Add "my OpenID" as a secondary auth for registered users

RESOLVED WONTFIX

Status

Bugzilla
User Accounts
--
enhancement
RESOLVED WONTFIX
10 years ago
6 years ago

People

(Reporter: techtonik, Assigned: Matheus Bastos)

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9b2) Gecko/2007121120 Firefox/3.0b2
Build Identifier: 

Provide a way to specify a custom OpenID in the user details to be used for login. Note that this doesn't replace the existing user/pass scheme - emails are still used to register - but instead allows logging in without remembering the details.


Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Updated

10 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 294608
(Reporter)

Comment 2

10 years ago
Please do not mark this bug as a duplicate, but as a blocker for #294608, which is too generic to implement.

User account setting for an alternate OpenID authentication token is a prerequisite for building an OpenID client/consumer. See comment:ticket:294608:1 in the aforementioned bug report.


The OpenID implementation of this bug report is limited to:
1. Provide a placeholder for OpenID settings
2. Validate entered OpenID credentials by trying a simple login session
3. Ensure that there is a 1:1 mapping of OpenID to username in the database (or allow multiple accounts with the same OpenID)
4. Add an alternative OpenID form to the login page
5. For a user who entered an OpenID, query the database for username(s) with this OpenID
6. Query the OpenID server to make the actual authentication
7. Log in the user (or allow selecting an account if there are multiple users with the same OpenID registered with different emails)

This is all about OpenID consumer implementation. No server specification so far, in contrast to bug 294608.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
(Reporter)

Updated

10 years ago
Blocks: 294608

Comment 3

10 years ago
I agree, this is a valid thing to start with. See my plan in bug 294608 comment 20. 

This bug here would be a good way to start implementing what we need for OpenID auth, without having to implement everything in the comment I referenced above.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Other → All
Target Milestone: --- → Bugzilla 4.0
Version: unspecified → 3.1.3
(Reporter)

Comment 4

10 years ago
I am glad that somebody with Perl/Bugzilla knowledge has stepped in. Let me explain my vision about accounts generated by OpenID in bug 294608 and concentrate here only on the matters of alternative login implementation.

After revising the above implementation roadmap I would like to make a correction to point 3, as having multiple accounts for the same OpenID doesn't look like a good idea anymore. A more useful approach would be to store multiple OpenIDs for the same account. In case somebody would like to use an OpenID that is already registered for another account, an error should be shown with a hint to remove this identifier from the old account.

The DB requirement is one table with a "one account" to "multiple OpenID" mapping. Note that OpenID data will likely include several authentication-specific fields.
(Assignee)

Comment 5

10 years ago
I'm working on it. The implementation idea is to create OpenID functionality that can be enabled by a configuration parameter. Create one new interface to log in. Store the OpenID in the database; we just store it in the profile table, and in the future this can easily change to another way (this could be added in the changes of bug 218917). To avoid creating conflicts with other parts, the password and email must be disabled. OpenID users will be created automatically, without confirming email, the first time, and when logging in the next time the same profile will be used. If the configuration to create new users is disabled, Bugzilla will not create the new user. If the profile of the “Bugzilla OpenID” user is blocked, it cannot log in.

Use Case OpenID Log in

Precondition
OpenID authorization is enabled.

Main Scenario
1. User provides his OpenID identity.
2. Bugzilla calls UC Process OpenID Request and receives the needed information.
3. With the information, the user is redirected to his OpenID identity provider.
4. Bugzilla receives a callback authentication from the user's OpenID provider.
5. Bugzilla authenticates the user.
5.1 Bugzilla verifies whether the OpenID identity already exists.
5.2 If it doesn't exist, create a new user with all information received from the authentication provider, if the system is enabled to create users.
5.3 Bugzilla verifies whether the user email is enabled, then disables it.
5.4 Bugzilla creates the cookie id and registers the session.
6. User is authenticated and the UC ends.

Alternatives

If the user provides an empty or invalid OpenID identity in step 1:
Bugzilla returns an Error Message: Your OpenID is invalid.

If the user provided a valid OpenID identity but the provider is unavailable in step 2:
Bugzilla returns an Error Message: Your OpenID identify has an invalid authentication provider.

If Bugzilla received an invalid callback request in step 4 or a fault in step 5:
Bugzilla returns an Error Message: I could not conclude your OpenID authentication request.
(Assignee)

Comment 6

10 years ago
Created attachment 325919 [details] [diff] [review]
Sketch

Max, Can you review this?

Updated

10 years ago
Assignee: user-accounts → mtheus
(Assignee)

Updated

10 years ago
Attachment #325919 - Attachment is obsolete: true
(Assignee)

Comment 7

10 years ago
Created attachment 330142 [details] [diff] [review]
Implementation with OpenID-JanRain
(Assignee)

Comment 8

10 years ago
Created attachment 330146 [details]
Readme
(Assignee)

Updated

10 years ago
Attachment #330142 - Flags: review?(mkanat)
(Reporter)

Comment 9

10 years ago
Disabling email and password for OpenID authentication to work is not an option. For the scope of this bugreport OpenID will be useful only as an additional way to login - not as a replacement of existing authentication scheme. It is not necessary to display OpenID anywhere and there is absolutely no need to create new user by OpenID. It is designed solely to make login procedure more convenient for existing users registered with email/pass.

In this regard the workflow should be adjusted a bit. Because we do not create a new user we skip points 5.2, 5.3 and perform step 5.1 (validation if OpenID exists in DB) before step 2 (checking it with OpenID provider). This would also greatly decrease server load in case of bot probing.

That's all from my wishlist. Nice to see we are close to our goal.
Keep up the great work. Hope your patch will be reviewed soon.
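
The one-account-to-many-OpenIDs mapping from comment 4 and the lookup-before-provider ordering from comment 9, as an added example (not code from the attached patch or from Bugzilla; Python with SQLite is used only so that it runs stand-alone). The table and column names, the simplified `normalize`, `link_openid`, `begin_login` and the `contact_provider` callback standing in for the provider round trip are all hypothetical.

```python
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Hypothetical schema: one account may hold many OpenIDs, each OpenID has one owner.
SCHEMA = """
CREATE TABLE profiles (
    userid INTEGER PRIMARY KEY, login_name TEXT NOT NULL UNIQUE,
    disabled INTEGER NOT NULL DEFAULT 0);
CREATE TABLE profile_openids (
    openid_url TEXT PRIMARY KEY,        -- uniqueness blocks a second owner
    userid INTEGER NOT NULL REFERENCES profiles(userid));
"""

def normalize(identifier):
    """Simplified normalization: default scheme, lowercase host, drop fragment."""
    ident = identifier.strip()
    if not ident:
        return None
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return urlunsplit((parts.scheme, parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))

def link_openid(db, userid, identifier):
    """Attach an OpenID to an account; refuse if it is already registered."""
    url = normalize(identifier)
    if url is None:
        raise ValueError("Your OpenID is invalid.")
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO profile_openids VALUES (?, ?)", (url, userid))
    except sqlite3.IntegrityError:
        raise ValueError("This OpenID is already registered; "
                         "remove it from the old account first.")
    return url

def begin_login(db, identifier, contact_provider):
    """Database lookup first: unknown or disabled accounts never reach the provider."""
    url = normalize(identifier)
    row = url and db.execute(
        "SELECT p.login_name, p.disabled FROM profile_openids o "
        "JOIN profiles p ON p.userid = o.userid WHERE o.openid_url = ?",
        (url,)).fetchone()
    if not row or row[1]:
        return None                     # no outbound request is made
    return row[0] if contact_provider(url) else None
```

Because unknown and disabled identifiers return before `contact_provider` is called, a probing client cannot make the server issue outbound requests to arbitrary URLs.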
(Assignee)

Comment 10

10 years ago
“additional way to login - not as a replacement” This is not a replacement; this implementation was designed to log in with OpenID on top of the current login mechanism. For this we are concerned only with providing basic functionality.

“for existing users registered with email/pass” is one good question that we prefer to wait on. See bug 218917: we are working to create a “unique nick which can be displayed everywhere in place of the usual email address”. If we want to “make login procedure more convenient” and consider the user email the most important identity, we need to confirm it, and this is no good. We cannot trust all OpenID authentication providers because the email can be forged. “there is  absolutely no need to create new user by OpenID”: what if I have an OpenID identity and would like to enter Bugzilla and report an error/feature? Must I have an email to do this? Or do I need to create an account, confirm the email, associate the OpenID identity with my account, type my old password to confirm my wish, log out and log in again with my OpenID?
 
(Reporter)

Comment 11

10 years ago
By "additional way" I mean complementary - without disabling email/password. From your comment #5 I understood that the Bugzilla administrator will have to globally enable either OpenID or email/pass auth, but not both at the same time.

Bug 218917 can be fixed later. It has stood for 5 years and there is no need to kill two birds with one stone. I also doubt it is possible to create this unique username without falling back to an unhuman number. A better alternative to protect from generic spam bots is proposed in bug 219021.

Email is the most important thing for the scope of this bugreport. A "registered user" is one with a confirmed email. You need to do it only once and it is good for your spam protection. If you trust users only by their OpenIDs, you put yourself at risk, because spam bots can also act as OpenID providers - it is only a matter of time until they appear. If there are no known bots now, it is just because OpenID is not so widely used.

> “there is  absolutely no need to create new user by OpenID” if I
> have one OpenID identify and like to enter on the bugzilla and report any
> error/feature? I must have one email to do this? 

Exactly. 99% of people with OpenID have emails; the reverse is not true. I'd prefer not to have users without emails, because they won't be able to receive bug notifications and participate in discussion. They are no different from anonymous users, so you need a captcha instead of OpenID. A captcha is easier and less resource intensive to check.

> Or I need to create one 
> account conform the email associate the OpenID identify to my account type my
> old password to confirm my wish do logout and login again with my OpenID?

Only the first three steps - create account, confirm email (activate account), associate OpenID (validate it after you've logged in). Association and activation can be done in any order if you wish.

Comment 12

10 years ago
(In reply to comment #11)
Although I appreciate his participation in the discussion, it should be noted (for mtheus's benefit) that techtonik is not a Bugzilla developer (as far as I know).
(Assignee)

Comment 13

10 years ago
Created attachment 330464 [details]
OpenID PrintScreen
(Reporter)

Comment 14

10 years ago
Yes I am not a developer. Just trying to clarify my feature request.

Updated

9 years ago
Attachment #330142 - Flags: review?(mkanat) → review?(wicked)
Duplicate of this bug: 628761
Comment on attachment 330142 [details] [diff] [review]
Implementation with OpenID-JanRain

Let's face it, I'm not going to get to this review. Changing to glob, who might be interested in this (if nothing else, as a starting point) since he might be going to implement OpenID support eventually.
Attachment #330142 - Flags: review?(wicked) → review?(glob)
Comment on attachment 330142 [details] [diff] [review]
Implementation with OpenID-JanRain

sorry, but i haven't had the time to look at this either.  there's a discussion about making openid supported via an extension on bug 294608.
Attachment #330142 - Flags: review?(glob)
openid support will not be in the bugzilla core; and an extension is now available to provide support for it (see bug 294608 comment 39).
Status: NEW → RESOLVED
Last Resolved: 10 years ago → 6 years ago
Resolution: --- → WONTFIX

Updated

6 years ago
Target Milestone: Bugzilla 4.4 → ---