Drupal 7 port of OpenID Provider

Subscribe. A D7 port would be very useful.

subscribing

Subscribe.

Has anyone started on a port? I would love to start working on this, but I would also like to avoid duplicating efforts.

There are also a few related modules that need to be ported.

Indeed. I don't think anyone is working on this yet.

It's true. I've not begun any work on a D7 port. However, I've upgraded my personal site to D7 and intend to build this out to be "good enough for me" so that I can stop delegating my OpenID elsewhere. No code yet, however.

is somebody working on a port?

I am also in need of this. Since I must make a decision on whether to proceed with Drupal 6 or 7 for the next project we are setting up, and OpenID Provider is a requirement, I had a go on a port of this module. I am completely new to Drupal, I installed it one week ago, and I am trying to learn in a hurry...
I doubt my patches will be up to standard, but they may help the main author to do the job properly :)

I will upload my current version tomorrow. Up to now, most things seem to work, user interface is a little iffy because of the new overlay feature, which the previous code does not cater for, and I dont know enough about the programming model of Drupal to fix this. Also, pathAuto integration is giving me some hard time, especially the "bulk updates". Anyhow, I will post detailed info and source sometime tomorrow.

This is an initial port of openid_provider to Drupal 7 API.
Since this is my first attempt at writing code for Drupal, do not expect much.
I have tested as best as I could, and it seems to work, but this does not say much.
use at your own risk!

You will find a detailed report on the porting, plus some changes/enhancements in the attached file.

attachment seems to have been botched by the system, trying again...

hi mikecar,

what is the vssver.scc file for? i can not open it...

version control, included by mistake. just delete it.
(vss version control file, like cvs)

subscribing

subscribe

will it become a dev release?

subscribe

subscribe

What might be helpful is either a sandbox project or a 7.x-1.x branch so people can post patches for the D7 port.

Thanks,
Chris

Subscribing.

anyone tried to upgrade the osso_relying modules on github ?

would be awesome if these became d.o contrib

https://github.com/developmentseed/osso_relying
https://github.com/developmentseed/osso_relying/issues/1

; KeyAuth 
projects[keyauth][type] = "module" 
projects[keyauth][download][type] = "git" 
projects[keyauth][download][url] = "git://github.com/developmentseed/keyauth.git"

; Open ID 
SSO projects[openid_sso][type] = "module" 
projects[openid_sso][download][type] = "git" 
projects[openid_sso][download][url] = "git://github.com/developmentseed/openid_sso.git"

had a positive github issue exchange with lxbarth regarding the osso modules contributed to d.o and upgraded to D7

anyone else interested in osso as contrib on d.o ?
on a D7 upgrade ?
http://groups.drupal.org/node/140874#comment-490599

btw, just noticed Drupal Gardens has an OpenID Provider

I wonder if its a D6 provider or an unreleased D7 module ? I thought Drupal Gardens was a pioneering D7 site.

If so, whats the ETA for this D7 OpenID_Provider to make its way into open-source ?

https://www.drupalgardens.com/user

<link rel="openid2.provider" href="https://www.drupalgardens.com/openid/provider" /> 
<link rel="openid.server" href="https://www.drupalgardens.com/openid/provider" /> 

of course, being a pleb, I've probably missed something

more
OmniAuth OpenID Single Signon - OpenID - Single Signon Lives (Sorta)
http://groups.drupal.org/node/154879

have also requested a Single Signon Group
Single Signon: OpenID Single Signon, Omniauth, Bakery, Shared Tables etc
http://groups.drupal.org/node/155049

Yes, www.drupalgardens.com is using Drupal 6: http://www.drupalgardens.com/CHANGELOG.txt. All the Drupal Gardens sites themselves run on Drupal 7 though, and we do use the core built-in OpenID client module on all of them. I agree it would be great if a Drupal 7 version of the provider would be available, we have not worked on that at Acquia. Also, if we would have, I'm sure we'd have contributed it.

hi gabor,

thanks for the info.

fyi, there is movement to create a single-signon solution for OpenID, like the Drupal Gardens implementation i.e there is a missing project/module called single signon?

at the moment there seem to be only d.o projects for a D6 OpenID and a OpenID Provider, there is no simplified single signon project on d.o.

