AuthUserOpenId

Summary: Implement single sign-on and an identity mechanism based on the OpenID protocol.
Version:
Prerequisites:
Status:
Maintainer: Michael Novak
Discussion: AuthUserOpenId-Talk
Categories: Security

Questions answered by this recipe

How can I implement OpenID Identity on my Wiki site?
NOTE: This recipe is out of date. To work with OpenID 2.0 Federated login systems look at AuthUserFederated

Description

This module integrates OpenID identity support into your PmWiki. It does not require any additional modules except curl.

About OpenID

From Wikipedia: OpenID is a simple identification mechanism originally developed by Brad Fitzpatrick of LiveJournal. It is a distributed, decentralized network in which any user's online identity is given by a URL (such as for a blog or a home page) or an XRI (such as an i-name), and can be verified by any server running the protocol.

Information about OpenID can be found at the following websites:

Notes - Known bugs

  • Not compliant with OpenID 2.0 (such as Gmail). The underlying .class.php and AuthForm need to be reworked to embed the URL of the desired OpenID authority (it is not clear that it even works now with the hard-coded openid.com).
  • It is fully working with CleanURL rewriting; however, I am not sure how ?n=Page is handled at this moment. It should work, but please email me if not.
  • The author's name is translated from name.myopenid.com to namemyopenidcom; this is due to internal PmWiki code which removes some characters.
  • This module removes http and https from the user identity when storing it in the session. This is to simplify user management. Use $DefaultPasswords['edit'] = 'id:steve.myopenid.com'; to control user rights.
  • This module may have an issue when the wiki is running on an https server.
  • It doesn't show proper error messages: when the identity is not valid, it should return a nicer message.

How does it work?

The entire process is very easy for the user. The biggest advantage is the single sign-on procedure for all your visitors: they register once and can then log in on multiple websites with just a click.

  1. The user enters his OpenID identity when asked by PmWiki (for example steve.myopenid.com)
  2. The script retrieves the OpenID server from his identity website (using curl)
  3. The user is redirected to the OpenID server to approve your site
  4. Once approved, he is sent back to PmWiki
  5. PmWiki checks in the background (an HTTP request using curl) the signature of the request, to ensure it was signed by the authorized server
  6. The user is logged in
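The relying-party side of steps 2, 3 and 5, as an added Python example that is not the recipe's PHP code: it discovers the server from a constructed identity page, builds the checkid_setup redirect, turns the id_res response into the server-to-server check_authentication request (refusing one addressed to a different return_to), and reads the server's reply. The page HTML, URLs and field values are constructed assumptions; the recipe fetches the real page with curl.

```python
import re
from urllib.parse import urlencode, parse_qs

# Constructed identity page: a real one carries the same <link> in its <head>.
SAMPLE_IDENTITY_PAGE = """<html><head><title>steve</title>
<link rel="openid.server" href="https://www.myopenid.com/server">
</head><body>Steve's page</body></html>"""

OPENID_SERVER_RE = re.compile(
    r'<link[^>]*rel=["\']openid\.server["\'][^>]*href=["\']([^"\']+)["\']', re.I)

def normalize_identity(openid_url):
    """Step 1: what the user typed, with scheme and trailing slash removed.
    The recipe stores the identity this way in the session (see Known bugs)."""
    ident = re.sub(r'^https?://', '', openid_url.strip(), flags=re.I)
    return ident.rstrip('/')

def discover_server(identity_html):
    """Step 2: find the openid.server endpoint declared on the identity page."""
    m = OPENID_SERVER_RE.search(identity_html)
    return m.group(1) if m else None

def build_checkid_setup_url(server, identity, return_to, trust_root):
    """Step 3: the redirect that sends the user to the server to approve trust_root."""
    params = {"openid.mode": "checkid_setup",
              "openid.identity": "http://" + identity + "/",
              "openid.return_to": return_to,
              "openid.trust_root": trust_root}
    return server + ("&" if "?" in server else "?") + urlencode(params)

def build_check_authentication(response_qs, expected_return_to):
    """Step 5: turn the id_res response (the query string the server sent the
    browser back with) into the check_authentication POST body the wiki sends
    directly to the server. Responses for another return_to are rejected."""
    fields = {k: v[0] for k, v in parse_qs(response_qs).items()}
    if fields.get("openid.mode") != "id_res":
        raise ValueError("not an id_res response")
    if fields.get("openid.return_to") != expected_return_to:
        raise ValueError("return_to does not match this site")
    body = {k: v for k, v in fields.items() if k.startswith("openid.")}
    body["openid.mode"] = "check_authentication"  # all other fields echoed as-is
    return body

def is_authenticated(server_reply):
    """Parse the key:value reply; only an explicit is_valid:true logs the user in."""
    kv = dict(line.split(":", 1) for line in server_reply.splitlines() if ":" in line)
    return kv.get("is_valid", "").strip() == "true"
```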

This is not a Spam protection

If you face spam issues or think this could be the ultimate solution, please be aware: OpenID is not a spam protection or trust system. It is a decentralized single sign-on identity solution. You should not trust these users any more than you trust your email-registered users.

Requirements

  • curl php module

Installation

Copy the files:

  • authuseropenid.php
  • authuseropenid.class.php

into the cookbook/ directory.

Modify your local/config.php:

     $DefaultPasswords['edit'] = 'id:*'; // This will allow all users authenticated through AuthUser to edit pages
     include_once("cookbook/authuseropenid.php"); // Must be included before authuser.php (next line)
     include_once("$FarmD/scripts/authuser.php"); // You may have this one already

Append the following form to your Site/AuthForm page:

     '''Login with an OpenID:'''\\
     (:input auth_form class=openid_form:)
     (:input text name=openid_url class=openid_login:)
     (:input submit value='OK':)\\
     ''For Example: steve.myopenid.com''
     (:input end:)
     Get an OpenID:
     * [[http://www.myopenid.com|myOpenID.com]]

Append the following line to your Site/AuthUser page:

     openid://module

OpenID Enabled - CSS Class

Please don't forget to add an "OpenID Enabled" icon to your website to let your visitors know about this feature.

There is also a recommended CSS class for the INPUT field that you should use when formatting it. Add the following to your stylesheets:

input.openid_login {
   background: url(http://openid.net/login-bg.gif) no-repeat;
   background-color: #fff;
   background-position: 0 50%;
   color: #000;
   padding-left: 18px;
}

Release Notes

This module has two parts: the module itself, and the .class file, which handles the communication using the OpenID protocol.

See Also

  • AuthUser - parent module required to run this add-on
  • PITS.00784 - Discussion about OpenID implementation

Contributors

Michael Novak

Comments

See discussion at AuthUserOpenId-Talk