Bugzilla:OpenID Auth Plugin

This page is a specification of how OpenID authentication should work in Bugzilla. Work is currently underway on the feature. In OpenID nomenclature, this is about making Bugzilla an OpenID "consumer".

OpenID is a decentralized authentication system which allows web server applications such as Bugzilla (known as "consumers") to authenticate users by URI. Through three different two-way conversations (user to consumer, user to server, consumer to server), the consumer can test a user's ownership of a URI without having to receive a password directly from the user, thus not needing to collect and store passwords.

Open Issues

• Where should the OpenID URI be stored?
  • Currently using profiles/extern_id. Long term should probably be its own field, and longer than 64 bytes.
• Should user log in using email or by OpenID
  • Currently still using email. Might work on using in conjunction with Myk Melez's patch for arbitrary BZ names, but want to get something working first.
• Should email verification process still occur
  • There doesn't appear to be any way around it, as there's no way to query an OpenID server for an email address.

Other Links

• Discussion on developers@bugzilla.org
• Bugzilla ticket for OpenID support
• Taint safety discussion on OpenID dev list