mantisbt:issue:8199

mantisbt:issue:8199 [2008/02/05 02:48] – Added link to Zend framework. vboctor
mantisbt:issue:8199 [2008/10/29 04:36] (current) – external edit 127.0.0.1
====== OpenId Authentication Requirements ======

  * **Author**: NT
  * **Status**: Draft
  * **Associated Issue**: http://www.mantisbt.org/bugs/view.php?id=8199

===== Introduction =====
Allow users to authenticate themselves using an OpenId provider.

Allow users to sign up for an account using an OpenId and prepopulate \\ 
the signup page with a userid, name and email address supplied by their OpenId profile.

==== Login Flow ====
  - Show a new form with a text box and sign-in button for OpenIds on ''login_page''.
  - Process the form with the new page ''openid_login''.
    * Check that the OpenId entered exists in the database (and is not blocked).
    * Use the OpenId library to check authorisation (return to page ''openid_complete'').
    * Any errors go back to ''login_page'' with an error message.
  - User authenticates on the OpenId server.
  - Process the response from the OpenId server.
    * If the user cancelled sign-in or some error occurred then go back to ''login_page'' with an error message.
    * Retrieve the user_id associated with this OpenId from the database.
    * Log the user in to Mantis; if that fails go back to ''login_page'' (NB an API change is needed as we have no password).
  - Display the page the user started the login process from, or the default home page.
    * Complication: the page to return to after a successful login must be saved while authorisation is checked.

==== Signup Flow ====

  - Show a new link on ''login_page'' for signup using OpenId.
  - Click the link to get ''openid_signup_page''. This is a form for the user to enter their OpenId.
  - Process the form with the new page ''openid_login''.
    * Check that the OpenId entered does not already exist in the database.
    * Use the OpenId library to check authorisation (return to page ''openid_complete'').
    * Request that the OpenId provider returns ''nickname'', ''fullname'' and ''email'' (and ''avatar''?).
    * Any errors go back to ''openid_signup_page'' with an error message.
  - User authenticates on the OpenId server (and possibly specifies which field values to send back).
  - Process the response from the OpenId server.
    * If the user cancelled sign-in or some error occurred then go back to ''openid_signup_page'' with an error message.
    * Display ''signup_page'' with the ''nickname'' and ''email'' values; add extra fields ''fullname'' and ''openid'' (read-only).
  - Process ''signup_page'' as normal, checking that ''username'' (''nickname'') and ''email'' (?) are not already in use.
    * Any errors: reshow ''signup_page'' with an appropriate message.
    * Add the user to the database; an API change is needed to supply ''fullname'' and to add a ''mantis_openid_table'' record.

==== Reauthentication Flow ====

  - Allow the user to enter an OpenId (if they have one).
  - Process the OpenId in the reauthentication code (change to core?).
    * The GET and POST parameters of the original request need to be saved.
  - User authenticates on the OpenId server.
  - Process the response from the OpenId server.
    * On any error, show the reauthentication page with a message letting them use userid/password if they wish.
  - Display the page that required authentication.

===== Implementation Notes =====

  * Use a third party library to implement OpenId support, such as the [[http://www.openidenabled.com/php-openid/|PHP OpenID library by JanRain, Inc]].
  * Implement as a plug-in.
  * For security, do not use the OpenId URI returned from forms once the user has authenticated; use the value returned from the OpenId library or one stored in the session. NB do not use cookies either.
  * Passing back the multiple values returned by the signup request may be easier with a class than with procedural code.
  * ''account_page'' needs to allow a user to add/remove OpenIds.
  * Should ''manage_user_edit_page'' allow an administrator to add/remove OpenIds for a user?
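
The following is an added example, not code from MantisBT or from the JanRain php-openid project. It sketches the ''openid_login'' and ''openid_complete'' pages of the login and signup flows above with the php-openid consumer API, and shows the security note in practice: the page to return to is kept in the session rather than a form field or cookie, the SReg request asks the provider for ''nickname'', ''email'' and ''fullname'', and the database lookup after the round trip uses only the identifier the library verified. The helper names ''openid_consumer'' and ''openid_lookup_user'', the store path, the trust root and the plugin page URL are assumptions for this example; ''db_query_bound'', ''db_param'' and ''db_fetch_array'' are assumed to be the MantisBT core database API available to the plugin.

```php
<?php
// Added example (not MantisBT or php-openid project code) of the
// openid_login / openid_complete pages using the JanRain php-openid consumer.
// openid_consumer(), openid_lookup_user(), the store path, trust root and
// plugin page URL are assumptions; the MantisBT db_* calls are assumed core API.
require_once 'Auth/OpenID/Consumer.php';
require_once 'Auth/OpenID/FileStore.php';
require_once 'Auth/OpenID/SReg.php';

// The file store keeps associations and nonces between the two requests.
function openid_consumer() {
    $t_store = new Auth_OpenID_FileStore( '/path/to/openid_store' );  // placeholder path
    return new Auth_OpenID_Consumer( $t_store );
}

// Mantis user linked to an OpenId in mantis_openid_table, or false if none.
function openid_lookup_user( $p_openid_url ) {
    $t_result = db_query_bound(
        'SELECT user_id FROM mantis_openid_table WHERE openid_url = ' . db_param(),
        array( $p_openid_url ) );
    $t_row = db_fetch_array( $t_result );
    return $t_row ? (int)$t_row['user_id'] : false;
}

// openid_login: first step of the login (or signup) flow.
function openid_login_begin( $p_openid_from_form, $p_return_page, $p_is_signup ) {
    // Preliminary check against the typed value; the authoritative lookup
    // happens later on the identifier the library verified.
    $t_user_id = openid_lookup_user( $p_openid_from_form );
    if ( $p_is_signup && $t_user_id !== false ) {
        return array( 'error' => 'This OpenId is already linked to an account' );
    }
    if ( !$p_is_signup && $t_user_id === false ) {
        return array( 'error' => 'Unknown OpenId' );
    }
    $t_consumer = openid_consumer();
    $t_auth_request = $t_consumer->begin( $p_openid_from_form );
    if ( !$t_auth_request ) {
        return array( 'error' => 'Not a valid OpenId identifier' );
    }
    // Keep the page to return to in the session: never in the form or a cookie.
    $_SESSION['openid_return_page'] = $p_return_page;
    $_SESSION['openid_signup'] = $p_is_signup;
    if ( $p_is_signup ) {
        // nickname and email required, fullname optional, to prefill signup_page.
        $t_sreg = Auth_OpenID_SRegRequest::build( array( 'nickname', 'email' ), array( 'fullname' ) );
        $t_auth_request->addExtension( $t_sreg );
    }
    $t_trust_root = 'http://mantis.example/';                 // placeholder for the Mantis URL
    $t_return_to = $t_trust_root . 'plugin.php?page=OpenId/openid_complete';  // assumed plugin page
    return array( 'redirect' => $t_auth_request->redirectURL( $t_trust_root, $t_return_to ) );
}

// openid_complete: the provider has redirected the user back to Mantis.
function openid_login_complete( $p_return_to ) {
    $t_consumer = openid_consumer();
    $t_response = $t_consumer->complete( $p_return_to );
    if ( $t_response->status == Auth_OpenID_CANCEL ) {
        return array( 'error' => 'Sign-in cancelled' );
    }
    if ( $t_response->status != Auth_OpenID_SUCCESS ) {
        return array( 'error' => 'OpenId verification failed: ' . $t_response->message );
    }
    // Only the claimed identifier verified by the library is trusted from here on.
    $t_openid_url = $t_response->identity_url;
    $t_return_page = $_SESSION['openid_return_page'];
    $t_is_signup = $_SESSION['openid_signup'];
    unset( $_SESSION['openid_return_page'], $_SESSION['openid_signup'] );

    if ( $t_is_signup ) {
        $t_sreg = Auth_OpenID_SRegResponse::fromSuccessResponse( $t_response );
        $t_profile = $t_sreg ? $t_sreg->contents() : array();
        // Values to prefill signup_page; openid and fullname are shown read-only there.
        return array( 'signup' => array(
            'openid'   => $t_openid_url,
            'nickname' => isset( $t_profile['nickname'] ) ? $t_profile['nickname'] : '',
            'fullname' => isset( $t_profile['fullname'] ) ? $t_profile['fullname'] : '',
            'email'    => isset( $t_profile['email'] ) ? $t_profile['email'] : '' ) );
    }
    $t_user_id = openid_lookup_user( $t_openid_url );
    if ( $t_user_id === false ) {
        return array( 'error' => 'OpenId is not linked to a Mantis account' );
    }
    // The caller logs the user in by id (the password-less API change noted
    // above) and redirects to $t_return_page or the default home page.
    return array( 'user_id' => $t_user_id, 'redirect' => $t_return_page );
}
```

The page handlers decide what to do with the returned array: an ''error'' key sends the user back to ''login_page'' or ''openid_signup_page'' with the message, a ''redirect'' key from ''openid_login_begin'' is sent as a Location header, and a ''signup'' key carries the values for ''signup_page''. Because the return page and the signup flag live only in ''$_SESSION'', a response arriving without a matching session (or a forged ''openid_url'' form field) cannot steer the user to an attacker-chosen page or a different account.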
 +
==== Database Changes ====

  * New table ''mantis_openid_table'':
    <code sql>
    -- one row per OpenId linked to a Mantis user
    create table mantis_openid_table (
      openid_url varchar(255) not null,
      user_id int not null,
      primary key (openid_url),
      index (user_id)
    );</code>
  * When a row in ''mantis_user_table'' is deleted, all associated rows in ''mantis_openid_table'' must also be deleted.

==== Configuration ====

  * The OpenId library will need to be downloaded and added to the PHP include path.


==== Implementation Log ====


===== Other Changes =====
  * The plugin needs to be able to modify the login page ([[http://www.mantisbt.org/bugs/view.php?id=8765|Issue 8765]]).
  * Need an event signal when a user is deleted ([[http://www.mantisbt.org/bugs/view.php?id=8779|Issue 8779]]).
  * Need an event signal when a user is forced to reauthenticate.


===== Notes =====
Is the JanRain library the best one to use? JanRain libraries seem popular in the PHP and Python communities, but in the Java world the Acegi Spring Security project developers have replaced JanRain with OpenId4Java (see http://raykrueger.blogspot.com/2007/05/update-acegi-and-openid.html).


===== Feedback =====
  * [vboctor] I totally support the integration of open id in Mantis and as soon as we have stable requirements and a contributed implementation, it will go into the Mantis 1.2.x branch.
  * [vboctor] Do we really need to treat signup as a separate scenario from login? Can't we have the user login and if not existing, then auto-signup?
  * [vboctor] There should be a configuration option to enable / disable open id.
    * [NT] To be handled by enabling / disabling the plug-in.
  * [vboctor] If the allow signup configuration option is disabled, then it shouldn't be possible to signup using open id.
  * [vboctor] Specify the db schema changes involved.
  * [vboctor] Provide some sample open id providers (e.g. myopenid and yahoo/gmail when they finalize their support).
  * [vboctor] Do we need to support a mode where an admin can configure Mantis to only allow OPEN ID login/signup?
  * [vboctor] If a user is already logged in using his/her open id, what will happen when they go to Mantis (i.e. describe the single sign-on scenario)?
  * [vboctor] I haven't checked the license / quality of the suggested open id for PHP library.
    * [NT] Licensed under the [[http://www.apache.org/licenses/LICENSE-2.0|Apache Software License]].
  * [vboctor] giallu directed me to [[http://framework.zend.com/manual/en/zend.openid.html|OpenID support by Zend Framework]].

CC Attribution-Noncommercial-Share Alike 4.0 International Driven by DokuWiki