my.site is a widely used URL scheme (despite not being valid; the login part is only for FTP). Omit username:password and get http://@my.site. That is something that Drupal will understand as an external userid.
Caveat: Opera will give you a warning if you click on such a URL. Opera takes security very seriously.
--
Read my developer blog on Drupal4hu.
--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.
Thank You
First off, thank you for working on this. I see OpenID as an important contribution that could someday take over Drupal's internal distributed auth system.
To your point, I thought the OpenID Server sent back a handle that you could use to construct a local account with. For example, if you logged in as "bloghost.com/users/brad123" then the server returned a parameter of "Brad".
When I first read the idea of representing users as URLs instead of "user" or "user@host", I was a bit curious how these identities would be integrated into conventional systems. I'm wondering if Drupal's auth mechanism will need to be expanded to accommodate this format.
The url is the handle
The way OpenID is defined, it is intended that the URL be the handle. Otherwise, if something like "Brad" was returned, there would be no guarantee that it wouldn't already be used by someone else on the site.
I think that ideally, different authorization mechanisms would have their own tables that pointed into the global user table. This way, things like passwords and identifiers would be associated with a particular authorization mechanism. Then the user table would just contain a display name.
actually...
We can already make extensive use of the authmap table... Yes, I agree that the user@server restriction needs to be lifted (anyone noticed the zcallbacks.module hacking that ldap_integration has had to do??).
We may need to augment authmap slightly, but it's exactly the base we want to build on.
--
James Walker :: Bryght Guy
--
James Walker :: http://walkah.net/
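As an added illustration (not code from this thread or from the OpenID module being discussed), here is a plain Python/sqlite sketch of the mapping-table idea from the original post and the authmap suggestion above: a canonicalized OpenID URL is the key, the local users row keeps only a display name and email, and an existing user can attach an identifier. The table layouts, column names and function names are assumptions.

```python
import sqlite3
from urllib.parse import urlsplit, urlunsplit

def open_db():
    # Constructed in-memory stand-in for Drupal's users and authmap tables (assumed layout).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, mail TEXT);
        CREATE TABLE authmap (aid INTEGER PRIMARY KEY, uid INTEGER NOT NULL,
                              authname TEXT UNIQUE NOT NULL, module TEXT NOT NULL);""")
    return db

def normalize_openid(raw):
    # Canonical identifier: add scheme, lower-case host, drop userinfo/query/fragment and
    # trailing slash, so 'Example.com' and 'http://example.com/' resolve to one account.
    raw = raw.strip()
    if "://" not in raw:
        raw = "http://" + raw
    p = urlsplit(raw)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("OpenID identifier must be an http(s) URL")
    host = p.hostname + (":%d" % p.port if p.port else "")
    return urlunsplit((p.scheme, host, p.path.rstrip("/") or "/", "", ""))

def display_name(ident):
    # users.name cannot hold the URL itself, so show host+path there and keep the real
    # identifier (the thing to render as a link) in authmap.
    p = urlsplit(ident)
    return (p.netloc + p.path).rstrip("/")

def lookup(db, openid):
    row = db.execute("SELECT uid FROM authmap WHERE module='openid' AND authname=?",
                     (normalize_openid(openid),)).fetchone()
    return row[0] if row else None

def register(db, openid, mail):
    # First visit: email is prompted for, since the identity server does not supply it.
    ident = normalize_openid(openid)
    if lookup(db, ident) is not None:
        raise ValueError("identifier already registered")
    name, n = display_name(ident), 1
    while db.execute("SELECT 1 FROM users WHERE name=?", (name,)).fetchone():
        n += 1
        name = "%s (%d)" % (display_name(ident), n)   # display names may collide; keys don't
    uid = db.execute("INSERT INTO users(name, mail) VALUES (?, ?)", (name, mail)).lastrowid
    db.execute("INSERT INTO authmap(uid, authname, module) VALUES (?, ?, 'openid')", (uid, ident))
    return uid

def associate(db, uid, openid):
    # Existing local user links an OpenID; refuse if it already belongs to someone else.
    ident = normalize_openid(openid)
    owner = lookup(db, ident)
    if owner not in (None, uid):
        raise ValueError("identifier already belongs to another account")
    if owner is None:
        db.execute("INSERT INTO authmap(uid, authname, module) VALUES (?, ?, 'openid')", (uid, ident))
```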
What I have so far
Here is a copy of what I have so far. Currently it just does the OpenID Identity verification and prints out some messages indicating whether it was successful or not. In particular, the "doXXX" methods of the DrupalActionHandler need to actually do something.
Let's have a meeting
We (Bryght) definitely want to support OpenID, perhaps as a secure replacement for Drupal auth, but in general as one of the main open distributed identity mechanisms.
You might want to check out the SXIP module that James created, as it deals with a lot of these same issues. James has been working with a bunch of Jabber stuff that might be related as well, and is in general an expert on those concepts of user/distributed auth stuff.
Perhaps we can have a meeting over Skype or IRC for everyone interested in identity stuff and Drupal? Use my contact form to get in touch. We should also put this on the agenda for the meetings in Amsterdam.
--
Please turn on the "story" type, so we can use it to have an archive of best practices, how tos, and configuration recipes.
I'm happy to help with the
I'm happy to help with the OpenID implementation either in coding, testing or documentation. Just give me a shout when there is some kind of SIG.
It is rather hard to see who is working on this right now.
OpenID Module Add On
Hi, I have been messing with the OpenID module and added a setting for assigning "default roles" to an OpenID-registered user.
I have changed the following:
Add the roles to the user on signup (line 309):
Add a function to change the settings:
Add the help text:
Add the menu options:
Cool beans so far Check out
Cool beans so far
Check out http://iwantmyopenid.org/ - they have bounties going for OpenID support.
openid news
Found OpenID News
I think links located there may be useful for openid beginners ...
---
>MyDrupal