Will the Drupal Gardens single-signon solution become GPL or is that special herbs and spices?

a combination that does seem to work is the Dev Seed modules
http://groups.drupal.org/node/140874#comment-518904

Drupal Gardens does not have single signon. We have central user profiles, and we still need users to initiate their logins. We do make the underlying OpenID process seamless, so you don't need to know you are actually using OpenID. This requires augmentation of the OpenID process in various ways some so special that it is not really suitable for release as a generic reusable solution. I'd look at the Development Seed module stack for this on other setups.

Can we stay on topic here? We're looking for patches or volunteers to work on the d7 port. Thanks! :)

@mikecar - can you provide a proper patch for your port?

I'm working on the port base on @mikecar's code. The module is in my sandbox project.

Awesome! Can somebody review/test this? Is it ready at all?

I see that it's still just one big blob - I would rather see this as a patch to the current HEAD so that we can review changes, can you do that?

great, there are also D7 ports for the related companion modules - for OpenID relying parties in D7

OpenID Single Sign On Relying Party - D7 port
http://drupal.org/node/1166510

Here comes the patch based on paranojik's work. I haven't tested yet, but will go on with that now.

It is working for me. Anyway we might want to use Discovery module instead of the deprecated XRDS Simple module. Maybe the Drupal 7 port would be the right occasion to support the new (and not ready) Discovery module.

I have been thinking about implementing this in D6. Does anyone for see any problems upgrading fron d6 to d7?

tracking

*presses the non-existant watch button*

I need this and am happy to test and help debug. Is there a D7.dev ready?

And a recipe to follow? This is video for D6 is helpful: http://vimeo.com/25103388 but I would need to install on some existing sites, preferably without using Features or StrongArm--just install modules, configure modules, and tweak custom code.

Phew, that's a huge patch!

Sorry I took so long to review, I have been very busy...

Overall, I am really happy to see this patch come in. This is great!

Unfortunately, there is some work needed before the patch gets in:

1. there are whitespace changes mixed in with the other changes. please remove whitespace as it makes the patch *really* huge - there are some tricks to easily do this, let me know if you need help
2. there are non-porting changes in the patch, I believe - if those fix compatibility issues, they should be sent in a separate patch! otherwise we'll have fixed in the D7 branch that will not be in the D6 branch! and we *know* we need those fixes, so please split them apart
3. do not remove debugging. that debugging code is very useful to try to figure out why we can't login to site X with the module

I think that covers the thing generally. Some more specific comments on chunks are available below.

+++ b/openid_provider.incundefined
@@ -1,11 +1,6 @@
- * @file
- * Additional functions used bu OpenID 2.0 Provider.
- */
-
-/**
  * Create an association with an RP

Why remove this comment?

+++ b/openid_provider.incundefined
@@ -15,30 +10,33 @@ function openid_provider_association_response($request) {
+  @$dh_modulus = $request['openid.dh_modulus'];
+  @$dh_gen = $request['openid.dh_gen'];

this doesn't seem necessary for the D7 port, is it?

+++ b/openid_provider.incundefined
@@ -15,30 +10,33 @@ function openid_provider_association_response($request) {
-    'expires_in' => $expires_in

please keep whitespace changes separate

+++ b/openid_provider.incundefined
@@ -15,30 +10,33 @@ function openid_provider_association_response($request) {
+  if ($session_type == 'DH-SHA1' ||
+      (($session_type == '' || $session_type == 'no-encryption') && $assoc_type == 'HMAC-SHA1')) {

same, there are other such occurences later in the patch, i will stop here.

+++ b/openid_provider.incundefined
@@ -55,16 +53,23 @@ function openid_provider_association_response($request) {
-  _openid_provider_debug('recorded association (response: <pre>%message</pre>)', array('%message' => $message));

why remove debugging?

