Bugzilla:OpenID Auth Plugin

This page is a specification of how OpenID authentication should work in Bugzilla. Work is currently underway on the feature. In OpenID nomenclature, this is about making Bugzilla an OpenID "consumer".

OpenID is a decentralized authentication system which allows web server applications such as Bugzilla (known as "consumers") to authenticate users by URI. Through three different two-way conversations (user to consumer, user to server, consumer to server), the consumer can test a user's ownership of a URI without having to receive a password directly from the user, thus not needing to collect and store passwords.

Open Issues

• Where should the OpenID URI be stored?
  • Currently using profiles/extern_id. Long term should probably be its own field, and longer than 64 bytes.
• Should user log in using email or by OpenID?
  • Currently still using email. Might work on using in conjunction with Myk Melez's patch for arbitrary BZ names, but want to get something working first.
• Should email verification process still occur?
  • There doesn't appear to be any way around it, as there's no way to query an OpenID server for an email address. That may mean that LID or FOAF is also needed to make this work in a way that doesn't require an email verification ping-pong
• Should a confirm hash style verification (ala Mailman or GForge) be created, as opposed to mailing a password to the user
  • I don't relish needing to add this, but I don't see a good way around this
• How should createaccount.cgi modification be done?
  • It's tempting to restructure this code, creating a new Bugzilla->create_account($cgi) method, and moving the current code into Bugzilla/Auth/Login/WWW/CGI.pm

Other Links

• Discussion on developers@bugzilla.org
• Bugzilla ticket for OpenID support
• Taint safety discussion on OpenID dev list