User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9b2) Gecko/2007121120 Firefox/3.0b2
Build Identifier:

Provide a way to specify a custom OpenID in user details to be used for login. Note that this doesn't replace the existing user/pass scheme - emails are still used to register - but it allows logging in without remembering the details.

Reproducible: Always
Please do not mark this bug as a duplicate, but as a blocker for #294608, which is too generic to implement. A user account setting for an alternate OpenID authentication token is a prerequisite for building an OpenID client/consumer. See comment:ticket:294608:1 in the aforementioned bug report.

The OpenID implementation for this bug report is limited to:
1. Provide a placeholder for OpenID settings
2. Validate entered OpenID credentials by trying a simple login session
3. Ensure that there is a 1:1 mapping of OpenID to username in the database (or allow multiple accounts with the same OpenID)
4. Add an alternative OpenID form to the login page
5. For a user who entered an OpenID, query the database for username(s) with this OpenID
6. Query the OpenID server to perform the actual authentication
7. Log the user in (or allow selecting an account if there are multiple users with the same OpenID registered with different emails)

This is all about an OpenID consumer implementation. No server specification so far, in contrast to bug 294608.
I agree, this is a valid thing to start with. See my plan in bug 294608 comment 20. This bug here would be a good way to start implementing what we need for OpenID auth, without having to implement everything in the comment I referenced above.
I'm glad that somebody with Perl/Bugzilla knowledge is stepping in. Let me explain my vision about accounts generated by OpenID in bug 294608 and concentrate here only on the matter of the alternative login implementation. After revising the above implementation roadmap I would like to make a correction to point 3, as having multiple accounts for the same OpenID doesn't look like a good idea anymore. A more useful approach would be to store multiple OpenIDs for the same account. In case somebody would like to use an OpenID that is already registered for another account, an error should be shown with a hint to remove this identifier from the old account. The DB requirement is one table with a "one account" to "multiple OpenIDs" mapping. Note that the OpenID data will likely include several authentication-specific fields.
I'm working on it. The implementation idea is to create OpenID functionality that:
- Can be enabled by a configuration parameter.
- Creates one new interface to log in.
- Stores the OpenID in the database; we just store it on the profile table, and in the future this can easily be changed to another way (this could be added in the changes for bug 218917).
- To avoid conflicts with other parts, the password and email must be disabled.
- OpenID users will be created automatically without confirming the email the first time, and when logging in the next time the same profile will be used. If the configuration to create new users is disabled, Bugzilla will not create the new user.
- If the profile of the "Bugzilla OpenID" user is blocked, it cannot log in.

Use Case: OpenID Log in

Precondition: OpenID authorization is enabled.

Main Scenario:
1. The user enters his OpenID identity.
2. Bugzilla calls UC "Process OpenID Request" and receives the needed information.
3. With that information the user is redirected to his OpenID identity provider.
4. Bugzilla receives a callback authentication from the user's OpenID provider.
5. Bugzilla authenticates the user.
5.1 Bugzilla verifies whether the OpenID identity already exists.
5.2 If it doesn't exist, create a new user with all information received from the authentication provider, if the system is enabled to create users.
5.3 Bugzilla verifies whether the user email is enabled and, if so, disables it.
5.4 Bugzilla creates the cookie id and registers the session.
6. The user is authenticated and the UC ends.

Alternatives:
- If the user enters an empty or invalid OpenID identity in step 1: Bugzilla returns an error message: "Your OpenID is invalid."
- If the user entered a valid OpenID identity but the provider is unavailable in step 2: Bugzilla returns an error message: "Your OpenID identity has an invalid authentication provider."
- If Bugzilla received an invalid callback request in step 4, or a fault occurs in step 5: Bugzilla returns an error message: "I could not conclude your OpenID authentication request."
Disabling email and password for OpenID authentication to work is not an option. For the scope of this bug report OpenID will be useful only as an additional way to log in - not as a replacement for the existing authentication scheme. It is not necessary to display the OpenID anywhere, and there is absolutely no need to create a new user by OpenID. It is designed solely to make the login procedure more convenient for existing users registered with email/pass. In this regard the workflow should be adjusted a bit. Because we do not create a new user, we skip points 5.2 and 5.3 and perform step 5.1 (validation that the OpenID exists in the DB) before step 2 (checking it with the OpenID provider). This would also greatly decrease server load in case of bot probing. That's all from my wishlist. Nice to see we are close to our goal. Keep up the great work. Hope your patch will be reviewed soon.
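The workflow the two comments above converge on (one account holding several OpenIDs, an identifier refused if it is already bound to another account, and the local lookup done before any provider is contacted) as an added model; this is example code, not Bugzilla's code or the attached patch, and the store, the `provider_auth` callback and the error strings are assumptions for illustration:

```python
"""Model of OpenID as an additional login for existing email/password accounts."""
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password_hash: str                    # email/password login stays in place
    openids: set = field(default_factory=set)


class OpenIDMappingError(Exception):
    """Raised when an OpenID is already bound to a different account."""


class AccountStore:
    """In-memory stand-in for the 'one account -> many OpenIDs' table."""

    def __init__(self):
        self.by_email = {}
        self.by_openid = {}               # identifier -> email, so each OpenID maps to one account

    def add_account(self, email, password_hash):
        self.by_email[email] = Account(email, password_hash)

    def associate_openid(self, email, openid):
        """Bind an OpenID to a logged-in, email-confirmed account (assumed already checked)."""
        owner = self.by_openid.get(openid)
        if owner is not None and owner != email:
            raise OpenIDMappingError(
                f"{openid} is already registered to another account; "
                "remove it from the old account first")
        self.by_email[email].openids.add(openid)
        self.by_openid[openid] = email

    def email_for_openid(self, openid):
        return self.by_openid.get(openid)


def begin_openid_login(store, openid, provider_auth):
    """Step 5.1 before step 2: an unknown identifier never reaches the provider.

    provider_auth(openid) stands in for the redirect/callback round trip and
    returns True when the provider confirmed the identity (hypothetical hook).
    """
    email = store.email_for_openid(openid)
    if email is None:                     # no account claims it: reject locally, no provider traffic
        return {"ok": False, "error": "Your OpenID is invalid.", "provider_called": False}
    if not provider_auth(openid):
        return {"ok": False, "error": "I could not conclude your OpenID authentication request.",
                "provider_called": True}
    return {"ok": True, "email": email, "provider_called": True}
```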
"additional way to login - not as a replacement": This is not a replacement; this implementation was designed to log in with OpenID on top of the current login mechanism. For this we are concerned only with providing basic functionality.

"for existing users registered with email/pass" is a good question that we prefer to wait on. See bug 218917, where we are working to create a "unique nick which can be displayed everywhere in place of the usual email address". If we want to "make login procedure more convenient" and consider the user email the most important identity, we need to confirm it, and this is no good. We cannot trust all OpenID authentication providers, because the email can be forged.

"there is absolutely no need to create new user by OpenID": if I have an OpenID identity and would like to enter Bugzilla and report an error/feature, must I have an email to do this? Or do I need to create an account, confirm the email, associate the OpenID identity with my account, type my old password to confirm my wish, log out and log in again with my OpenID?
By "additional way" I mean complementary - without disabling email/password. From your comment #5 I understood that the Bugzilla administrator will have to globally enable either OpenID or email/pass auth, but not both at the same time.

Bug 218917 can be fixed later. It has stood for 5 years and there is no need to kill two birds with one stone. I also doubt it is possible to create this unique username without falling back to an inhuman number. A better alternative to protect from generic spam bots is proposed in bug 219021.

Email is the most important thing for the scope of this bug report. A "registered user" is one with a confirmed email. You need to do it only once and it is good for your spam protection. If you trust users only by their OpenIDs, you put yourself at risk, because spam bots can also act as OpenID providers - it is only a matter of time until they appear. If there are no known bots now, it is just because OpenID is not so widely used.

> "there is absolutely no need to create new user by OpenID" if I
> have one OpenID identify and like to enter on the bugzilla and report any
> error/feature? I must have one email to do this?

Exactly. 99% of people with OpenID have emails; the reverse is not true. I'd prefer not to have users without emails, because they won't be able to receive bug notifications and participate in discussion. They are no different from anonymous users, so you need a captcha instead of OpenID. A captcha is easier and less resource intensive to check.

> Or I need to create one
> account conform the email associate the OpenID identify to my account type my
> old password to confirm my wish do logout and login again with my OpenID?

Only the first three steps - create an account, confirm the email (activate the account), associate the OpenID (validate it after you've logged in). Association and activation can be done in any order if you wish.
(In reply to comment #11) Although I appreciate his participation in the discussion, it should be noted (for mtheus's benefit) that techtonik is not a Bugzilla developer (as far as I know).
Yes I am not a developer. Just trying to clarify my feature request.
Comment on attachment 330142 [details] [diff] [review] Implementation with OpenID-JanRain

Let's face it, I'm not going to get to this review. Changing to glob, who might be interested in this (if nothing else, as a starting point) since he might be going to implement OpenID support eventually.
Comment on attachment 330142 [details] [diff] [review] Implementation with OpenID-JanRain

Sorry, but I haven't had the time to look at this either. There's a discussion about making OpenID supported via an extension on bug 294608.
OpenID support will not be in the Bugzilla core; an extension is now available to provide support for it (see bug 294608 comment 39).