+++ b/openid_provider.incundefined
@@ -106,26 +111,10 @@ function openid_provider_authentication_response($request) {
-  /*
-   * according to section 9.1, an empty assoc_handle should make the
-   * 'transaction take place in "Stateless mode"'
-   * https://openid.net/specs/openid-authentication-2_0.html#requesting_authentication
-   *
-   * we do not support this yet: https://drupal.org/node/506530 - this is a
-   * workaround to fix https://drupal.org/node/1158356
-   *
-   * the spec, however, clearly states that responses MUST have that value set,
-   * so we generate a new one if the client didn't provide any
-   */
-  $assoc_handle = $request['openid.assoc_handle'];
-  if (!$assoc_handle) {
-    $assoc_handle = _openid_provider_nonce();
-  }
   $response = array(
     'openid.ns' => OPENID_NS_2_0,
     'openid.mode' => 'id_res',
@@ -134,10 +123,11 @@ function openid_provider_authentication_response($request) {

@@ -134,10 +123,11 @@ function openid_provider_authentication_response($request) {
     'openid.claimed_id' => $identity,
     'openid.return_to' => $request['openid.return_to'],
     'openid.response_nonce' => _openid_provider_nonce(),
-    'openid.assoc_handle' => $assoc_handle,
     'openid.sreg.nickname' => $user->name,
-    'openid.sreg.email' => $user->mail
+    'openid.sreg.email' => $user->mail,
   );
+  if (isset($request['openid.assoc_handle']))
+    $response['openid.assoc_handle'] = $request['openid.assoc_handle'];

this also seems to be unrelated to the d7 port.

+++ b/openid_provider.incundefined
@@ -155,18 +145,15 @@ function openid_provider_authentication_response($request) {
+  if (@$rp->auto_release) {

this is also a whitespace change imho.

+++ b/openid_provider.incundefined
@@ -155,18 +145,15 @@ function openid_provider_authentication_response($request) {
-    unset($_POST);

unrelated to D7 port.

+++ b/openid_provider.incundefined
@@ -200,16 +187,20 @@ function openid_provider_unsolicited_assertion($response, $url) {
+  // _openid_response() expects data in $_SERVER['QUERY_STRING']
   $url .= (strpos('?', $url) ? '&' : '?') . implode('&', $query);
-  $result = drupal_http_request($url, array(), 'GET');
+  $result = drupal_http_request($url, array());

not D7 related.

+++ b/openid_provider.incundefined
@@ -268,12 +259,14 @@ function _openid_provider_dh_xorsecret($shared, $secret, $algo = 'sha1') {
+    $assoc_handle = $request['openid.assoc_handle'];

why the intermediate variable?

it looks to me it will be used later in that function without being defined...

+++ b/openid_provider.incundefined
@@ -288,12 +281,11 @@ function openid_provider_verification_response($request) {
-      'invalidate_handle' => $request['openid.assoc_handle'] // optional, An association handle sent in the request
+      'invalidate_handle' => $assoc_handle // optional, An association handle sent in the request,

i.e. here.

+++ b/openid_provider.incundefined
@@ -328,12 +323,26 @@ function _openid_provider_rp_load($uid, $realm = NULL) {
@@ -360,16 +369,20 @@ function _openid_provider_sign($response) {

@@ -360,16 +369,20 @@ function _openid_provider_sign($response) {
     }
   }
 
-  $signed_keys = array('op_endpoint', 'return_to', 'response_nonce', 'assoc_handle', 'identity', 'claimed_id');
+  $signed_keys = array('op_endpoint', 'return_to', 'response_nonce', 'identity', 'claimed_id');
+  $assoc = NULL;
+  if (isset($response['openid.assoc_handle'])) {
+    $assoc_handle = $response['openid.assoc_handle'];
+    $signed_keys[] = 'assoc_handle';
+
+    // Use the request openid.assoc_handle to look up how this message
+    // should be signed, based on a previously-created association.
+    $assoc = db_query("SELECT * FROM {openid_provider_association} WHERE assoc_handle = :assoc_handle", array(':assoc_handle' => $assoc_handle))->fetchObject();
+  }
+
   $signed_keys = array_merge($signed_keys, module_invoke_all('openid_provider', 'signed', $response));
   $response['openid.signed'] = implode(',', $signed_keys);
 
-  // Use the request openid.assoc_handle to look up
-  // how this message should be signed, based on
-  // a previously-created association.
-  $assoc = db_fetch_object(db_query("SELECT * FROM {openid_provider_association} WHERE assoc_handle = '%s'",
-                                    $response['openid.assoc_handle']));
-
   // Generate signature for this message
   $response['openid.sig'] = _openid_provider_signature($assoc, $response, $signed_keys);
   return $response;

this also doesn't to be D7 related.

