Ticket #12182 (closed PLIP: wontfix)
Extend OpenID support to include Simple Registration
Reported by: | davidblewett | Owned by: | davisagli |
---|---|---|---|
Priority: | minor | Milestone: | 4.3 |
Component: | OpenID support | Version: | 4.1 |
Keywords: | openid sreg unsupported | Cc: | dokai, eleddy, ned14 |
Description (last modified by cewing)
Proposer: David Blewett
Seconder: Cris Ewing
Motivation
Currently, the combination of plone.openid and plone.app.openid lets users log in to Plone successfully. However, the Plone users created by this process are very bare-bones: the only information available is the identity URL of the successfully authenticated user (e.g. http://www.google.com/profiles/david.blewett).
There is a Simple Registration extension to OpenID that provides a way to request additional profile information regarding the authenticated user (should they allow it). This information includes: nickname, email, fullname, date of birth, gender, postal code, country, language and timezone.
Assumptions
Because this is an extension, however, and not part of the core standard, there is a chance that a user's chosen upstream OpenID server does not support it.
There is a more sophisticated method called Attribute Exchange, but Simple Registration has been around for longer and is likely supported by most existing OpenID servers.
Proposal & Implementation
This PLIP would add support for this extension by adding an option to the plugin that is added to acl_users. If the option is enabled, we would request all of the available fields when authenticating. When the response is received, we would update the Plone user's profile with the returned data.
Deliverables
- plone.openid updated to optionally request and store returned profile information
- unit tests covering requesting/storing
- plone.openid would be able to fully support the IUserEnumerationPlugin interface when use_simple_registration is enabled
- unit tests covering exact_match, sort_by and max_results
- plone.app.openid updated to retrieve stored info and update the Plone user profile with it
- unit tests covering updating the profile
- Documentation regarding activating the feature and what to expect
Risks
There is a risk that if the upstream OpenID server does not support this extension, it could error out and make the authentication process fail. This would be mitigated by making the feature optional and disabled by default.
If the feature is enabled, it will update the Plone user profile after each successful authentication with the fields the user allows the upstream OpenID server to return (which can contain any info the user likes).
During implementation, it was discovered that plone.openid currently emits the raw identity URL as the user name. This caused issues where Plone tried to traverse the / characters in the user name. At present Plone appears to sidestep the issue by explicitly looking for request variables instead of relying entirely on traversal.
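The proposal above (request the SREG fields, then copy the response into the Plone profile) together with the two risks just listed (a provider that does not support the extension, and field values that are entirely under the user's control) can be shown in a small piece of Python. This is an added example, not code from plone.openid or plone.app.openid: it assumes python-openid (or equivalent) has already verified the assertion's signature, it works on the plain `openid.*` query arguments of the response rather than on python-openid's objects, and the `sreg_to_member_properties` mapping and the sample response below are constructed for illustration. A provider that returns no SREG data yields an empty dict rather than an error, and only values covered by `openid.signed` are accepted.

```python
"""Extract OpenID Simple Registration (SREG) fields from an OpenID
response and map them onto Plone member properties.

Added example; not code from plone.openid or plone.app.openid.  The
caller is assumed to have had python-openid verify the response
signature already; this code only decides which SREG values to trust
and how to turn them into profile data.
"""
import re

# Namespace URIs used by SREG 1.0 and 1.1 (OpenID 2.0 responses).
SREG_NAMESPACES = (
    "http://openid.net/extensions/sreg/1.1",
    "http://openid.net/sreg/1.0",
)
# The nine fields the extension defines.
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")


def _sreg_alias(args):
    """Find the namespace alias the provider used for SREG.

    OpenID 2.0 declares it as openid.ns.<alias>; OpenID 1.x responses
    use the fixed alias 'sreg' without any declaration."""
    for key, value in args.items():
        if key.startswith("openid.ns.") and value in SREG_NAMESPACES:
            return key[len("openid.ns."):]
    return "sreg"


def parse_sreg(args):
    """Return {field: value} for the SREG fields present and signed.

    A provider that does not support the extension simply sends no
    such fields, so the result is an empty dict, not an exception."""
    alias = _sreg_alias(args)
    # openid.signed lists the signed keys without the "openid." prefix.
    signed = set(args.get("openid.signed", "").split(","))
    fields = {}
    for name in SREG_FIELDS:
        key = "openid.%s.%s" % (alias, name)
        # A value that is not covered by the signature could have been
        # altered on the way through the browser, so it is ignored.
        if key in args and "%s.%s" % (alias, name) in signed:
            fields[name] = args[key]
    return fields


_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def sreg_to_member_properties(fields, max_len=255):
    """Map SREG fields onto Plone memberdata property names.

    Only the properties the profile actually uses are copied, and the
    values are checked, because the user decides what the provider
    returns.  (Constructed mapping for this example.)"""
    props = {}
    fullname = fields.get("fullname") or fields.get("nickname")
    if fullname:
        props["fullname"] = fullname.strip()[:max_len]
    email = fields.get("email", "").strip()
    if email and len(email) <= max_len and _EMAIL_RE.match(email):
        props["email"] = email
    return props


# Constructed sample: the query arguments of a positive OpenID 2.0
# assertion carrying SREG data (unrelated parameters omitted).  The
# "language" value is deliberately left out of openid.signed.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
    "openid.sreg.nickname": "alice",
    "openid.sreg.email": "alice@example.com",
    "openid.sreg.fullname": "Alice Example",
    "openid.sreg.language": "en",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.sreg,"
                     "sreg.nickname,sreg.email,sreg.fullname",
}

if __name__ == "__main__":
    fields = parse_sreg(SAMPLE_RESPONSE)
    print(fields)                           # "language" is dropped: unsigned
    print(sreg_to_member_properties(fields))
    print(parse_sreg({"openid.mode": "id_res", "openid.signed": "identity"}))
```

In the real plugin the dict returned by `sreg_to_member_properties` is what would be handed to the member's `setMemberProperties`; keeping the mapping explicit means an enabled `use_simple_registration` can never write fields the profile does not expect.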
Participants
David Blewett, davidblewett
Progress
The functionality is mostly implemented in branches of plone.openid and plone.app.openid:
Change History
comment:2 Changed 5 years ago by dokai
- Cc dokai added
FWIW, I worked on both SREG and AX support for plone.openid some time ago in https://github.com/dokai/plone.openid. The SREG support was based on work done originally by Matthew Wilkes.
One thing that came up during that was that the currently available release of python-openid (2.2.5) has a bug in the way it deals with 8-bit characters with SREG/AX. GitHub currently has a fair number of forks with varying numbers of changes, but I made a fork of python-openid which simply contains the fixes for these issues at https://github.com/dokai/python-openid. For a fully functional SREG/AX implementation it may be necessary to use a patched version of the library (unless one is already made available).
comment:3 Changed 5 years ago by eleddy
Approved for 4.3. Please let us know when this is ready for review!
comment:4 Changed 5 years ago by eleddy
- Cc eleddy added
BTW, I (eleddy) will be your PLIP champion; hit me with any questions.
comment:5 follow-up: ↓ 6 Changed 4 years ago by ned14
- Cc ned14 added
I welcome the above new functionality. I appreciate that what I am about to say is somewhat off-topic, but while we're improving OpenID support, couldn't we make the OpenID login UI considerably more user friendly?
Most contemporary websites with OpenID login support have a single clickable image e.g. stackoverflow, so if you want to login via Google you click the Google image, or via Yahoo you click the Yahoo image. I see no reason why Plone cannot have the same.
I patched in the javascript openid-selector library to the existing OpenID system and my instructions are detailed at http://www.nedproductions.biz/wiki/replacing-plones-openid-login-with-an-openid-selector-for-google-yahoo-etc. It was remarkably trivial to implement actually. If javascript is unavailable, the old UI appears unmodified.
I assume that this improved UI would require a new PLIP, but there are obvious consequences on this PLIP. I thought it best to ask here first.
Thanks,
Niall
comment:6 in reply to: ↑ 5 Changed 4 years ago by ned14
Replying to ned14:
I welcome the above new functionality. I appreciate that what I am about to say is somewhat off-topic, but while we're improving OpenID support, couldn't we make the OpenID login UI considerably more user friendly?
For reference, I have finished patching v2.1 of the OpenID module to include the OpenID selector UI. You can find the new patch and config instructions at http://www.nedproductions.biz/wiki/replacing-plones-openid-login-with-an-openid-selector-for-google-yahoo-etc.
BTW, I found turning on Simple Registration in acl_users causes openid logins to silently fail. I assume this is known.
Also, I understand from the web that sreg isn't supported by Google, only AX. That's a fairly major fail for just having sreg support alone. python.openid appears to support AX just fine though, so I can't see any reason why sreg and AX can't both be requested and an appropriate set of user info attributes be chosen from the returned data. BTW, google won't return fullname via AX, only http://axschema.org/namePerson/first and http://axschema.org/namePerson/last (source: http://stackoverflow.com/questions/1956522/retrieve-openid-ax-attributes-from-google-yahoo-in-rails)
Niall
comment:7 Changed 4 years ago by eleddy
Any updates/questions on this PLIP? We are asking people to finish up implementation and be ready for review the first week in January. Thanks!