Openid service

ping...

thanks heyrocker. Happy coding Xmas!

Good questions, but the session id is only supplied if the openid authentication is successful. Such that user jay@myopenid.com is actually logged into his myopenid.com account.

I am going to setup a bunch of test distributed search sites, for testing purposes.

This is not the case Greg.

It does not just willy nilly return the session id.

Only if you have access through your openid provider to login with that openid, then it will return that session id.

I will provide you more proof shortly.

Some of my rambling thoughts, which may or may not be true. Feel free to provide alternate points of view.

Oauth is not a replacement for openid. Oauth can be used to create the user credentials for an application, such as a photo printing service, that flickr users can access. Or mafia/mobster world access by facebook/twitter users.

However, it is probably better to use OpenID and Oauth in combination, as Google and other players are doing, using a hybrid openid/oauth implementation.
http://googlecode.blogspot.com/2009/05/google-openid-api-taking-next-ste...
http://www.slideshare.net/johnmccrea/what-an-rp-wants

Using drupal as an analogy, where each module is an application, such as book 'application', poll 'application', etc. OpenID is equivalent to the user module. Whereas Oauth is equivalent to the access control / permissions in drupal.

If it where just oauth providing access to each service/application/module, then what I would do in drupal, is create a role for book users, then a role for poll users. I would allow say fb/twitter users who were interested in my handbook, access using oauth, an applying the book role to them. In the same way other fb/twitter users that wanted to access my poll, results or vote, I would through oauth give them access to do so.

When they are on their fb/twitter site, the fb/twitter might know that they have access to my handbook and poll. However, when they are on my drupal site, using the handbook, that user is not necessarily related to the poll user. So they may likely not know anything about each other.

OpenID provides a uniform identifier so that the book user and poll user can be one user reducing duplication, and providing better usability.

Okay, this is very interesting feedback, thank you. I'm not clear at all yet, so I will rehash what I can understand so far.

currently the scenario I was working off from was
Case 1) Distributed search
Site A where user Joe can perform distributed search, is an IdP (OpenID provider), and thus site A gets login credentials for site B, C, D with OpenID authentication (assuming Joe can perform OpenID authentication, by being logged into his IdP site A). This is currently on a working implementation.

Case 2) OpenID toolbar
Site A which is Joe's IdP, lists the RPs that Joe logs into as joe@A. On clicking the RP link on site A, joe@A is logged on to site B with a javascript login, similar to the original posts by Luke Shephard
http://www.sociallipstick.com/2009/02/?y%25/how-to-accept-openid-in-a-po...

Using Oauth instead:
Case 1) Distributed search
Site A, which is Joe's IdP and where Joe uses distributed search, is a oauth client, of sites B, C, D which are all oauth service providers. Not sure how oauth and openid would tie together here.

Case 2) OpenID toolbar
Site A, which is Joe's IdP, lists sites that Joe@A has logged onto, and uses oauth to authenticate the user to login automatically to sites B, C, D.

I guess, I seem to be leaning on the facebook way of doing things;
http://iiw.idcommons.net/Why_Facebook_doesn%27t_implement_OAuth_today
"It takes only two HTTP requests to get a user session in Javascript and start making API calls. With vanilla OAuth, it takes four HTTP requests - two on the server, and two on the client."

The openid service calls user_authenticate_finalize which invokes hook_login.

In openid.module function openid_login_validate() calls openid_begin() which will ask the user to login to their OpenID provider and ask to allow the drupal site access, etc.

If the user does not have login credentials to the OpenID provider, they will not gain login to the drupal site.

I have to say, I need clarification on this:

So logging in with a google openid to a drupal site could result in authorization of access to the google api. Services is only about providing API:s not consuming them so it would only be the reverse that's interesting for us - giving oauth authorization as part of a user logging in to a third party site with an openid provided by a Drupal site.

AFAIK, logging in with a google OpenID to a drupal site, would not result in authorization of access to the Google API, that requires OpenID and Oauth together. The user access to Google occurred when on the client side, the user logged in to Google, as a proviso to use Google as an OpenID provider.

Comparing to Google is a different ball game, because definitely Google would be the OpenID provider as well as the Oauth service provider. Because usually a single drupal site compared to Google is like David and Goliath, where the drupal site is dependent on Google for access to information, etc.

However in the case of distributed search, where each site is more or less equal to each other, and not one site more of a repository than the other, making each site to be an Oauth service provider for the other adds a layer of complexity that just doesn't make sense to me, as I'm dealing with a trusted network of sites, that are on the same playing field.

The statement

The proposed service is a security risk. To log a user in based on the caller knowing the openid url is about as secure as granting someone access because they know my email.

is simply and painfully not true, because as I mention above it will run through functions openid_login_validate() and openid_begin().

Think about if you type in my openid url into a drupal openid. Just because you know a person's openid, and type it into the login box, does that mean that you will automatically gain access to the drupal site? The answer is obviously not. Because, if it were the case, then there would not be openid module in core.

Please give me a chance to chat with you and other nay sayers, I am sorry I missed the irc chat a week ago. When are you meeting next?

I mean I am happy to close this patch and just maintain a separate project if there is so much fuss about it.

However, I don't think that decision should be made based on an incorrect assumption.

OpenID can be confusing, and it can be scary because of the seemingly lack of dependence on a password. However, the password stage is moved from each individual site, to the OpenID server. The authentication still exists, a password (or infocard) is still needed to login to the OpenID server.

Yes, it is true, that if your password to the OpenID server is compromised, then that person can access all your sites that you have authenticated with your OpenID url. This is part and parcel of the OpenID technology. The extent of damage is larger if a person knows your OpenID username and password to the OpenID server, because now they can login to all sites B, C, D that you used to login as joe.myopenid.com.

The choice to enable OpenID on sites, or for users to use OpenID is a personal and individual one, that 'Joe' has to consider as to balancing the convenience of OpenID with someone getting his OpenID server password. However if Joe uses the same password for logging into sites A,B,C,D when not using OpenID, then the same effect would follow anyway.

However, just knowing your OpenID username does not grant a person access to sites B,C,D, because the OpenID server will return to the drupal site, whether you have access or not. If Joe is not logged into their OpenID server, then the response to the drupal site will be false, and Joe will not be logged into the drupal site.

Okay, maybe I missed something.

I was so sure that distributed search results are not returned when the user is not logged into their OpenID provider. However, I have to prove it to myself whether this is true or not.

The best thing for me to do is to test this again, and maybe setup some publicly available test sites.

Not at all. You are all very right, and I am very incredibly mistaken.

I must have been dreaming, to have thought I had properly tested this, and that it would go through the openid authentication IdP each time before returning the session id.

I apologize for all this misunderstanding, and taking your time.

I have created an issue to webmasters to remove openid_service.
http://drupal.org/node/699352

I am sorry for all this trouble.