+++ b/openid_provider.incundefined
@@ -360,16 +369,20 @@ function _openid_provider_sign($response) {
@@ -382,18 +395,25 @@ function _openid_provider_sign($response) {

@@ -382,18 +395,25 @@ function _openid_provider_sign($response) {
  * @param array $message_array
  * @param array $keys_to_sign
  * @return string
+ *
+ *  modified by mk to allow for null association
  */
 function _openid_provider_signature($association, $message_array, $keys_to_sign) {
   $signature = '';
   $sign_data = array();
   foreach ($keys_to_sign as $key) {
-    if (isset($message_array['openid.'. $key])) {
-      $sign_data[$key] = $message_array['openid.'. $key];
+    if (isset($message_array['openid.' . $key])) {
+      $sign_data[$key] = $message_array['openid.' . $key];
     }
   }
   $message = _openid_create_message($sign_data);
-  $secret = base64_decode($association->mac_key);
-  $signature = hash_hmac($association->assoc_type == 'HMAC-SHA256' ? 'sha256' : 'sha1', $message, $secret, TRUE);
+  if ($association){
+    $secret = base64_decode($association->mac_key);
+    $signature = hash_hmac($association->assoc_type == 'HMAC-SHA256' ? 'sha256' : 'sha1', $message, $secret, TRUE);
+  }
+  else {
+    $signature = hash('sha1',$message,TRUE);
+  }
   return base64_encode($signature);
 }
 

not d7 related, whitespace

+++ b/openid_provider.incundefined
@@ -414,14 +434,3 @@ function _openid_provider_powmod($base, $exp, $mod) {
-
-/**
- * wrapper around the watchdog function
- *
- * this will log to the watchdog only if debugging is enabled
- */
-function _openid_provider_debug($message, $variables = array(), $severity = WATCHDOG_DEBUG, $link = NULL) {
-  if (variable_get('openid_provider_debugging', false)) {
-    watchdog('openid_provider', $message, $variables, $severity, $link);
-  }
-}

please do not remove our debugging code. there are other instances of this, i will stop reporting them here.

+++ b/openid_provider.installundefined
@@ -1,102 +1,84 @@
-    'description' => t('Tracks relying parties a give user has authenticated.'),
+    'description' => 'Tracks relying parties a give user has authenticated.',

is this necessary for the d7 port? just curious :)

+++ b/openid_provider.moduleundefined
@@ -54,39 +54,48 @@ function openid_provider_menu() {
-function openid_provider_perm() {
-  return array('manage own openid sites', 'administer openid provider');
+function openid_provider_permission() {
+  return array(
+    'manage own openid sites' => array(
+      'title' => t('manage own openid sites'),
+      'description' => t('TODO Add a description for \'manage own openid sites\''),
+    ),
+    'administer openid provider' => array(
+      'title' => t('administer openid provider'),
+      'description' => t('TODO Add a description for \'administer openid provider\''),
+    ),
+  );

please implement TODO or drop description

+++ b/openid_provider.moduleundefined
@@ -98,50 +107,169 @@ function openid_provider_sites_access($account) {
+/**
+ * Bulk generate aliases for all Open ID identity paths without aliases.
+ */
+//mk this function is no longer called. some other way is used for bulk updates, which is not documented
+//function openid_provider_pathauto_bulkupdate() {
+//  $query = "SELECT uid, name, source, alias FROM {users} LEFT JOIN {url_alias} ON CONCAT('user/', CAST(uid AS CHAR) ,'/identity') = source WHERE uid > 0 AND source IS NULL";
+//  $result = db_query_range($query,0,50);
+//
+//  $count = 0;
+//  foreach($result as $user) if (_mk_openid_provider_insupd('bulkupdate',$user)) $count++;
+//
+//  drupal_set_message(format_plural($count,
+//    'Bulk generation of OpenID Provider paths completed, one alias generated.',
+//    'Bulk generation of OpenID Provider paths completed, @count aliases generated.'));

hum. not sure why this function is there, commented out - isn't the batch update code just above that...?

