Ticket #12182 (closed PLIP: wontfix)

Opened 5 years ago

Last modified 4 years ago

Extend OpenID support to include Simple Registration

Reported by: davidblewett Owned by: davisagli
Priority: minor Milestone: 4.3
Component: OpenID support Version: 4.1
Keywords: openid sreg unsupported Cc: dokai, eleddy, ned14

Description (last modified by cewing)

Proposer: David Blewett
Seconder: Cris Ewing

Motivation

Currently, the combination of plone.openid and plone.app.openid results in users being able to successfully log in to Plone. However, the Plone users created by this process are very bare-bones. The only information available is the identity URL of the successfully authenticated user (e.g. http://www.google.com/profiles/david.blewett ).

There is a Simple Registration extension to OpenID that provides a way to request additional profile information about the authenticated user (should they allow it). This information includes: nickname, email, fullname, date of birth, gender, postal code, country, language and timezone.

Assumptions

Because this is an extension, however, and not part of the core standard, there is a chance that a user's chosen upstream OpenID server does not support it.

There is a more sophisticated method called Attribute Exchange, but Simple Registration has been around for longer and is likely supported by most existing OpenID servers.

Proposal & Implementation

This PLIP would add support for this extension by adding an option to the plugin that is added to acl_users. If the option is enabled, we would request all of the available fields when authenticating. When the response is received, we would update the Plone user's profile with the returned data.

Deliverables

  • plone.openid updated to optionally request and store returned profile information
    • unit tests covering requesting/storing
  • plone.openid would be able to fully support the IUserEnumerationPlugin interface when use_simple_registration is enabled
    • unit tests covering exact_match, sort_by and max_results
  • plone.app.openid updated to retrieve stored info and update the Plone user profile with it
    • unit tests covering updating the profile
  • Documentation regarding activating the feature and what to expect

Risks

There is a risk that if the upstream OpenID server does not support this extension, it could error out and make the authentication process fail. This would be mitigated by the feature being optional and disabled by default.

If the feature is enabled, it will update the Plone user profile after each successful authentication with the fields the user allows the upstream OpenID server to return (which can contain any info the user likes).

During implementation, it was discovered that plone.openid currently emits the raw identity URL as the user name. This caused issues where Plone tried to traverse the / characters in the username as path segments. Currently, it seems Plone sidesteps the issue by explicitly looking for request variables (instead of relying completely on traversal).

Participants

David Blewett, davidblewett

Progress

The functionality is mostly implemented in branches of plone.openid and plone.app.openid:

Change History

comment:1 Changed 5 years ago by cewing

  • Description modified

comment:2 Changed 5 years ago by dokai

  • Cc dokai added

FWIW, I worked on both SREG and AX support for plone.openid some time ago in https://github.com/dokai/plone.openid. The SREG support was based on work done originally by Matthew Wilkes.

One thing that came up during that was that the currently available release of python-openid (2.2.5) has a bug in the way it deals with 8-bit characters with SREG/AX. Github currently has a fair number of forks with varying numbers of changes, but I made a fork of python-openid which simply contains the fixes for these issues at https://github.com/dokai/python-openid. For a fully functional SREG/AX implementation it may be necessary to use a patched version of the library (unless one is already made available).

comment:3 Changed 5 years ago by eleddy

Approved for 4.3. Please let us know when this is ready for review!

comment:4 Changed 5 years ago by eleddy

  • Cc eleddy added

BTW I (eleddy) will be your PLIP champion - hit me with any questions.

comment:5 follow-up: ↓ 6 Changed 4 years ago by ned14

  • Cc ned14 added

I welcome the above new functionality. I appreciate that what I am about to say is somewhat off-topic, but while we're improving OpenID support, couldn't we make the OpenID login UI considerably more user friendly?

Most contemporary websites with OpenID login support have a single clickable image e.g. stackoverflow, so if you want to login via Google you click the Google image, or via Yahoo you click the Yahoo image. I see no reason why Plone cannot have the same.

I patched in the javascript openid-selector library to the existing OpenID system and my instructions are detailed at http://www.nedproductions.biz/wiki/replacing-plones-openid-login-with-an-openid-selector-for-google-yahoo-etc. It was remarkably trivial to implement actually. If javascript is unavailable, the old UI appears unmodified.

I assume that this improved UI would require a new PLIP, but there are obvious consequences on this PLIP. I thought it best to ask here first.

Thanks,
Niall

comment:6 in reply to: ↑ 5 Changed 4 years ago by ned14

Replying to ned14:

I welcome the above new functionality. I appreciate that what I am about to say is somewhat off-topic, but while we're improving OpenID support, couldn't we make the OpenID login UI considerably more user friendly?

For reference, I have finished patching v2.1 of the OpenID module to include the OpenID selector UI. You can find the new patch and config instructions at http://www.nedproductions.biz/wiki/replacing-plones-openid-login-with-an-openid-selector-for-google-yahoo-etc.

BTW, I found turning on Simple Registration in acl_users causes openid logins to silently fail. I assume this is known.

Also, I understand from the web that sreg isn't supported by Google, only AX. That's a fairly major fail for just having sreg support alone. python-openid appears to support AX just fine though, so I can't see any reason why sreg and AX can't both be requested and an appropriate set of user info attributes be chosen from the returned data. BTW, google won't return fullname via AX, only http://axschema.org/namePerson/first and http://axschema.org/namePerson/last (source: http://stackoverflow.com/questions/1956522/retrieve-openid-ax-attributes-from-google-yahoo-in-rails)

Niall
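As an added example (not code from this ticket, from plone.openid, or from dokai's branch), the following Python shows the request/response handling that the Proposal section and comment 6 describe: when the use_simple_registration option is on, request every SREG field as optional plus the AX equivalents, then read back only the fields the provider actually signed, preferring SREG values and falling back to AX, and composing fullname from the namePerson/first and namePerson/last attributes that Google returns. It parses the raw OpenID key/value parameters directly instead of using python-openid's extension classes (so it runs offline), decodes bytes as UTF-8 to tolerate the 8-bit values mentioned in comment 2, and the three responses are constructed samples. The check against openid.signed assumes the relying party has already verified the signature; a provider that supports neither extension simply yields an empty profile rather than failing the login.

```python
"""Request SREG + AX profile data and merge the signed fields of the response.

Hand-rolled parameter handling for illustration; python-openid provides
equivalent classes (SRegRequest/SRegResponse, FetchRequest/FetchResponse).
"""
from __future__ import annotations

SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"

# The nine fields defined by Simple Registration 1.1.
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")

# AX attribute types requested alongside SREG; aliases are ours, type URIs are axschema's.
AX_TYPES = {
    "email": "http://axschema.org/contact/email",
    "firstname": "http://axschema.org/namePerson/first",
    "lastname": "http://axschema.org/namePerson/last",
    "fullname": "http://axschema.org/namePerson",
    "language": "http://axschema.org/pref/language",
}

MAX_VALUE_LEN = 256  # assumed cap before anything is written to a member profile


def build_profile_request(use_simple_registration: bool) -> dict:
    """Extension parameters to add to the checkid_setup request.

    Returns {} when the option is off (the proposed default), so the plain
    login is unchanged. Everything is requested as optional/if_available so a
    provider that withholds data still completes authentication.
    """
    if not use_simple_registration:
        return {}
    params = {
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.optional": ",".join(SREG_FIELDS),
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.if_available": ",".join(AX_TYPES),
    }
    for alias, uri in AX_TYPES.items():
        params[f"openid.ax.type.{alias}"] = uri
    return params


def _alias_for(response: dict, ns_uri: str) -> str | None:
    """Providers may use any alias for an extension; find it by namespace URI."""
    prefix = "openid.ns."
    for key, value in response.items():
        if key.startswith(prefix) and value == ns_uri:
            return key[len(prefix):]
    return None


def _signed_keys(response: dict) -> set:
    """openid.signed lists the signed parameter names without the openid. prefix."""
    return {f"openid.{name}" for name in response.get("openid.signed", "").split(",") if name}


def _clean(value) -> str | None:
    """Decode 8-bit input, trim, and cap length; the provider can return anything."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    value = value.strip()
    return value[:MAX_VALUE_LEN] if value else None


def extract_profile(response: dict) -> dict:
    """Return {sreg_field: value} from a verified id_res, merging SREG and AX.

    Unsigned extension values are ignored: they were not covered by the
    provider's signature and could have been altered in transit.
    """
    signed = _signed_keys(response)
    profile = {}

    sreg = _alias_for(response, SREG_NS)
    if sreg:
        for field in SREG_FIELDS:
            key = f"openid.{sreg}.{field}"
            if key in response and key in signed:
                value = _clean(response[key])
                if value:
                    profile[field] = value

    ax = _alias_for(response, AX_NS)
    if ax and response.get(f"openid.{ax}.mode") == "fetch_response":
        type_prefix = f"openid.{ax}.type."
        # The response may alias types differently from the request; map by URI.
        alias_by_uri = {v: k[len(type_prefix):] for k, v in response.items() if k.startswith(type_prefix)}
        ax_values = {}
        for field, uri in AX_TYPES.items():
            alias = alias_by_uri.get(uri)
            key = f"openid.{ax}.value.{alias}"
            if alias and key in response and key in signed:
                value = _clean(response[key])
                if value:
                    ax_values[field] = value
        # Google sends first/last but no namePerson; compose fullname when SREG gave none.
        if "fullname" not in profile:
            if "fullname" in ax_values:
                profile["fullname"] = ax_values["fullname"]
            else:
                parts = [ax_values.get("firstname"), ax_values.get("lastname")]
                fullname = " ".join(p for p in parts if p)
                if fullname:
                    profile["fullname"] = fullname
        for field in ("email", "language"):
            if field not in profile and field in ax_values:
                profile[field] = ax_values[field]
    return profile


# Constructed sample responses (not real provider output), as seen after verification.
SREG_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
    "openid.claimed_id": "https://openid.example.org/david",
    "openid.ns.sreg": SREG_NS,
    "openid.sreg.nickname": "david", "openid.sreg.email": "david@example.org",
    "openid.sreg.fullname": "Dav\u00edd Blewett",  # non-ASCII value
    "openid.sreg.postcode": "00000",               # not in openid.signed: dropped
    "openid.signed": "op_endpoint,claimed_id,ns.sreg,sreg.nickname,sreg.email,sreg.fullname",
}
AX_RESPONSE = {  # Google-style: AX only, first/last instead of fullname, alias ext1
    "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
    "openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.firstname": "http://axschema.org/namePerson/first",
    "openid.ext1.value.firstname": "David",
    "openid.ext1.type.lastname": "http://axschema.org/namePerson/last",
    "openid.ext1.value.lastname": "Blewett",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "david@example.org",
    "openid.signed": "op_endpoint,claimed_id,ns.ext1,ext1.mode,ext1.type.firstname,"
                     "ext1.value.firstname,ext1.type.lastname,ext1.value.lastname,"
                     "ext1.type.email,ext1.value.email",
}
PLAIN_RESPONSE = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
                  "openid.signed": "op_endpoint,claimed_id"}

if __name__ == "__main__":
    print(build_profile_request(True))
    for r in (SREG_RESPONSE, AX_RESPONSE, PLAIN_RESPONSE):
        print(extract_profile(r))
```

The returned dict maps straight onto the member properties plone.app.openid would update after login; restricting it to the nine SREG names keeps the profile update bounded no matter what extra attributes a provider chooses to send.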

comment:7 Changed 4 years ago by eleddy

Any updates/questions on this PLIP? We are asking people to finish up implementation and be ready for review the first week in January. Thanks!

comment:8 Changed 4 years ago by jonstahl

  • Version set to 4.1
  • severity set to Untriaged

Ned, I love your UI updates, I would love to see a PLIP on this, or an updated version of this PLIP.

comment:9 Changed 4 years ago by eleddy

  • Keywords unsupported added
  • Status changed from new to closed
  • Resolution set to wontfix