OpenId Authentication Requirements
- Author: NT
- Status: Draft
- Associated Issue: http://www.mantisbt.org/bugs/view.php?id=8199
Introduction
Allow users to authenticate themselves using an OpenId provider.
Allow users to sign up for an account using an OpenId and prepopulate the signup page with a userid, name and email address supplied by their OpenId profile.
Login Flow
- Show a new form with a text box and a Sign-in button for OpenIds on login_page.
- Process the form with a new page, openid_login:
  - Check that the OpenId entered exists in the database (and is not blocked).
  - Use the OpenId library to check authorisation (return to page openid_complete).
  - Any errors go back to login_page with an error message.
- User authenticates on the OpenId server.
- Process the response from the OpenId server:
  - If the user cancelled sign-in or some error occurred, go back to login_page with an error message.
  - Retrieve the user_id associated with this OpenId from the database.
  - Log the user in to Mantis; if that fails, go back to login_page (NB: an API change is needed as we have no password).
  - Display the page the user started the login process from, or the default home page.
  - Complication: the page to return to after a successful login needs to be saved while authorisation is checked.
Signup Flow
- Show a new link on login_page for signup using OpenId.
- Click the link to get openid_signup_page. This is a form for the user to enter their OpenId.
- Process the form with a new page, openid_login:
  - Check that the OpenId entered does not exist in the database.
  - Use the OpenId library to check authorisation (return to page openid_complete).
  - Request that the OpenId provider returns nickname, fullname and email (and avatar?).
  - Any errors go back to openid_signup_page with an error message.
- User authenticates on the OpenId server (and possibly specifies which field values to send back).
- Process the response from the OpenId server:
  - If the user cancelled sign-in or some error occurred, go back to openid_signup_page with an error message.
  - Display signup_page with the nickname and email values; add the extra fields fullname and openid (read-only).
- Process signup_page as normal, checking that username (nickname) and email (?) are not already in use.
  - Any errors: reshow signup_page with an appropriate message.
  - Add the user to the database (an API change is needed to supply fullname) and add a mantis_openid_table record.
Reauthentication Flow
- Allow the user to enter an OpenId (if they have one).
- Process the OpenId in the reauthentication code (change core?).
  - GET and POST parameters need to be saved.
- User authenticates on the OpenId server.
- Process the response from the OpenId server.
  - Any errors: show the reauthentication page with a message letting them use userid/password if they wish.
  - Display the page that required authentication.
Implementation Notes
- Use a third-party library to implement OpenId support, such as the PHP OpenID library by JanRain, Inc.
- Implement as a plug-in.
- For security, do not use the OpenId URI returned from forms once the user has authenticated; use the value returned from the OpenId library or one stored in a session. NB: do not use cookies for this either.
- Passing back the multiple values returned by the signup request may be easier with a class than with procedural code.
- account_page needs to allow a user to add/remove OpenIds.
  - Should manage_user_edit_page allow an administrator to add/remove OpenIds for a user?
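The session side of the Login Flow (openid_login, then openid_complete) together with the note above about not trusting the OpenId URI from the form, as an added example in Python. It is not part of this page and not MantisBT code (which is PHP). The OpenId library call is left out: verified_identity stands for whatever identifier the library reports after it has verified the provider's response, lookup_user_id is an assumed callback into the mantis_openid_table lookup, and the session keys, the page names (home.php, view.php?id=5) and the alice account are constructed for the walk-through.

```python
"""Session-side handling of the OpenId login round trip (added example, not MantisBT code)."""
import secrets
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(raw: str) -> str:
    """Normalise a typed URL identifier as OpenID 2.0 section 7.2 describes: default
    scheme http, lowercase scheme and host, drop the fragment and a default port, give
    an empty path a trailing slash. Apply it before storing an identifier and before
    looking one up, otherwise 'Example.MyOpenID.com' never matches the stored row."""
    s = raw.strip()
    if not s or s.startswith("xri://") or s[0] in "=@+$!":
        raise ValueError("only URL identifiers are handled in this example")
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)  # urlsplit already lowercases scheme and hostname
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not a usable OpenId URL")
    netloc = parts.hostname
    default_port = 80 if parts.scheme == "http" else 443
    if parts.port is not None and parts.port != default_port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def safe_return_page(requested, default_home: str) -> str:
    """Keep the page the user started from only if it is a same-site relative path
    (e.g. view.php?id=5). Anything with a scheme or host, or starting with / or \\,
    is replaced by the default home page, so the saved page cannot send the user
    somewhere else after a successful login."""
    if not requested:
        return default_home
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc or requested[0] in "/\\" or "\\" in requested:
        return default_home
    return requested


def begin_login(session: dict, typed_openid: str, requested_page, default_home: str) -> dict:
    """openid_login: remember the normalised identifier, the page to return to and a
    one-time nonce. The nonce is meant to ride in the return_to URL so that a stray or
    replayed visit to openid_complete cannot be matched to this session."""
    claimed = normalize_openid(typed_openid)
    session["openid_claimed"] = claimed
    session["openid_return_page"] = safe_return_page(requested_page, default_home)
    session["openid_nonce"] = secrets.token_urlsafe(16)
    return {"claimed": claimed, "nonce": session["openid_nonce"]}


def complete_login(session: dict, verified_identity, nonce_from_return_to, lookup_user_id) -> tuple:
    """openid_complete: decide who logged in from (a) the identifier the OpenId library
    verified and (b) state kept server-side in the session. Nothing posted in the form
    is consulted. Returns (user_id, page_to_show)."""
    expected = session.pop("openid_nonce", None)  # single use, whatever happens next
    supplied = nonce_from_return_to if isinstance(nonce_from_return_to, str) and nonce_from_return_to.isascii() else ""
    if expected is None or not secrets.compare_digest(expected, supplied):
        raise PermissionError("return_to nonce missing, stale or already used")
    if not verified_identity:
        raise PermissionError("provider did not verify the identifier (cancelled or failed)")
    user_id = lookup_user_id(normalize_openid(verified_identity))
    if user_id is None:
        raise LookupError("no Mantis account is linked to this OpenId")
    return user_id, session.pop("openid_return_page")


def demo() -> dict:
    """Constructed walk-through: one account (user_id 7) linked to http://alice.example/ ."""
    accounts = {"http://alice.example/": 7}            # constructed OpenId -> user_id table
    session = {}
    started = begin_login(session, "Alice.Example", "view.php?id=5", "home.php")
    result = complete_login(session, "http://alice.example/", started["nonce"], accounts.get)
    try:                                               # same nonce again: already consumed
        complete_login(session, "http://alice.example/", started["nonce"], accounts.get)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    started = begin_login(session, "alice.example", "https://evil.example/", "home.php")
    try:                                               # user cancelled at the provider
        complete_login(session, None, started["nonce"], accounts.get)
        cancel_rejected = False
    except PermissionError:
        cancel_rejected = True
    return {"login": result, "replay_rejected": replay_rejected,
            "cancel_rejected": cancel_rejected, "return_page": session["openid_return_page"]}
```

The point of the split is that openid_complete never reads the identifier from request parameters: the library's verified result selects the account, the session supplies the page to show, and the nonce is consumed on the first visit so the same return_to cannot be replayed into a second login.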
Database Changes
- New table mantis_openid_table:
    create table user_openids (
        openid_url varchar(255) not null,
        primary key (openid_url),
        user_id int not null,
        index (user_id)
    );
- When a row in mantis_user_table is deleted, all associated rows in mantis_openid_table should also be deleted.
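The new table and the delete rule, worked through as an added example that is not MantisBT's own schema code. SQLite via Python's sqlite3 module stands in for the Mantis database layer; the table names follow the page's mantis_..._table naming and the user table is a minimal constructed stand-in. A foreign key with ON DELETE CASCADE is one way to express "delete a user, delete their OpenIds"; the page's own DDL has none, and the event signal on user deletion listed under Other Changes is the alternative. The signup function goes one step beyond the page: it does the last item of the Signup Flow (add the user plus the mantis_openid_table record) in a single transaction, so that an identifier taken between the duplicate check in openid_login and the insert cannot leave a half-created account.

```python
import sqlite3

# Constructed schema: a minimal stand-in for mantis_user_table plus the new table.
SCHEMA = """
CREATE TABLE mantis_user_table (
    id       INTEGER PRIMARY KEY,
    username VARCHAR(32) NOT NULL UNIQUE
);
CREATE TABLE mantis_openid_table (
    openid_url VARCHAR(255) NOT NULL PRIMARY KEY,
    user_id    INTEGER NOT NULL REFERENCES mantis_user_table(id) ON DELETE CASCADE
);
CREATE INDEX mantis_openid_user_idx ON mantis_openid_table(user_id);
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite parses FOREIGN KEY clauses but ignores them until this is set, per
    # connection; forgetting it silently disables the cascade.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def add_user(conn, username: str) -> int:
    cur = conn.execute("INSERT INTO mantis_user_table (username) VALUES (?)", (username,))
    conn.commit()
    return cur.lastrowid

def link_openid(conn, user_id: int, openid_url: str) -> None:
    """account_page 'add': the PRIMARY KEY rejects an identifier already claimed by any
    account, the FOREIGN KEY rejects a user_id that does not exist."""
    conn.execute("INSERT INTO mantis_openid_table (openid_url, user_id) VALUES (?, ?)",
                 (openid_url, user_id))
    conn.commit()

def user_id_for_openid(conn, openid_url: str):
    """openid_complete lookup: verified identifier -> Mantis user_id, or None."""
    row = conn.execute("SELECT user_id FROM mantis_openid_table WHERE openid_url = ?",
                       (openid_url,)).fetchone()
    return row[0] if row else None

def openids_for_user(conn, user_id: int) -> list:
    rows = conn.execute("SELECT openid_url FROM mantis_openid_table WHERE user_id = ? "
                        "ORDER BY openid_url", (user_id,))
    return [r[0] for r in rows]

def signup_with_openid(conn, username: str, openid_url: str):
    """Last step of the Signup Flow: create the user and the mantis_openid_table row in
    one transaction. If the identifier or username was taken since openid_login checked,
    both inserts are rolled back and None is returned."""
    try:
        cur = conn.execute("INSERT INTO mantis_user_table (username) VALUES (?)", (username,))
        conn.execute("INSERT INTO mantis_openid_table (openid_url, user_id) VALUES (?, ?)",
                     (openid_url, cur.lastrowid))
        conn.commit()
        return cur.lastrowid
    except sqlite3.IntegrityError:
        conn.rollback()
        return None

def delete_user(conn, user_id: int) -> None:
    """Deleting the user row is enough: the cascade removes the OpenId rows."""
    conn.execute("DELETE FROM mantis_user_table WHERE id = ?", (user_id,))
    conn.commit()

def demo() -> dict:
    """Constructed walk-through with made-up identifiers."""
    conn = open_db()
    alice = add_user(conn, "alice")
    bob = add_user(conn, "bob")
    link_openid(conn, alice, "http://alice.example/")
    link_openid(conn, alice, "https://id.example/alice")
    link_openid(conn, bob, "http://bob.example/")
    try:
        link_openid(conn, bob, "http://alice.example/")        # already alice's
        duplicate_rejected = False
    except sqlite3.IntegrityError:
        conn.rollback()
        duplicate_rejected = True
    carol = signup_with_openid(conn, "carol", "http://bob.example/")  # identifier taken
    before = user_id_for_openid(conn, "http://alice.example/")
    delete_user(conn, alice)                                    # cascade removes both of her rows
    return {
        "alice": alice, "bob": bob, "carol": carol,
        "duplicate_rejected": duplicate_rejected,
        "before": before,
        "after": user_id_for_openid(conn, "http://alice.example/"),
        "carol_rows": conn.execute("SELECT COUNT(*) FROM mantis_user_table "
                                   "WHERE username = 'carol'").fetchone()[0],
        "bob_ids": openids_for_user(conn, bob),
        "remaining": conn.execute("SELECT COUNT(*) FROM mantis_openid_table").fetchone()[0],
    }
```

With the cascade in the schema the plugin needs no delete hook of its own; on a database or ORM layer without enforced foreign keys, the event signal on user deletion from Other Changes has to do the same cleanup explicitly.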
Configuration
- The OpenId library will need to be downloaded and added to the PHP include path.
Implementation Log
Other Changes
- Plugin needs to be able to modify the login page (Issue 8765).
- Need an event signal when a user is deleted (Issue 8779).
- Need an event signal when a user is forced to reauthenticate.
Notes
Is the JanRain library the best one to use?
JanRain libraries seem popular in the PHP and Python communities,
but in the Java world the Acegi Spring security project developers have replaced JanRain with
OpenId4Java (see http://raykrueger.blogspot.com/2007/05/update-acegi-and-openid.html).
Feedback
- [vboctor] I totally support the integration of open id in Mantis and as soon as we have stable requirements and a contributed implementation, it will go into the Mantis 1.2.x branch.
- [vboctor] Do we really need to treat signup as a separate scenario from login? Can't we have the user login and if not existing, then auto-signup?
- [vboctor] There should be a configuration option to enable / disable open id.
  - [NT] To be handled by enabling / disabling the plug-in.
- [vboctor] If the allow signup configuration option is disabled, then it shouldn't be possible to signup using open id.
- [vboctor] Specify the db schema changes involved.
- [vboctor] Provide some sample open id providers (e.g. myopenid and yahoo/gmail when they finalize their support).
- [vboctor] Do we need to support a mode where an admin can configure Mantis to only allow OPEN ID login/signup?
- [vboctor] If a user is already logged in using his/her open id, what will happen when they go to Mantis (i.e. describe single sign-on scenario).
- [vboctor] I haven't checked the license / quality of the suggested open id for PHP library.
  - [NT] Licensed under the Apache Software License.
- [vboctor] giallu directed me to OpenID support by Zend Framework.