+++ b/openid_provider.moduleundefined
@@ -179,28 +307,20 @@ function openid_provider_admin_settings() {
-  $form['openid_provider_debugging'] = array(
-    '#type' => 'checkbox',
-    '#title' => t('Enable debugging'),
-    '#description' => t('This will enable debugging of this module to the watchdog.'),
-    '#default_value' => variable_get('openid_provider_debugging', false),
-  );

please keep debugging! :)

+++ b/openid_provider.pages.incundefined
@@ -19,7 +19,6 @@ function openid_provider_endpoint($request = array()) {
@@ -76,48 +75,48 @@ function openid_provider_send() {

@@ -76,48 +75,48 @@ function openid_provider_send() {
  * @param object $account User account object for the user.
  */
 function openid_provider_sites($account) {
-  drupal_set_title(check_plain($account->name));
+  drupal_set_title($account->name);
   return drupal_get_form('openid_provider_sites_form', $account);
 }

necessary for d7 port? again curious :)

+++ b/openid_provider.pages.incundefined
@@ -76,48 +75,48 @@ function openid_provider_send() {
@@ -128,7 +127,14 @@ function openid_provider_sites_form($form_state, $user = NULL) {

@@ -128,7 +127,14 @@ function openid_provider_sites_form($form_state, $user = NULL) {
  */
 function openid_provider_sites_form_submit($form, &$form_state) {
   foreach ($form_state['values']['auto_release'] as $key => $value) {
-    db_query("UPDATE {openid_provider_relying_party} SET auto_release=%d WHERE rpid=%d", $value, $key);
+    // TODO Please review the conversion of this statement to the D7 database API syntax.
+    /* db_query("UPDATE {openid_provider_relying_party} SET auto_release=%d WHERE rpid=%d", $value, $key) */
+    db_update('openid_provider_relying_party')
+  ->fields(array(
+    'auto_release' => $value,
+  ))
+  ->condition('rpid', $key)
+  ->execute();
   }
   drupal_set_message(t('Settings saved.'));
 }

seems like we should fix this todo

Cool to see this status moving some. It's time to have a D7 openID provider...

do we have a working patch?

Yes, the above patch works.

is the xrds_simple dependency removed or how can it work without a drupal 7 port of the xrds_simple module?

you'll need to use the patch ported version too.

glad to hear the patch works. i'd still like to get a clean version, can anyone rework the patch so it passes the evaluation i submitted above?

thanks.

Here's a cleaned up version of the patch as suggested in #36.

I hope this gets commited soon so we can countinue adding further changes (coding style and features).

i am sorry, but there are still whitespace changes here... example:

+++ b/openid_provider.incundefined
@@ -364,11 +387,10 @@ function _openid_provider_sign($response) {
@@ -424,4 +446,4 @@ function _openid_provider_debug($message, $variables = array(), $severity = WATC

@@ -424,4 +446,4 @@ function _openid_provider_debug($message, $variables = array(), $severity = WATC
   if (variable_get('openid_provider_debugging', false)) {
     watchdog('openid_provider', $message, $variables, $severity, $link);
   }
-}
+}

plus, we'd need to get a tester to push this to RTBC...

thank you for the effort! this is already a great improvement...

Let's try again :).

Alright, this looks great!

Now can anyone third party test this?

The module from @mikecar at #10 work for me. Then I'm totally lost idea how to apply the latest patch. So I don't know how can I test them.

By the way, I have start some modify work on this module about whitelist, which let trusted relying party log-in using OpenID without asking to accept. Is there the way can I send my code for review?

