====== OpenId Authentication Requirements ======

  * **Author**: NT
  * **Status**: Draft
  * **Associated Issue**: http://www.mantisbt.org/bugs/view.php?id=8199

===== Introduction =====

Allow users to authenticate themselves using an OpenId provider.

Allow users to sign up for an account using an OpenId and prepopulate the signup page with a userid, name and email address supplied by their OpenId profile.

==== Login Flow ====

  - Show a new form with a text box and Sign-in button for OpenIds on ''login_page''.
  - Process the form with a new page ''openid_login''.
    * Check that the OpenId entered exists in the database (and is not blocked).
    * Use the OpenId library to check authorisation (return to page ''openid_complete'').
    * Any errors go back to ''login_page'' with an error message.
  - User authenticates on the OpenId server.
  - Process the response from the OpenId server.
    * If the user cancelled sign-in or some error occurred, go back to ''login_page'' with an error message.
    * Retrieve the user_id associated with this OpenId from the database.
    * Log the user in to Mantis; if that fails, go back to ''login_page'' (NB: API change needed as we have no password).
  - Display the page the user started the login process from, or the default home page.
    * Complication: the login success page needs to be saved while authorisation is checked.

==== Signup Flow ====

  - Show a new link on ''login_page'' for signup using OpenId.
  - Click the link to get ''openid_signup_page''. This is a form for the user to enter their OpenId.
  - Process the form with the new page ''openid_login''.
    * Check that the OpenId entered does not already exist in the database.
    * Use the OpenId library to check authorisation (return to page ''openid_complete'').
    * Request that the OpenId provider returns ''nickname'', ''fullname'' and ''email'' (and ''avatar''?).
    * Any errors go back to ''openid_signup_page'' with an error message.
  - User authenticates on the OpenId server (and possibly specifies which field values to send back).
  - Process the response from the OpenId server.
    * If the user cancelled sign-in or some error occurred, go back to ''openid_signup_page'' with an error message.
    * Display ''signup_page'' with the ''nickname'' and ''email'' values; add extra fields ''fullname'' and ''openid'' (read-only).
  - Process ''signup_page'' as normal, checking that ''username'' (''nickname'') and ''email'' (?) are not already in use.
    * Any errors: reshow ''signup_page'' with an appropriate message.
    * Add the user to the database (API change needed to supply ''fullname'') and add a ''mantis_openid_table'' record.

===== Implementation Notes =====

  * Use a third-party library to implement OpenId support, such as the [[http://www.openidenabled.com/php-openid/|PHP OpenID library by JanRain, Inc]].
  * Implement as a plug-in.
  * For security, do not use the OpenId URI returned from forms once the user has authenticated; use the value returned from the OpenId library or one stored in a session. NB: do not use cookies either.
  * Passing back multiple values returned by the signup request may be easier with a class than with procedural code.
  * ''account_page'' needs to allow a user to add/remove OpenIds.
  * Should ''manage_user_edit_page'' allow an administrator to add/remove OpenIds for a user?

==== Database Changes ====

  * New table ''mantis_openid_table'':
<code sql>
create table user_openids (
  openid_url varchar(255) not null,
  primary key (openid_url),
  user_id int not null,
  index (user_id)
);
</code>
  * When a row in ''mantis_user_table'' is deleted, all associated rows in ''mantis_openid_table'' should also be deleted.

==== Configuration ====

  * The OpenId library will need to be downloaded and added to the PHP include path.

==== Implementation Log ====

===== Other Changes =====

===== Notes =====

Is the JanRain library the best one to use? JanRain libraries seem popular in the PHP and Python communities, but in the Java world the Acegi Spring Security project developers have replaced JanRain with OpenId4Java (see http://raykrueger.blogspot.com/2007/05/update-acegi-and-openid.html).
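To make two of the points above concrete (resolve the user only from the identifier the OpenId library verified, and remove a user's OpenId rows when the user is deleted), here is an added Python example against an in-memory SQLite model of the proposed table. It is not MantisBT or JanRain code; the ''enabled'' column, the ''mantis_user_table'' columns and the cascade rule are assumptions.

```python
import sqlite3

# Constructed in-memory model of the schema proposed above (example code, not
# MantisBT's). The user table columns and the ON DELETE CASCADE are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    db.executescript("""
        create table mantis_user_table (
            id integer primary key,
            username varchar(32) not null unique,
            enabled integer not null default 1
        );
        create table mantis_openid_table (
            openid_url varchar(255) not null primary key,
            user_id int not null references mantis_user_table(id)
                on delete cascade
        );
        create index openid_user_idx on mantis_openid_table(user_id);
    """)
    return db

def user_for_openid(db, verified_identifier):
    """openid_complete: map the library-verified identifier to a user_id.

    Only the identifier the OpenId library returned (or the one stored in the
    session at openid_login time) may be passed here, never a form or query
    string value: after the redirect round-trip that value is under the
    browser's control. Returns None for an unknown OpenId or a blocked user.
    """
    row = db.execute(
        "select u.id, u.enabled from mantis_openid_table o "
        "join mantis_user_table u on u.id = o.user_id "
        "where o.openid_url = ?", (verified_identifier,)).fetchone()
    if row is None or row[1] == 0:
        return None
    return row[0]

def add_openid(db, user_id, openid_url):
    """account_page: attach an OpenId to a user; False if already claimed."""
    try:
        db.execute("insert into mantis_openid_table values (?, ?)",
                   (openid_url, user_id))
    except sqlite3.IntegrityError:  # primary key on openid_url rejects reuse
        return False
    return True

def delete_user(db, user_id):
    """Delete a user; returns how many of their OpenId rows remain (expect 0)."""
    db.execute("delete from mantis_user_table where id = ?", (user_id,))
    return db.execute("select count(*) from mantis_openid_table "
                      "where user_id = ?", (user_id,)).fetchone()[0]
```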
===== Feedback =====

  * Please provide feedback.