2014-12-20 11:30 EST

ID: 0008199
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2014-11-13 03:50
Reporter: ekylin
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status:
Resolution: reopened
Product Version: 1.2.3
Target Version:
Fixed in Version:
Summary: 0008199: Add Open ID support
Description: Hope a feature to support openid?
Tags: No tags attached.
Attached Files
  • requirements.txt (4,263 bytes) 2007-12-29 17:05
    ====== OpenId Authentication Requirements ======
    
       * **Author**: NT
       * **Status**: Draft 
       * **Associated Issue**: http://www.mantisbt.org/bugs/view.php?id=8199
    
    
    
    ===== Introduction =====
    Allow users to Authenticate themselves using an OpenId provider.
    
    Allow users to signup for an account using an OpenId and prepopulate \\ 
    the signup page with a userid, name and email address supplied by their OpenId profile. 
    
    
    ==== Login Flow ====
      - Show New Form with Text Box and Sign-in button for OpenIds on ''login_page''.
      - Process form with new page ''openid_login''.
        * Check openid entered exists on database (and is not blocked).
        * use OpenId library to check authorisation (return to page ''openid_complete'').
        * any errors go back to ''login_page'' with error message.
      - User authenticates on OpenId server.
      - Process response from the OpenId server.
        * If the user cancelled signin or some error occurred then go back to ''login_page'' with error message. 
        * Retrieve the user_id associated with this OpenId from the database.
        * Login user to mantis, if fail then back to ''login_page'' (NB api change needed as we have no password).
      - Display the page user started login process from or the default home page.
        * Complication - need to save the login success page while authorisation is checked.
      
    
    ==== Signup Flow ====
    
      - Show New link on ''login_page'' for signup using OpenId.
      - Click link to get ''openid_signup_page''. This is a form for the user to enter their OpenId.
      - Process form with new page ''openid_login''.
        * Check openid entered does not exist on database.
        * use OpenId library to check authorisation (return to page ''openid_complete'').
        * request that openid returns ''nickname'', ''fullname'' and ''email''. (and ''avatar'' ?)
        * any errors go back to ''openid_signup_page'' with error message.
      - User authenticates on OpenId server and (possibly specifies which field values to send back).
      - Process response from the OpenId server.
        * If the user cancelled signin or some error occurred then go back to ''openid_signup_page'' with error message. 
        * Display ''signup_page'' with ''nickname'' and ''email'' values; add extra fields ''fullname'' and ''openid'' (read-only).
      - Process ''signup_page'' as normal checking that ''username'' (''nickname'') and ''email'' (?) are not already in use.
        * Any errors - reshow ''signup_page'' with appropriate message.
        * Add user to database - api change needed to supply ''fullname'' and add a ''mantis_openid_table'' record.
    
    
    
    ===== Implementation Notes =====
    
      * Use a third party library to implement OpenId support such as the [[http://www.openidenabled.com/php-openid/|PHP OpenID library by JanRain, Inc]].
      * Implement as a plug-in
      * For security do not use openid uri returned from forms once the user has authenticated, use the value returned from the openid library or one stored in a session. NB do not use cookies either.
      * Passing back multiple values returned by the signup request may be easier with a class than with procedural code.  
      * ''account_page'' needs to allow a user to add/remove openids.
      * should ''manage_user_edit_page'' allow an administrator to add/remove openids for a user ?
    
    ==== Database Changes ====
    
      * new table  ''mantis_openid_table''
        <code sql>
        -- table name matches the one used in the text above; columns listed before the keys
        create table mantis_openid_table (
        openid_url varchar(255) not null,
        user_id int not null,
        primary key (openid_url),
        index (user_id)
        );
        </code>
      * When a row in ''mantis_user_table'' is deleted all associated rows from ''mantis_openid_table'' should also be deleted.
    
    ==== Configuration ====
     
      * OpenId library will need to be downloaded and added to php include path.
    
    
    ==== Implementation Log ====
    
    
    ===== Other Changes =====
    
    
    
    
    
    
    ===== Notes =====
    Is the JanRain library the best one to use? \\ 
    JanRain libraries seem popular in the php and python communities,\\  
    but in the java world the Acegi Spring security project developers have replaced JanRain with \\ 
    OpenId4Java (see http://raykrueger.blogspot.com/2007/05/update-acegi-and-openid.html).
    
    ===== Feedback =====
      * Please provide feedback
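The ''openid_complete'' step of the Login Flow and the "use the value returned from the openid library, not the form" rule from the Implementation Notes, as an added example that is not part of the attached draft or of MantisBT. It assumes MantisBT 1.2 core functions (db_*, session_get, user_is_enabled, user_get_field, string_sanitize_url, print_header_redirect, and auth_attempt_login accepting a null password as in the attached patch), the JanRain php-openid 2.x consumer API, and an assumed config option 'openid_store_path'.

```php
<?php
# Added example (not MantisBT project code): completion step of the OpenID
# login flow. Assumes MantisBT 1.2 core APIs plus JanRain php-openid 2.x;
# 'openid_store_path' is an assumed config option naming the consumer's
# association/nonce store directory.
require_once( 'core.php' );
require_once( 'Auth/OpenID/Consumer.php' );
require_once( 'Auth/OpenID/FileStore.php' );

# Resolve a verified OpenID URL to a user id through mantis_openid_table
# (the table proposed under Database Changes); false when no row exists.
function openid_get_user_id( $p_openid_url ) {
	$t_openid_table = db_get_table( 'mantis_openid_table' );
	$t_query = "SELECT user_id FROM $t_openid_table WHERE openid_url=" . db_param();
	$t_result = db_query_bound( $t_query, array( $p_openid_url ), 1 );
	if( 0 == db_num_rows( $t_result ) ) {
		return false;
	}
	$t_row = db_fetch_array( $t_result );
	return (int)$t_row['user_id'];
}

# The page to show after login was saved in the session by openid_login before
# the redirect to the provider. Accept only a site-relative target so the
# completion page cannot be turned into an open redirect.
function openid_safe_return_page( $p_return ) {
	$t_return = string_sanitize_url( $p_return );
	if( $t_return == '' || preg_match( '#^(//|[a-z][a-z0-9+.-]*:)#i', $t_return ) ) {
		return config_get( 'default_home_page' );
	}
	return $t_return;
}

$t_store = new Auth_OpenID_FileStore( config_get( 'openid_store_path' ) );
$t_consumer = new Auth_OpenID_Consumer( $t_store );
# complete() verifies the signature and nonce of the provider's response.
$t_response = $t_consumer->complete( config_get( 'path' ) . 'openid_complete.php' );

# Cancelled, failed or replayed assertion: back to login_page with an error.
if( $t_response->status != Auth_OpenID_SUCCESS ) {
	print_header_redirect( 'login_page.php?error=1' );
	exit;
}

# Bind to the identity the library verified, never to an openid value that
# came back from the browser in a form field or the query string.
$t_user_id = openid_get_user_id( $t_response->identity_url );
if( false === $t_user_id || !user_is_enabled( $t_user_id ) ) {
	print_header_redirect( 'login_page.php?error=1' );
	exit;
}

# Password-less login as enabled by the attached authentication_api.php patch.
if( !auth_attempt_login( user_get_field( $t_user_id, 'username' ), null ) ) {
	print_header_redirect( 'login_page.php?error=1' );
	exit;
}
print_header_redirect( openid_safe_return_page( session_get( 'openid_return', '' ) ) );
```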
  • mantisbt_openid_support.patch (5,922 bytes) 2010-11-12 02:56
    --- config_defaults_inc.php	Thu Nov 11 22:13:18 2010
    +++ config_defaults_inc.php	Fri Nov 12 00:09:52 2010
    @@ -3823,3 +3823,35 @@
     		'anonymous', 'content_expire', 'html_valid_tags', 'custom_headers', 'rss_key_seed', 'plugins_enabled', 'session_', 'form_security_',
     		'compress_html', '_page$', '_url$',
     	);
    +	
    +	/******************
    +	 * OpenID via rpxnow.com (https://rpxnow.com/)
    +	 *******************/
    +
    +	/**
    +	 * Enable/disable open id support.
    +	 */
    +	$g_openid_enabled = OFF;
    +	
    +	/**
    +	 * The RpxNow API key for the site.  Note that each site should be registered separately
    +	 * and get its own api key, otherwise, user logins will be mixed up.  This is because the
    +	 * mapping between the open ids and MantisBT database id is stored in rpxnow.
    +	 */
    +	$g_openid_api_key = '';
    +
    +	/**
    +	 * The name of the site that is registered with rpxnow.
    +	 */
    +	$g_openid_site_name = '';
    +
    +	/**
    +	 * Indicates whether the rpxnow account advanced options are available.
    +	 */
    +	$g_openid_rpxnow_advanced_account = FALSE;
    +
    +
    +	/**
    +	 * Used to disable the SSL verification if rpxnow ssl certificate is not valid.
    +	 */	
    +	$g_openid_ssl_verification_disabled = FALSE;
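Review bot: `$g_openid_ssl_verification_disabled` at the end of this hunk should not ship as a supported option: with it set to TRUE the HTTPS exchange with rpxnow that returns the authenticated identity is no longer verified, so anyone who can impersonate rpxnow on the network path can assert an arbitrary MantisBT user. Fix certificate problems by installing the right CA bundle; if the flag stays for development, say so in the docblock and log a warning whenever it is honoured. The `$g_openid_api_key` docblock should also state that the key is a secret (never exposed to the client side or committed), since the hunk's own comment explains that the rpxnow account holds the OpenID-to-user-id mapping.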
    --- core.php	Thu Nov 11 22:13:17 2010
    +++ core.php	Thu Nov 11 22:11:48 2010
    @@ -118,6 +118,11 @@
     function __autoload( $className ) {
     	global $g_core_path;
     
    +	# Adjust for non-standard filenames.
    +	if ( $className == 'MantisCoreFormattingPlugin' ) {
    +		$className = 'MantisFormattingPlugin';	
    +	}
    +		
     	$t_require_path = $g_core_path . 'classes' . DIRECTORY_SEPARATOR . $className . '.class.php';
     
     	if ( file_exists( $t_require_path ) ) {
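Review bot: the `MantisCoreFormattingPlugin` -> `MantisFormattingPlugin` rename in `__autoload` has nothing to do with OpenID support and should be split into its own patch with its own explanation; it also adds two whitespace-only lines (`+	` and `+		`) that should be dropped.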
    --- login_page.php	Thu Nov 11 22:13:19 2010
    +++ login_page.php	Thu Nov 11 22:11:48 2010
    @@ -32,6 +32,8 @@
     		print_header_redirect( config_get( 'default_home_page' ) );
     	}
     
    +	$t_core_path = config_get( 'core_path' );
    +
     	$f_error		= gpc_get_bool( 'error' );
     	$f_cookie_error	= gpc_get_bool( 'cookie_error' );
     	$f_return		= string_sanitize_url( gpc_get_string( 'return', '' ) );
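Review bot: `$t_core_path = config_get( 'core_path' );` is assigned here but not used in any of the visible login_page.php hunks; either remove it or show where it is consumed.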
    @@ -57,6 +59,8 @@
     		print_header_redirect( $t_uri );
     		exit;
     	}
    +	
    +	$t_open_id_enabled = MantisOpenId::isEnabled();
     
     	# Login page shouldn't be indexed by search engines
     	html_robots_noindex();
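Review bot: `MantisOpenId::isEnabled()` depends on a class that is not in this patch (presumably `core/classes/MantisOpenId.class.php` from new-files.zip, given the `__autoload` path in the core.php hunk). The class is where the security-relevant logic lives, so please include it in the patch itself so it can be reviewed alongside the call sites.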
    @@ -165,6 +169,15 @@
     	print_signup_link();
     	echo '&nbsp;';
     	print_lost_password_link();
    +	
    +	if ( $t_open_id_enabled ) {
    +		echo '<br /><br /><br />';
    +		echo '<table border="0"><tr>';
    +		echo '<td>', MantisOpenId::getSignInLink( '<img src="images/openid.png" width="50" height="50" border="0" />' ), '</td>';
    +		echo '<td>', MantisOpenId::getSignInLink( lang_get( 'login_using_openid' ) ), '<br /><a href="http://openid.net/get/">', lang_get( 'get_a_new_openid' ), '</a></td>';
    +		echo '</tr></table>';
    +	}
    +	
     	echo '</div>';
     
     	#
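Review bot: the `http://openid.net/get/` link and the `images/openid.png` markup are hardcoded in the page; move the URL into configuration or the language file like the other login-page links, and use https for the external link.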
    @@ -241,6 +254,12 @@
     		}
     
     	} # if 'admin_checks'
    +?>
    +
    +<?php
    +	if ( $t_open_id_enabled ) {
    +		echo MantisOpenId::getLoginScript();
    +	}
     ?>
     
     <!-- Autofocus JS -->
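Review bot: `MantisOpenId::getLoginScript()` emits script into the same page that holds the username/password form. If, as the config hunk suggests, that script is the rpxnow sign-in widget loaded from a third-party host, that host's JavaScript runs in the MantisBT origin and can read the password fields; consider rendering the OpenID sign-in on a separate page, or at least make the emitted block static text with no interpolated request data.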
    --- core/authentication_api.php	Thu Nov 11 22:13:38 2010
    +++ core/authentication_api.php	Fri Nov 12 00:05:05 2010
    @@ -171,14 +171,14 @@
      * true is returned.  If $p_perm_login is true, the long-term
      * cookie is created.
      * @param string $p_username a prepared username
    - * @param string $p_password a prepared password
    + * @param string $p_password a prepared password, or null to bypass password authentication (e.g. open id)
      * @param bool $p_perm_login whether to create a long-term cookie
      * @return bool indicates if authentication was successful
      * @access public
      */
     function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) {
     	$t_user_id = user_get_id_by_name( $p_username );
    -
    +	
     	$t_login_method = config_get( 'login_method' );
     
     	if ( false === $t_user_id ) {
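Review bot: apart from the docblock wording, this hunk only replaces an empty line with a tab-only line (`+	`); drop the whitespace change.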
    @@ -225,8 +225,7 @@
     	# check for anonymous login
     	if( !user_is_anonymous( $t_user_id ) ) {
     		# anonymous login didn't work, so check the password
    -
    -		if( !auth_does_password_match( $t_user_id, $p_password ) ) {
    +		if ( $p_password !== null && !auth_does_password_match( $t_user_id, $p_password ) ) {
     			user_increment_failed_login_count( $t_user_id );
     			return false;
     		}
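Review bot: `if ( $p_password !== null && !auth_does_password_match(...) )` turns a null password into a credential-free login for every caller of `auth_attempt_login`, so any code path that ends up passing null by accident (a default of null on an API or lost-password path, for instance) silently authenticates the user. Keep the password check unconditional here and add a dedicated entry point for the OpenID case (e.g. a function that takes the user id already verified by the OpenID layer and only sets the session/cookies), and have that entry point check that the configured `login_method` and the user's account actually permit OpenID login; the failed-login counter and the anonymous-user check should still apply there.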
    --- core/user_api.php	Thu Nov 11 22:13:50 2010
    +++ core/user_api.php	Thu Nov 11 23:01:49 2010
    @@ -650,6 +650,30 @@
     		return $row['id'];
     	}
     }
    +# --------------------
    +# Get list of user ids with the specified email address.  Only enabled users are returned.
    +# returns false if non found, or associative array with key = user id and value = name.
    +function user_get_id_name_map_by_email( $p_email ) {
    +	$t_user_table = db_get_table( 'mantis_user_table' );
    +
    +	$query = "SELECT id, username
    +				  FROM $t_user_table
    +				  WHERE email=" . db_param() .
    +				  " AND enabled = 1";
    +	$result = db_query_bound( $query, array( $p_email ) );
    +
    +	if( 0 == db_num_rows( $result ) ) {
    +		return false;
    +	} else {
    +		$t_user_ids = array();
    +
    +		while ( $row = db_fetch_array( $result ) ) {
    +			$t_user_ids[(integer)$row['id']] = $row['username'];
    +		}
    +
    +		return $t_user_ids;
    +	}
    +}
     
     # Get a user id from an email address
     function user_get_id_by_email( $p_email ) {
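Review bot: the comment on `user_get_id_name_map_by_email` should read "none found" rather than "non found", and the function's contract (false vs. array) should be stated in a @return line as the rest of the file does; returning an empty array instead of false would also save callers an extra branch.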
    @@ -662,7 +686,8 @@
     
     	$query = "SELECT *
     				  FROM $t_user_table
    -				  WHERE email=" . db_param();
    +				  WHERE email=" . db_param() .
    +				  "ORDER BY access_level DESC";
     	$result = db_query_bound( $query, Array( $p_email ) );
     
     	if( 0 == db_num_rows( $result ) ) {
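Review bot: `db_param() . "ORDER BY access_level DESC"` has no space before ORDER, so the SQL becomes `email=?ORDER BY ...`; the string should start with a space. More importantly, `user_get_id_by_email` is used by existing callers, and changing it to prefer the highest access level means that when several accounts share an email address, any lookup by email now resolves to the most privileged one. If this is meant to map an OpenID-supplied email to an account, that is exactly the wrong default: resolve through the stored OpenID-to-user mapping instead, and never pick an account by email unless the address is unique and was verified.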
    --- lang/strings_english.txt	Thu Nov 11 22:14:21 2010
    +++ lang/strings_english.txt	Thu Nov 11 22:11:48 2010
    @@ -700,6 +700,8 @@
     $s_login_button = 'Login';
     $s_signup_link = 'Signup for a new account';
     $s_lost_password_link = 'Lost your password?';
    +$s_login_using_openid = 'Login using Open ID';
    +$s_get_a_new_openid = 'Get a new Open ID';
     
     # login_select_proj_page.php
     $s_select_project_button = 'Select Project';
    
  • new-files.zip (7,094 bytes) 2010-11-12 02:57

Relationships
  • parent of 0010013 (closed, vboctor): Don't send verification emails for Open Id signups
  • has duplicate 0010012 (closed, grangeway): Revise re-authorization for Open ID

Notes

~0015252

vboctor (administrator)

I am willing to accept and integrate a patch for this. However, I would like to have some requirements put together first. The requirements should be a Wiki page that covers the following:

1. What are the Database Changes (e.g. adding the URI)?
2. How will the login page be affected (e.g. adding an alternative form with just URI)?
3. Signup process? (e.g. support both open id signup / Mantis standard signup).
4. What fields are we going to request access to?
5. Are we going to support mixed Mantis/OpenID authentication? I think we should.
6. Configuration Options (e.g. enable/disable)

and so on. If someone is willing to work on detailing these requirements and providing a patch, the core dev team can integrate it.

Note that there is a PHP library that provides easy implementation of open id authentication.

~0016522

NT (reporter)

Hi

I am prepared to write a Wiki page detailing a draft of the requirements for OpenId authentication, but I am unable to add a page to the Wiki.

I have attached my draft Wiki page to this issue.
Could an administrator add this to the Wiki for me if it is suitable.

Thanks
Nick

~0016523

giallu (developer)

Done.

~0016729

vboctor (administrator)

I've provided some feedback on the requirements wiki page.

~0020528

vboctor (administrator)

I've implemented Open ID support based on https://RpxNow.com. I'll need to handle the re-authentication scenario. However, since this scenario is for managers and above, these users can re-authenticate using their MantisBT password for now. Will track this via a separate issue.

~0027339

atrol (developer)

The issue is not fixed
http://www.mantisbt.org/forums/viewtopic.php?f=2&t=2757
http://sourceforge.net/mailarchive/message.php?msg_name=AANLkTi%3DHLXR%2Bk0j57xPYCFnDO8WdP_YuszNmxZ4b-GyL%40mail.gmail.com

~0027340

atrol (developer)

Uploaded patches of Olivier Sarrat based on version 1.2.3

~0030677

rombert (developer)

I've been looking into the OpenID consumer issue and I believe that the simplest way to implement it would be using LightOpenID ( http://gitorious.org/lightopenid/lightopenid ).

It is a simple, actively maintained library and it makes integration with OpenID providers a breeze. The examples show how to login with Google and generic providers.

~0031015

jacky.alcine (reporter)

Is this available in Mantis 1.2.8? I never noticed (and was craving for) this feature.

~0031020

rombert (developer)

Nope, not available yet.

Issue History
Date Modified Username Field Change
2007-07-25 08:34 ekylin New Issue
2007-07-28 03:05 vboctor Note Added: 0015252
2007-07-28 03:05 vboctor Status new => acknowledged
2007-12-29 16:57 NT Note Added: 0016522
2007-12-29 17:05 NT File Added: requirements.txt
2007-12-30 06:17 giallu Note Added: 0016523
2008-01-20 16:41 vboctor Note Added: 0016729
2009-01-04 00:14 vboctor Summary Hope a feature to support openid? => Add Open ID support
2009-01-04 00:20 vboctor Changeset attached master 4a3e1733 =>
2009-01-04 00:20 vboctor Note Added: 0020528
2009-01-04 00:20 vboctor Status acknowledged => resolved
2009-01-04 00:20 vboctor Fixed in Version => git trunk
2009-01-04 00:20 vboctor Resolution open => fixed
2009-01-04 00:20 vboctor Assigned To => vboctor
2009-01-04 01:09 vboctor Relationship added parent of 0010012
2009-01-04 01:09 vboctor Relationship added parent of 0010013
2009-01-04 01:10 vboctor Category authentication => auth openid
2009-01-05 00:19 vboctor Fixed in Version git trunk => 1.2.0a3
2009-01-15 11:25 jreese Status resolved => closed
2009-01-15 16:00 vboctor Changeset attached master c46882af =>
2010-11-12 02:53 atrol Note Added: 0027339
2010-11-12 02:53 atrol Status closed => feedback
2010-11-12 02:53 atrol Resolution fixed => reopened
2010-11-12 02:54 atrol Product Version => 1.2.3
2010-11-12 02:54 atrol Fixed in Version 1.2.0a3 =>
2010-11-12 02:54 atrol Target Version => 1.2.4
2010-11-12 02:56 atrol File Added: mantisbt_openid_support.patch
2010-11-12 02:57 atrol File Added: new-files.zip
2010-11-12 03:01 atrol Note Added: 0027340
2010-12-14 21:05 jreese Target Version 1.2.4 => 1.2.5
2011-04-05 12:25 jreese Target Version 1.2.5 => 1.2.6
2011-07-26 09:53 jreese Target Version 1.2.6 => 1.2.7
2011-08-22 10:49 jreese Target Version 1.2.7 => 1.2.8
2011-09-06 10:33 jreese Target Version 1.2.8 => 1.2.9
2011-12-23 06:51 rombert Note Added: 0030677
2012-01-24 05:30 jacky.alcine Note Added: 0031015
2012-01-24 17:05 rombert Note Added: 0031020
2012-03-04 09:23 atrol Target Version 1.2.9 => 1.2.10
2012-04-02 02:33 atrol Target Version 1.2.10 => 1.2.11
2012-05-12 14:02 grangeway Relationship replaced has duplicate 0010012
2012-06-06 23:54 jreese Target Version 1.2.11 => 1.2.12
2012-11-10 19:04 dregad Target Version 1.2.12 => 1.2.13
2013-01-22 09:48 dregad Target Version 1.2.13 => 1.2.14
2013-01-29 09:28 dregad Target Version 1.2.14 => 1.2.15
2013-04-12 09:57 dregad Target Version 1.2.15 => 1.2.16
2014-01-23 17:48 atrol Target Version 1.2.16 =>
2014-04-12 18:47 vboctor Assigned To vboctor =>
2014-10-05 19:25 grangeway Category auth openid => authentication