Feature #1717

Open ID authorization support

Added by Andriy Lesyuk almost 13 years ago. Updated almost 13 years ago.

Status: Closed
Priority: Major
Assignee:
Category: -
Start date: 02 May 2011
Due date: 05 Jun 2011
% Done: 100%


Description

Open ID authorization should be added to the site as well as this plugin.

The Open ID authorization should be tested... I have a feeling that, due to the Extended Profile module, Open ID users need to register even when they have succeeded in logging in using Open ID (not confirmed though).


Related issues

Related to Extended Profile - Feature #1778: OpenID support Closed 04 Jun 2011 05 Jun 2011

History

#1 Updated by Andriy Lesyuk almost 13 years ago

Extended Profile plugin now works fine with Open ID!

#2 Updated by Andriy Lesyuk almost 13 years ago

  • Status changed from Open to In Progress
  • % Done changed from 0 to 20

So the result:

When using OpenID, the site redirects to the registration form explaining that important data are missing... Among them: first name, email, etc. So it looks like Google does not return any data...

Here is what is in logs:

Processing AccountController#login (for 93.175.198.211 at 2011-06-04 16:19:11) [POST]
  Parameters: {"openid.mode"=>"id_res", "openid.op_endpoint"=>"https://www.google.com/accounts/o8/ud", "openid.return_to"=>"http://projects.andriylesyuk.com/login?_method=post&open_id_complete=1", "openid.sig"=>"*******", "openid.response_nonce"=>"******", "openid.ns"=>"http://specs.openid.net/auth/2.0", "action"=>"login", "_method"=>"post", "openid.identity"=>"https://www.google.com/accounts/o8/id?id=*******", "openid.assoc_handle"=>"******", "openid.signed"=>"op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle", "controller"=>"account", "open_id_complete"=>"1", "openid.claimed_id"=>"https://www.google.com/accounts/o8/id?id=*******"}
No pre-discovered information supplied
Performing discovery on https://www.google.com/accounts/o8/id?id=*******
WARNING: making https request to https://www.google.com/accounts/o8/id?id=******** without verifying server certificate; no CA path was specified.
Rendering template within layouts/base
Rendering account/register
Completed in 289ms (View: 55, DB: 7) | 200 OK [http://projects.andriylesyuk.com/login?...

As I understand the situation, Redmine requests data from Google but Google does not return anything... Perhaps the OpenID spec changed or Redmine 1.0.x and/or Debian stable are too old.

#4 Updated by Andriy Lesyuk almost 13 years ago

open_id_request:

#<OpenID::Consumer::CheckIDRequest:0xb4ebedf8
  @anonymous=false,
  @endpoint=#<OpenID::OpenIDServiceEndpoint:0xb4ef1654
    @canonical_id=nil,
    @claimed_id=nil,
    @local_id=nil,
    @display_identifier=nil,
    @type_uris=["http://specs.openid.net/auth/2.0/server", "http://openid.net/srv/ax/1.0", ..., "http://specs.openid.net/extensions/pape/1.0"],
    @used_yadis=true,
    @server_url="https://www.google.com/accounts/o8/ud">,
  @return_to_args={},
  @message=#<OpenID::Message:0xb4ebecf4
    @args={
      ["http://openid.net/extensions/sreg/1.1", "required"]=>"nickname,fullname,email",
      ["http://openid.net/srv/ax/1.0", "mode"]=>"fetch_request"},
    @openid_ns_uri="http://specs.openid.net/auth/2.0",
    @namespaces=#<OpenID::NamespaceMap:0xb4ebeca4
      @implicit_namespaces=[],
      @namespace_to_alias={..., "http://openid.net/extensions/sreg/1.1"=>"sreg", "http://openid.net/srv/ax/1.0"=>"ax"},
      @alias_to_namespace={"ax"=>"http://openid.net/srv/ax/1.0", "sreg"=>"http://openid.net/extensions/sreg/1.1", ...}>>,
  @assoc=#<OpenID::Association:0xb4ebf6cc
    @assoc_type="HMAC-SHA1",
    @lifetime=46800,
    @secret="********",
    @issued=1307260585,
    @handle="*********">>

open_id_response:

#<OpenID::Consumer::SuccessResponse:0xb50d9958
  @endpoint=#<OpenID::OpenIDServiceEndpoint:0xb4e5fb78
    @canonical_id=nil,
    @claimed_id="https://www.google.com/accounts/o8/id?id=**************",
    @local_id=nil,
    @display_identifier=nil,
    @type_uris=["http://specs.openid.net/auth/2.0/signon", "http://openid.net/srv/ax/1.0", ..., "http://specs.openid.net/extensions/pape/1.0"],
    @used_yadis=true,
    @server_url="https://www.google.com/accounts/o8/ud">,
  @signed_fields=["openid.op_endpoint", "openid.claimed_id", "openid.identity", "openid.return_to", "openid.response_nonce", "openid.assoc_handle"],
  @identity_url="https://www.google.com/accounts/o8/id?id=**************",
  @message=#<OpenID::Message:0xb4ead134
    @args={
      ["http://specs.openid.net/auth/2.0", "sig"]=>"************",
      ["http://specs.openid.net/auth/2.0", "mode"]=>"id_res",
      [:bare_namespace, "_method"]=>"post",
      ["http://specs.openid.net/auth/2.0", "op_endpoint"]=>"https://www.google.com/accounts/o8/ud",
      ["http://specs.openid.net/auth/2.0", "response_nonce"]=>"************",
      ["http://specs.openid.net/auth/2.0", "assoc_handle"]=>"***************",
      ["http://specs.openid.net/auth/2.0", "return_to"]=>"http://dev.redmine.test/login?_method=post&open_id_complete=1",
      ["http://specs.openid.net/auth/2.0", "identity"]=>"https://www.google.com/accounts/o8/id?id=***********",
      ["http://specs.openid.net/auth/2.0", "signed"]=>"op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
      ["http://specs.openid.net/auth/2.0", "claimed_id"]=>"https://www.google.com/accounts/o8/id?id=***********",
      [:bare_namespace, "open_id_complete"]=>"1"},
    @openid_ns_uri="http://specs.openid.net/auth/2.0",
    @namespaces=#<OpenID::NamespaceMap:0xb4ead0f8
      @implicit_namespaces=[],
      @namespace_to_alias={"http://specs.openid.net/auth/2.0"=>:null_namespace},
      @alias_to_namespace={:null_namespace=>"http://specs.openid.net/auth/2.0"}>>>

#5 Updated by Andriy Lesyuk almost 13 years ago

I think I know what is wrong... Here is the URL to Google:

https://www.google.com/accounts/o8/ud?
  openid.assoc_handle=***********&
  openid.ax.mode=fetch_request&
  openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&
  openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&
  openid.mode=checkid_setup&
  openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&
  openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&
  openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&
  openid.realm=http%3A%2F%2Fdev.redmine.test%2F&
  openid.return_to=http%3A%2F%2Fdev.redmine.test%2Flogin%3F_method%3Dpost%26open_id_complete%3D1&
  openid.sreg.required=nickname%2Cfullname%2Cemail

According to Google there should be openid.ax.required instead of openid.sreg.required...
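Added example (not part of the original issue or of Redmine's code): a Ruby check, standard library only, that reads a checkid_setup URL like the one above and reports which attributes it actually requests through AX and through SREG. ORIGINAL_REQUEST is an abridged copy of the URL above; FIXED_REQUEST, the function name and the finding texts are assumptions made for the illustration.

```ruby
require 'uri'

AX_NS   = 'http://openid.net/srv/ax/1.0'
SREG_NS = 'http://openid.net/extensions/sreg/1.1'

# Report which profile attributes an OpenID 2.0 checkid_setup URL asks for.
def audit_attribute_request(url)
  params = URI.decode_www_form(URI(url).query.to_s).to_h
  # openid.ns.<alias>=<namespace URI> declarations, inverted to URI => alias
  aliases = params.select { |k, _| k.start_with?('openid.ns.') }
                  .to_h { |k, v| [v, k.delete_prefix('openid.ns.')] }
  list = ->(key) { params.fetch(key, '').split(',') }
  report = { ax: [], sreg: [], findings: [] }

  if (sreg = aliases[SREG_NS])
    report[:sreg] = list["openid.#{sreg}.required"] + list["openid.#{sreg}.optional"]
  end
  if (ax = aliases[AX_NS])
    wanted = list["openid.#{ax}.required"] + list["openid.#{ax}.if_available"]
    report[:findings] << 'AX fetch_request names no attributes' if wanted.empty?
    wanted.each do |name|
      type = params["openid.#{ax}.type.#{name}"]
      if type
        report[:ax] << type
      else
        report[:findings] << "AX alias #{name} has no type URI"
      end
    end
  end
  if report[:ax].empty? && report[:sreg].any?
    report[:findings] << 'attributes are requested through SREG only'
  end
  report
end

# Abridged request from comment #5 (extension-related parameters only).
ORIGINAL_REQUEST = 'https://www.google.com/accounts/o8/ud?' + [
  'openid.ax.mode=fetch_request',
  'openid.mode=checkid_setup',
  'openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0',
  'openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0',
  'openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1',
  'openid.sreg.required=nickname%2Cfullname%2Cemail'
].join('&')
# Constructed variant that names one AX attribute.
FIXED_REQUEST = ORIGINAL_REQUEST +
  '&openid.ax.required=email' \
  '&openid.ax.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail'
```

For ORIGINAL_REQUEST the report lists the three SREG fields, no AX attributes and both findings; for FIXED_REQUEST it lists the AX email type URI and no findings.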

#6 Updated by Andriy Lesyuk almost 13 years ago

  • % Done changed from 20 to 50

It works if I change the open_id_authenticate function to the following:

  def open_id_authenticate(openid_url)
    authenticate_with_open_id(openid_url, :required => [:nickname, :fullname, :email,
        'http://axschema.org/namePerson/first', 'http://axschema.org/namePerson/last', 'http://axschema.org/contact/email'
      ], :return_to => signin_url) do |result, identity_url, registration|
      if result.successful?
        logger.info " >>> registration: #{registration.inspect}" # FIXME
        user = User.find_or_initialize_by_identity_url(identity_url)
        if user.new_record?
          # Self-registration off
          redirect_to(home_url) && return unless Setting.self_registration?

          # Create on the fly
          # SREG fields, keyed by short name
          user.login = registration['nickname'] unless registration['nickname'].nil?
          user.mail = registration['email'] unless registration['email'].nil?
          user.firstname, user.lastname = registration['fullname'].split(' ') unless registration['fullname'].nil?

          # AX attributes, keyed by type URI and read with .first; the email doubles as the login
          user.login = registration['http://axschema.org/contact/email'].first unless registration['http://axschema.org/contact/email'].nil?
          user.mail = registration['http://axschema.org/contact/email'].first unless registration['http://axschema.org/contact/email'].nil?
          user.firstname = registration['http://axschema.org/namePerson/first'].first unless registration['http://axschema.org/namePerson/first'].nil?
          user.lastname = registration['http://axschema.org/namePerson/last'].first unless registration['http://axschema.org/namePerson/last'].nil?

          user.random_password
          user.register

          case Setting.self_registration
          when '1'
            register_by_email_activation(user) do
              onthefly_creation_failed(user)
            end
          when '3'
            register_automatically(user) do
              onthefly_creation_failed(user)
            end
          else
            register_manually_by_administrator(user) do
              onthefly_creation_failed(user)
            end
          end          
        else
          # Existing record
          if user.active?
            successful_authentication(user)
          else
            account_pending
          end
        end
      end
    end
  end

But not with the Extended Profile plugin...
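Added example (not part of the original issue, Redmine or the OpenID library): since the function above creates accounts from the returned attributes, this Ruby sketch shows a check that an AX attribute in an id_res response is only used when its fields are listed in openid.signed. The function name, the ext1 alias, the sample values and the choice to require ns.<alias> in the signed list are assumptions of this example; verifying the signature itself is assumed to be done by the OpenID library.

```ruby
require 'uri'

AX_NAMESPACE = 'http://openid.net/srv/ax/1.0'

# Returns { type URI => value } for AX attributes in an id_res query string,
# keeping only attributes whose fields are all listed in openid.signed.
# It checks coverage only; it does not verify the signature.
def signed_ax_attributes(query)
  params = URI.decode_www_form(query).to_h
  signed = params.fetch('openid.signed', '').split(',')
  decl   = params.find { |k, v| k.start_with?('openid.ns.') && v == AX_NAMESPACE }
  return {} unless decl

  ax = decl.first.delete_prefix('openid.ns.')
  return {} unless params["openid.#{ax}.mode"] == 'fetch_response'

  prefix = "openid.#{ax}.type."
  params.each_with_object({}) do |(key, type_uri), out|
    next unless key.start_with?(prefix)

    name   = key.delete_prefix(prefix)
    value  = params["openid.#{ax}.value.#{name}"]
    needed = ["ns.#{ax}", "#{ax}.mode", "#{ax}.type.#{name}", "#{ax}.value.#{name}"]
    out[type_uri] = value if value && (needed - signed).empty?
  end
end

# Constructed samples. BASE_SIGNED mirrors the signed list logged in comment #2.
BASE_SIGNED = 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle'
AX_FIELDS = {
  'openid.ns.ext1' => AX_NAMESPACE,
  'openid.ext1.mode' => 'fetch_response',
  'openid.ext1.type.email' => 'http://axschema.org/contact/email',
  'openid.ext1.value.email' => 'user@example.com'
}.freeze

NO_AX    = URI.encode_www_form('openid.mode' => 'id_res', 'openid.signed' => BASE_SIGNED)
UNSIGNED = URI.encode_www_form(AX_FIELDS.merge('openid.signed' => BASE_SIGNED))
SIGNED   = URI.encode_www_form(AX_FIELDS.merge(
  'openid.signed' => BASE_SIGNED + ',ns.ext1,ext1.mode,ext1.type.email,ext1.value.email'
))
```

NO_AX and UNSIGNED both yield an empty hash; only SIGNED yields the email attribute.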

#7 Updated by Andriy Lesyuk almost 13 years ago

  • Due date set to 05 Jun 2011
  • Status changed from In Progress to Closed
  • % Done changed from 50 to 100

Another issue is that I don’t see any reason for email or manual activation!.. This is needed for new users, I believe... OpenID ones should be “trusted” or not allowed. Besides, email activation does not work correctly with OpenID logins (could not get activated).
