OpenID Authentication
This is an open discussion with 56 replies, filed under Extensions.
Thanks, Marco.
So far, here's what I've figured out:
- Logout event
- Added the OpenID data to the parameter pool
- Find the Member ID based on the OpenID email address
So, I'm able to filter the Members section based on the email address. But that's about as far as I've been able to get.
I believe the only thing left is to figure out how to enable role based permissions for events based on the Members extension roles.
What would be the proper way to extend the initialiseMemberObject method?
That does look wrong. Anyway, that would be great if you had some time to integrate the two!
Here we are Stephen!
I created a new tiny extension that should do the job. Here's the gist.
There's no need to modify the Openid Authentication code, that's why I've created the delegate in the first place, so you are able to build your own auth process on top of the extension.
As always, I don't expect it to be bug-free. My test environment was:
- Symphony 2.1.2
- OpenID auth 0.1
- Members fixes branch
Let me know if that works ;)
That's awesome, Marco! It looks like a much more elegant solution than my hack job.
I'll let you know how it goes.
Marco, I've got OpenID working perfectly with Symphony 2.1.2 and the old Members extension.
Now, I'm trying to see whether I can get it working with Symphony 2.2.1 and the Members Beta extension. The strange thing was that updating to Symphony 2.2 seems to have broken the OpenID extension. I wasn't sure if it was just in my local environment, but the same error seems to happen in dev and production.
Fatal error: main() [function.require]: Failed opening required 'Auth/OpenID/Consumer.php' (include_path='.:/usr/local/php5/lib/php') in /Users/stephen/Sites/domain7/team-members/extensions/openid_auth/lib/class.openidhelper.php on line 0
We had to add the following to the .htaccess file so the extension was able to find the required classes:
php_value include_path ".:/usr/share/php:/usr/share/pear:extensions/openid_auth/lib/php-openid"
So, now the issue is that the gist you provided for integration with the old Members extension, of course, does not work with the new extension.
Fatal error: Call to undefined method extension_Members::findmemberidfromemail() in /home/sym/public_html/extensions/members_openid/extension.driver.php on line 34
I suppose I just need to point to a different method in the new Members extension to find the Member ID?
Thanks, Marco. I see you've already fixed the include_path bug. I just hadn't yet pulled that in from my master branch.
I was able to figure out how to modify the extension to integrate the Members extension with the OpenID Authentication extension, with a little help from brendo. This uses our modification to use the Google Apps library.
We found an issue with the php-openid library added as a submodule to the OpenID Authentication extension. For now, we've added a fix for this as a patch. This can be applied with the following commands:
cd extensions/openid_auth/lib/php-openid
git apply ../../OpenID-mod_rewrite.patch
Thank you very much Stephen, your testing is priceless :)
I'll apply your patch soon, looks good to me.
alpacaaa, your extension is priceless :)
I came across an issue with the Configuration class when following the documentation for OpenID Simple Registration: The Configuration class doesn't support array values.
So this causes a fatal error when saving preferences:
'openid-auth' => array( 'sreg-required-fields' => array('fullname', 'dob'), 'sreg-optional-fields' => array('language') ),
So, the documentation and extension should probably be changed to support this instead:
'openid-auth' => array( 'sreg-required-fields' => 'fullname, dob', 'sreg-optional-fields' => 'language' ),
At any rate, I don't actually need to require this data for my current implementation.
Thanks again Stephen.
I should have some time tomorrow to update the README and patch the code accordingly.
I've got around this in the past by exploding/imploding simple arrays, or serialize/unserialize more complex ones (Search Index for example, where I store a large multidimensional array rather than messing around with database tables).
I'll go with the exploding/imploding way, nothing complicated here, just a list of fields.
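An added example (not alpacaaa's code) of the explode/implode approach applied to the sreg field lists: sregFieldsFromConfig and sregFieldsToConfig are hypothetical helper names, and the allowed-field list is the one defined by the OpenID Simple Registration 1.0 extension.

```php
<?php
// Added example, not the extension's code: Symphony's Configuration class stores
// scalars only, so the SReg field lists live as comma-separated strings. This
// helper accepts either form and returns a validated, de-duplicated array.

function sregFieldsFromConfig($value)
{
    // Field names defined by the OpenID Simple Registration 1.0 extension.
    static $allowed = array('nickname', 'email', 'fullname', 'dob', 'gender',
                            'postcode', 'country', 'language', 'timezone');
    $fields = is_array($value) ? $value : explode(',', (string) $value);
    $clean = array();
    foreach ($fields as $field) {
        $field = strtolower(trim($field));
        if ($field === '') {
            continue;                          // tolerate 'fullname, dob,'
        }
        if (!in_array($field, $allowed, true)) {
            throw new InvalidArgumentException("Unknown SReg field: $field");
        }
        $clean[$field] = true;                 // keys de-duplicate, order kept
    }
    return array_keys($clean);
}

// Inverse: the string form to write back into the preferences.
function sregFieldsToConfig($fields)
{
    return implode(', ', sregFieldsFromConfig($fields));
}

// Constructed sample in the string layout proposed above (note the stray
// whitespace and case, which the helper normalises).
$prefs = array('openid-auth' => array(
    'sreg-required-fields' => 'fullname, dob',
    'sreg-optional-fields' => 'language, DOB ',
));
$required = sregFieldsFromConfig($prefs['openid-auth']['sreg-required-fields']);
$optional = sregFieldsFromConfig($prefs['openid-auth']['sreg-optional-fields']);
// A field listed as both required and optional is a misconfiguration; drop it
// from the optional list so the request sent to the provider is unambiguous.
$optional = array_values(array_diff($optional, $required));
var_dump($required, $optional, sregFieldsToConfig($optional));
```

The two arrays come out in the shape php-openid's Auth_OpenID_SRegRequest::build($required, $optional) takes.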
For those of you using this with the Members extension (or can it be used for backend login too?): are you still offering the visitor the option of a 'normal' sign-up, e.g. with double opt-in email, as an alternative to the OpenID sign-in? Or can you imagine going as far as to direct people who don't have an account with any of the listed providers to a popular provider like myOpenID to get an ID over there? OT: is it correct that you can use Google and Facebook accounts for OpenID but can't log in to those with third-party OpenIDs?
Facebook isn't an OpenID provider (nor is Twitter) and that's a shame because it would be pretty cool. Instead, you need a specific authentication implementation for each of these systems...
Have you considered something more generic like Janrain?
@Nick, yes I have
For those of us new to single sign-on, I would like to get some feedback from the more experienced users on their setups.
technology
When I want a single sign-on for my members (vs. a traditional site-specific login/password per double opt-in email), this simply means members can sign on with one of the accounts they already have at a social web app like Facebook, Twitter, LinkedIn, Google, ... Although most of them support the OpenID standard, Twitter works with the OAuth standard, and Facebook works with its own Facebook Connect. In depth here.
this extension
This OpenID extension probably covers most apps (anyone tech-savvy enough to have a Twitter account surely has a Google or own OpenID, right?) but there are people out there who only have a Facebook or LinkedIn account and none that supports OpenID... So what do I do?
- tell them to get an OpenID (e.g. over at myOpenID)
- make sure to cover all 3 systems
And once a uniform single sign-on is in place, do I still bother offering a traditional site-specific login/password per double opt-in email as an alternative, or just tell visitors to get an OpenID (e.g. over at myOpenID)?
Interestingly, you can hook your Google account to your Facebook at Facebook, but it's not real OpenID. Can you sign into a Google account with an OpenID from e.g. myOpenID?
cover all 3 systems
So either I must extend this extension, or use other extensions to supplement it to support OAuth and Facebook Connect, just like Stack Overflow also handles Facebook on top of OpenID. Any ready-made PHP libraries out there for Connect and OAuth? There has been work done on integrating all 3 in Drupal.
All in all, integrating these 3, and whatever comes next, might not be trivial, so why not go for a universal system:
universal
There are some commercial products that offer free versions with only the sign-on:
janrain
Janrain Engage is a set of widgets and backend technology to support a variety of identity providers who may be authenticating through various flavors of OpenID and OAuth, shielding you from implementing the protocols required to support the over 20 identity providers that Janrain supports. (source)
Janrain's free Basic service allows up to 2500 unique registered users to sign in annually. Accommodating more users requires an upgrade to one of their paid service tiers. (source)
Has anyone integrated Janrain in Symphony? Is it a drop-in snippet, or would it require an extension? (resources)
simpleauth
should be unlimited and free
gigya
do they have a free version?
other logins
Unfortunately there is no way to use Amazon Payments, PayPal or eBay login data? That would come in handy for e-commerce... (Apple ID, not gonna happen...)
Was not aware of simpleauth, looks good!
As you said, integrating platform-specific code (for Facebook, Twitter etc.) wouldn't be that hard, it's just that I don't completely agree with these kinds of policies.
I wasn't aware of the bug with google apps, thanks for your fix Stephen!
Simply delete the cookie. Create a new event and use something like this:
You may want to tweak events' priority to make sure it triggers before anything else.
To integrate this extension with Members, I guess you'd need to extend initialiseMemberObject. This approach has some security flaws in that someone could hijack his OpenID cookie and log in as someone else, but I guess it won't be a problem in an intranet app.
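Added here as an example of the hardened alternative to the cookie approach alpacaaa describes; it is not code from the OpenID Authentication extension or the Members extension, and the function names, the $openidIdentity/$memberId parameters and the one-hour lifetime are assumptions.

```php
<?php
// Added example, not code from the OpenID Authentication or Members extensions:
// keep the verified OpenID identity in the server-side session instead of a
// cookie a browser can be tricked into presenting. Names are hypothetical.

function startSecureSession()
{
    // Only the session id reaches the client: HttpOnly hides it from scripts,
    // Secure keeps it off plain HTTP (so the site needs TLS).
    ini_set('session.use_only_cookies', 1);
    session_set_cookie_params(0, '/', '', true, true);
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call after the OpenID assertion is verified and matched to a Members entry.
function loginOpenIdMember($openidIdentity, $memberId)
{
    startSecureSession();
    session_regenerate_id(true);   // drop any id that existed before authentication
    $_SESSION['openid'] = array('identity' => $openidIdentity, 'member_id' => (int) $memberId, 'issued' => time());
}

// Member id for this request, or null; an initialiseMemberObject hook would
// load the Member from this rather than from a client-side cookie.
function currentOpenIdMember($maxAge = 3600)
{
    startSecureSession();
    if (empty($_SESSION['openid'])) {
        return null;
    }
    if (time() - $_SESSION['openid']['issued'] > $maxAge) {
        logoutOpenIdMember();      // expired: force a fresh OpenID round trip
        return null;
    }
    return $_SESSION['openid']['member_id'];
}

// The logout event: wipe the data, expire the cookie, destroy the server record.
function logoutOpenIdMember()
{
    startSecureSession();
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```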