
AuthUserOpenId

Summary: Implement single sign-on and Identity mechanism based on OpenID protocol.
Version:
Prerequisites:
Status:
Maintainer: Michael Novak
Categories: Security

Questions answered by this recipe

How can I implement OpenID Identity on my Wiki site?

Description

This module integrates OpenID Identity support into your pmwiki. It doesn't require any additional modules, except curl.

About OpenID

From Wikipedia: OpenID is a simple identification mechanism originally developed by Brad Fitzpatrick of LiveJournal. It is a distributed, decentralized network, in which any user's online identity is given by URL (such as for a blog or a home page) or an XRI (such as an i-name), and can be verified by any server running the protocol.

Information about OpenID can be found on the following websites:

Notes - Known bugs

  • It is fully working with Clean URL rewriting; however, I am not sure how ?n=Page is handled at this moment. It should work, but please email me if it does not.
  • The author's name is translated from name.myopenid.com to namemyopenidcom; this is due to internal pmwiki code which removes some characters.
  • This module removes http:// and https:// from the user identity when storing it in the session, to simplify user management. Use $DefaultPasswords['edit'] = 'id:steve.myopenid.com'; to control user rights.
  • This module may have an issue when the wiki is running on an https server.
  • Doesn't show proper error messages: when the Identity is not valid, it should return a nice message.

How does it work?

The entire process is very easy for the user. The biggest advantage is a single sign-on procedure for all your visitors: they register once and can then log in on multiple websites with just a click.

  1. The user enters his OpenID Identity when asked by pmwiki (for example steve.myopenid.com)
  2. The script retrieves the OpenID server from his Identity website (using curl)
  3. The user is redirected to the OpenID server to approve your site
  4. Once approved, he is sent back to pmwiki
  5. pmwiki checks in the background (an HTTP request using curl) the signature of the returned request, to ensure it was signed by the authorized server
  6. The user is logged in
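Step 5 is the one that decides whether a visitor is really logged in, so here is what it looks like done the OpenID 1.1 way, with a "check_authentication" request. This is an added example, not code from the AuthUserOpenId recipe: it assumes $serverUrl was discovered from the identity page in step 2, $claimedId is the full identity URL the user entered in step 1 (kept in the session, before the recipe strips the scheme), $expectedReturnTo is the URL this wiki asked the server to send the user back to, and the function names are hypothetical.

```php
<?php
// Added example, not the recipe's code: verifying the id_res response the
// OpenID server sends the user back with (step 5), via check_authentication.

// OpenID 1.1 direct responses are "key:value" lines, one per line.
function openid_parse_kv($body) {
    $out = array();
    foreach (explode("\n", $body) as $line) {
        $pos = strpos($line, ':');
        if ($pos === false) continue;
        $out[trim(substr($line, 0, $pos))] = trim(substr($line, $pos + 1));
    }
    return $out;
}

// $get is $_GET as PHP delivers it: "openid.mode" arrives as "openid_mode",
// because PHP rewrites dots in parameter names to underscores.
function openid_verify_return($get, $serverUrl, $claimedId, $expectedReturnTo) {
    if (!isset($get['openid_mode']) || $get['openid_mode'] !== 'id_res') return false;
    foreach (array('openid_assoc_handle', 'openid_sig', 'openid_signed',
                   'openid_identity', 'openid_return_to') as $f) {
        if (!isset($get[$f])) return false;
    }
    // Checks the signature alone does not give you: the assertion must be about
    // the identity this user claimed, and addressed to this site's return URL.
    if ($get['openid_identity'] !== $claimedId) return false;
    if (strpos($get['openid_return_to'], $expectedReturnTo) !== 0) return false;

    // check_authentication is an exact copy of every signed field plus sig and
    // assoc_handle, with openid.mode replaced.
    $post = array();
    foreach (explode(',', $get['openid_signed']) as $f) {
        $key = 'openid_' . str_replace('.', '_', $f);
        if (!isset($get[$key])) return false;   // signed list names a field we never got
        $post['openid.' . $f] = $get[$key];
    }
    $post['openid.assoc_handle'] = $get['openid_assoc_handle'];
    $post['openid.sig']          = $get['openid_sig'];
    $post['openid.signed']       = $get['openid_signed'];
    $post['openid.mode']         = 'check_authentication';

    // Ask the server that was discovered in step 2, never one named in the response.
    $ch = curl_init($serverUrl);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // reject a forged https server
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) return false;

    $kv = openid_parse_kv($body);
    return isset($kv['is_valid']) && $kv['is_valid'] === 'true';
}
```

The two comparisons before the curl call are the part worth copying: a valid signature only proves that some server signed something, so the identity and the return_to must also be tied to the session that started the login, and the check must go to the server discovered from the identity page rather than to any URL carried in the response.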

This is not a Spam protection

If you face spam issues or think this could be an ultimate solution, please be aware: OpenID is not spam protection or a trust system. It is a decentralized single sign-on identity solution. You should not trust these users more than you trust the users who registered with an email address.

Requirements

  • curl php module

Installation

Copy files:

  • authuseropenid.php
  • authuseropenid.class.php

into the cookbook/ directory

Modify your local/config.php

     $DefaultPasswords['edit'] = 'id:*'; // This will allow all users using AuthUser to edit pages
     include_once("cookbook/authuseropenid.php"); // Must be included before authuser.php
     include_once("$FarmD/scripts/authuser.php"); // You may have this one already

Append the following form to your Site/AuthForm page

     '''Login with an OpenID:'''\\
     (:input auth_form class=openid_form:)
     (:input text name=openid_url class=openid_login:)
     (:input submit value='OK':)\\
     ''For Example: steve.myopenid.com''
     (:input end:)
     Get an OpenID:
     * [[http://www.myopenid.com|myOpenID.com]]

Append the following line to your Site/AuthUser page

     openid://module

OpenID Enabled - CSS Class

Please don't forget to add the "OpenID Enabled" icon to your website to let your visitors know about this great feature.

There is also a recommended CSS class for the INPUT field, which you should use when formatting the input field. Add the following to your stylesheets:

input.openid_login {
   background: url(http://openid.net/login-bg.gif) no-repeat;
   background-color: #fff;
   background-position: 0 50%;
   color: #000;
   padding-left: 18px;
}

Release Notes

This module has two parts: the module itself, and the .class file, which handles the communication using the OpenID protocol.

Comments

This module is under development. Feel free to submit any bugs or suggestions. I am willing to take this to the next level, because I love the idea of having one password and logging in on multiple sites at once. Please add a comment to this page where we can see this in action!

This script has a problem when $ScriptUrl contains the whole http address of the server and not just the local path. In that case trust_root is set to an unreadable value and an error is reported by the OpenID server. To correct this, edit authuseropenid.php and change $openid->SetTrustRoot('http://' . $_SERVER["HTTP_HOST"] . $ScriptUrl); to

if (strpos ($ScriptUrl, 'http://') === FALSE) {
    $openid->SetTrustRoot('http://' . $_SERVER["HTTP_HOST"] . $ScriptUrl);
} else {
    $openid->SetTrustRoot($ScriptUrl);
}

Confirming the above. Also worth noting that the above fix will not work if your wiki is served over https. A second note: this module uses the identity endpoint as the username, which is possibly undesired behavior, as the endpoint will often have little to say about who the person behind the OpenID is (note the open-source Rails IDP, and how its endpoints simply have the server link rel and brief text saying the function of the URL). Optimally, we'd like to see this information about our editors. PeterWoodman May 09, 2007, at 03:39 AM
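The two comments above and the https item in the known-bugs list describe the same problem from two sides: $ScriptUrl may be a path or a full URL, and the wiki may be served over http or https. The following is an added example, not the recipe's code, that generalizes the fix quoted above to cover both cases; the helper name openid_trust_root() is hypothetical, and $ScriptUrl is the PmWiki variable already used by the module.

```php
<?php
// Added example, not the recipe's code: build trust_root whether $ScriptUrl is
// a local path ("/pmwiki.php") or a full URL ("https://wiki.example.org/pmwiki.php"),
// and whether the current request arrived over http or https.
function openid_trust_root($scriptUrl, $server) {
    // Already absolute: use it as given, with whatever scheme the admin configured.
    if (preg_match('#^https?://#i', $scriptUrl)) {
        return $scriptUrl;
    }
    // Relative: pick the scheme from how this request arrived. Most SAPIs set
    // $_SERVER['HTTPS'] to "on" (or "1") under https and leave it unset or "off" otherwise.
    $https  = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $scheme = $https ? 'https' : 'http';
    // HTTP_HOST comes from the client's Host header; a fixed, absolute $ScriptUrl
    // in config.php avoids depending on it at all.
    return $scheme . '://' . $server['HTTP_HOST'] . $scriptUrl;
}

// Usage in authuseropenid.php, in place of the SetTrustRoot call quoted above:
// $openid->SetTrustRoot(openid_trust_root($ScriptUrl, $_SERVER));
```

Because the trust_root is what the OpenID server shows the user when asking whether to approve your site, setting $ScriptUrl to the full absolute URL in local/config.php is the simplest way to make it stable, since the function then returns it unchanged and never consults the request's Host header.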

See Also

  • AuthUser - Parent module required to run this add-on
  • PITS.00784 - Discussion about OpenID implementation

Contributors

Michael Novak

Page last modified on May 09, 2007, at 03:39 AM