Bugzilla:OpenID Auth Plugin: Difference between revisions

Latest revision as of 18:47, 30 March 2013

This page is a specification of how OpenID authentication should work in Bugzilla. In OpenID nomenclature, this is about making Bugzilla an OpenID "consumer".

OpenID is a decentralized authentication system which allows web server applications such as Bugzilla (known as "consumers") to authenticate users by URI. Through three different two-way conversations (user to consumer, user to server, consumer to server), the consumer can test a user's ownership of a URI without having to receive a password directly from the user, thus not needing to collect and store passwords.

Status

Jacky Alcine has written a Bugzilla OpenID plugin available on GitHub.

@@ Line 5: / Line 5: @@
 == Status ==
-Version 0.1.1 has been submitted to the BZ tracker:
+Jacky Alcine has written a [https://github.com/jalcine/bugzilla-openid Bugzilla OpenID plugin available on GitHub].
-* [https://bugzilla.mozilla.org/attachment.cgi?id=188469 Patch against BZ/CVS from 2005-07-06 (2.19.3+)]
-* [https://bugzilla.mozilla.org/attachment.cgi?id=188010 New Bugzilla/Auth/Verify/OpenID.pm module]
-* [https://bugzilla.mozilla.org/show_bug.cgi?id=294608#c5 "Release Notes"]
-== Open Issues ==
-*  Where should the OpenID URI be stored?
-** Currently using profiles/extern_id.  Long term should probably be its own field, and longer than 64 bytes.
-*  Should user log in using email or by OpenID?
-** Currently still using email.  Might work on using in conjunction with [https://bugzilla.mozilla.org/show_bug.cgi?id=218917 Myk Melez's patch for arbitrary BZ names], but want to get something working first.
-*  Should email verification process still occur?
-** There doesn't appear to be any way around it, as there's no way to query an OpenID server for an email address.  That may mean that [http://lid.netmesh.org/ LID] or FOAF is also needed to make this work in a way that doesn't require an email verification ping-pong.  Current version must be used in tandem with DB.
-*  Should a confirm hash style verification (ala Mailman or GForge) be created, as opposed to mailing a password to the user
-**  Awaiting fix for [https://bugzilla.mozilla.org/show_bug.cgi?id=87795 Bugzilla Bug 87795 Creating an account should send token and wait for confirmation (prevent user account abuse)]
-*  How should createaccount.cgi modification be done?
-**  It's tempting to restructure this code, creating a new Bugzilla->create_account($cgi) method, and moving the current code into Bugzilla/Auth/Login/WWW/CGI.pm .  Current version just relies on existing code, pretty much unmodified, so you must sign up for an account using old-fashioned means, and then associate an OpenID in the prefs.
-* OpenID::Consumer library v0.11 (perl) fails taint check
-** [http://lists.danga.com/pipermail/yadis/2005-June/thread.html#951 Taint safety discussion on OpenID dev list]
-* Cookie expiration
-** Current implementation is almost certainly wrong (indefinite length cookies).
 == Other Links ==
 * [http://comments.gmane.org/gmane.comp.bug-tracking.bugzilla.devel/4695 2005-06-27 - Initial exploratory discussion on developers@bugzilla.org]
-* [https://bugzilla.mozilla.org/show_bug.cgi?id=294608 Bugzilla ticket for OpenID support]
+* [https://bugzilla.mozilla.org/show_bug.cgi?id=294608 Bug 294608 - "Support OpenID as a an account source and login verification method"]
 * [http://comments.gmane.org/gmane.comp.bug-tracking.bugzilla.devel/4706 2005-07-01 - Design discussion on developers@bugzilla.org]
+[[category:Bugzilla|OpenID Auth Plugin]]

Bugzilla:OpenID Auth Plugin: Difference between revisions

Latest revision as of 18:47, 30 March 2013

Status

Other Links

Navigation menu

Search