Bugzilla:OpenID Auth Plugin: Difference between revisions
Jump to navigation
Jump to search
(Updated for 0.1.0 release) |
|||
| Line 1: | Line 1: | ||
This page is a specification of how OpenID authentication should work in Bugzilla. | This page is a specification of how OpenID authentication should work in Bugzilla. In OpenID nomenclature, this is about making Bugzilla an OpenID "consumer". | ||
'''[http://openid.net OpenID]''' is a decentralized authentication system which allows web server applications such as Bugzilla (known as "consumers") to authenticate users by URI. Through three different two-way conversations (user to consumer, user to server, consumer to server), the consumer can test a user's ownership of a URI without having to receive a password directly from the user, thus not needing to collect and store passwords. | '''[http://openid.net OpenID]''' is a decentralized authentication system which allows web server applications such as Bugzilla (known as "consumers") to authenticate users by URI. Through three different two-way conversations (user to consumer, user to server, consumer to server), the consumer can test a user's ownership of a URI without having to receive a password directly from the user, thus not needing to collect and store passwords. | ||
== Status == | |||
An initial version 0.1.0 has been submitted to the BZ tracker: | |||
* [https://bugzilla.mozilla.org/attachment.cgi?id=188009 Patch against BZ/CVS from 2005-07-01 (2.19.3+)] | |||
* [https://bugzilla.mozilla.org/attachment.cgi?id=188010 New Bugzilla/Auth/Verify/OpenID.pm module] | |||
* [https://bugzilla.mozilla.org/show_bug.cgi?id=294608#c5 "Release Notes"] | |||
== Open Issues == | == Open Issues == | ||
| Line 10: | Line 18: | ||
** Currently still using email. Might work on using in conjunction with [https://bugzilla.mozilla.org/show_bug.cgi?id=218917 Myk Melez's patch for arbitrary BZ names], but want to get something working first. | ** Currently still using email. Might work on using in conjunction with [https://bugzilla.mozilla.org/show_bug.cgi?id=218917 Myk Melez's patch for arbitrary BZ names], but want to get something working first. | ||
* Should email verification process still occur? | * Should email verification process still occur? | ||
** There doesn't appear to be any way around it, as there's no way to query an OpenID server for an email address. That may mean that [http://lid.netmesh.org/ LID] or FOAF is also needed to make this work in a way that doesn't require an email verification ping-pong | ** There doesn't appear to be any way around it, as there's no way to query an OpenID server for an email address. That may mean that [http://lid.netmesh.org/ LID] or FOAF is also needed to make this work in a way that doesn't require an email verification ping-pong. Current version must be used in tandem with DB. | ||
* Should a confirm hash style verification (ala Mailman or GForge) be created, as opposed to mailing a password to the user | * Should a confirm hash style verification (ala Mailman or GForge) be created, as opposed to mailing a password to the user | ||
** | ** Awaiting fix for [https://bugzilla.mozilla.org/show_bug.cgi?id=87795 Bugzilla Bug 87795 Creating an account should send token and wait for confirmation (prevent user account abuse)] | ||
* How should createaccount.cgi modification be done? | * How should createaccount.cgi modification be done? | ||
** It's tempting to restructure this code, creating a new Bugzilla->create_account($cgi) method, and moving the current code into Bugzilla/Auth/Login/WWW/CGI.pm | ** It's tempting to restructure this code, creating a new Bugzilla->create_account($cgi) method, and moving the current code into Bugzilla/Auth/Login/WWW/CGI.pm . Current version just relies on existing code, pretty much unmodified, so you must sign up for an account using old-fashioned means, and then associate an OpenID in the prefs. | ||
== Other Links == | == Other Links == | ||
Revision as of 05:33, 2 July 2005
This page is a specification of how OpenID authentication should work in Bugzilla. In OpenID nomenclature, this is about making Bugzilla an OpenID "consumer".
OpenID is a decentralized authentication system which allows web server applications such as Bugzilla (known as "consumers") to authenticate users by URI. Through three different two-way conversations (user to consumer, user to server, consumer to server), the consumer can test a user's ownership of a URI without having to receive a password directly from the user, thus not needing to collect and store passwords.
Status
An initial version 0.1.0 has been submitted to the BZ tracker:
- Patch against BZ/CVS from 2005-07-01 (2.19.3+)
- New Bugzilla/Auth/Verify/OpenID.pm module
- "Release Notes"
Open Issues
- Where should the OpenID URI be stored?
- Currently using profiles/extern_id. Long term should probably be its own field, and longer than 64 bytes.
- Should user log in using email or by OpenID?
- Currently still using email. Might work on using in conjunction with Myk Melez's patch for arbitrary BZ names, but want to get something working first.
- Should email verification process still occur?
- There doesn't appear to be any way around it, as there's no way to query an OpenID server for an email address. That may mean that LID or FOAF is also needed to make this work in a way that doesn't require an email verification ping-pong. Current version must be used in tandem with DB.
- Should a confirm hash style verification (ala Mailman or GForge) be created, as opposed to mailing a password to the user
- How should createaccount.cgi modification be done?
- It's tempting to restructure this code, creating a new Bugzilla->create_account($cgi) method, and moving the current code into Bugzilla/Auth/Login/WWW/CGI.pm . Current version just relies on existing code, pretty much unmodified, so you must sign up for an account using old-fashioned means, and then associate an OpenID in the prefs.