@neizod - glad to see you can test! Try to apply the patch by following those instructions: http://drupal.org/patch/apply

To submit your patches, see http://drupal.org/patch/submit

So I clone the repo at http://drupal.org/project/openid_provider/git-instructions and apply patch from #45. The patch was successfully (with warning: 1 line adds whitespace errors). Then I copy entire directory to /sites/all/module of mother's site and enable it. Go to my child's site and log-in with OpenID. The page was redirect to mother's log-in page as expected. But after I fill in username and password and log-in, I get this error massage:

page: mother.site/openid/provider/continue

Notice: Trying to get property of non-object in openid_provider_authentication_response() (line 170 of /var/www/drupal/sites/all/modules/openid_provider/openid_provider.inc).
Notice: Undefined variable: _POST in drupal_build_form() (line 297 of /var/www/drupal/includes/form.inc).

Then whether I choose Yes-Always or Yes-One. I return to my child's site and found massage: OpenID login failed.

So I go back to mother's site and found furthermore error massage:

page: mother.site/

Notice: Undefined variable: assoc_handle in _openid_provider_sign() (line 393 of /var/www/drupal/sites/all/modules/openid_provider/openid_provider.inc).
Notice: Trying to get property of non-object in _openid_provider_signature() (line 417 of /var/www/drupal/sites/all/modules/openid_provider/openid_provider.inc).
Notice: Trying to get property of non-object in _openid_provider_signature() (line 418 of /var/www/drupal/sites/all/modules/openid_provider/openid_provider.inc).

Good work! Note how git tells you about whitespace differences, this is something that can be fixed in the patch, we don't want to displease git now don't we? ;)

It certainly looks like the patch doesn't actually work, so it seems i need to send the patch back to "needs work" for another pass.

Thank you very much for the testing! It is what makes code solid in the end, keep up the good work.

@neizod thanks for your effort.

I think I managed to catch all problems you mentioned. I can login successfuly on my local install and git is pleased with the patch (no whitespace errors).

Would you be so kind and give it another try? Thanks!

The new one at #51 work. :)

Configure menu missing.

Just wanted to confirm that #51 worked for me so far. Could we have this as an dev release?

please mark working patches as rtbc. :)

i'll try to see if i can get this in soon enough. @paranojik - want to commit this yourself? :)

...sorry for my late response. I was on vacation. Of course I'll be glad to do it.

You know what just happened? I realised I can't actually give others commit access here - i am not the owner of the module. I'll try to commit this myself in the coming week.

hey anarcat, any update on the commit for a dev drop?

I also just tested this and it's working fine. Would love to see this committed as well :-)

Hi guys,

I've got this setup with the patch from #51. However, I'm unable to login to a number of sites using my drupal instance as a provider. For example, stackexchange.com throws a nasty error about a URL mismatch and slashdot.org fails with "Unable to verify with http://specs.openid.net/auth/2.0/identifier_select.". This happens after I've been redirected to my site, authenticated, and confirmed that I want to grant access to the requesting site. I get these errors when the final redirect back to the originating site happens.

People above have said that this is working, but I've been unable to authenticate to any sites using drupal as a provider. Any ideas?

Jay

@jwineinger - please do not confuse the D7 port with the other issues with this module. :) You are suffering from #831162: cannot login on stackoverflow or dotnetopenid sites, testing of that patch would be appreciated­..

Sorry for the delays. I have looked again into this and noticed the master branch was pretty much broken. I have opened an issue about this (#1418232: merge master branch into 6.x-1.x) and started the merge, which was pushed to the repository.

The patch still seems to apply, so I think the next step is to fork 7.x off the 6.x branch and just ignore the master branch from now on... Maybe there's a way to get it deleted?

I have pushed the patch to the 7.x-1.x branch. Before creating a release on it though, I'll try to get the master vs 7.x branch issue sorted out, see #1418254: please delete the master branch on the openid_provider module for followup.

thanks for persisting with this one.

its pretty important plumbing for site networks imho

Hi guys! Great work on this!

I just wanted to let you know that I'm now co-maintaining XRDS Simple, which I use for XRDS documents in OpenID ICAM Extension. I've just added some comment formatting to the old paranojik sandbox code and checked it in as 7.x-1-x.

I will probably just add a README to it and then release it as 7.x-1.0. And from this thread, it looks like that will be just in the nick of time for a release of openid_provider, which I look forward to trying out!

I have released 7.x-1.0-beta1.