Feature #1717
Open ID authorization support
100%
Description
Open ID authorization should be added to the site as well as this plugin.
The Open ID authorization should be tested... I have a feeling like due to the Extended Profile module Open ID users need to register even when they succeeded to login using Open ID (not confirmed though).
Related issues
History
#1 Updated by Andriy Lesyuk over 13 years ago
Extended Profile plugin now works fine with Open ID!
#2 Updated by Andriy Lesyuk over 13 years ago
- Status changed from Open to In Progress
- % Done changed from 0 to 20
So the result:
When using OpenID the site redirects to registration form explaining that important data are missing... Among them - first name, email etc. So looks like Google does not return any data...
Here is what is in logs:
Processing AccountController#login (for 93.175.198.211 at 2011-06-04 16:19:11) [POST]
  Parameters: {"openid.mode"=>"id_res", "openid.op_endpoint"=>"https://www.google.com/accounts/o8/ud", "openid.return_to"=>"http://projects.andriylesyuk.com/login?_method=post&open_id_complete=1", "openid.sig"=>"*******", "openid.response_nonce"=>"******", "openid.ns"=>"http://specs.openid.net/auth/2.0", "action"=>"login", "_method"=>"post", "openid.identity"=>"https://www.google.com/accounts/o8/id?id=*******", "openid.assoc_handle"=>"******", "openid.signed"=>"op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle", "controller"=>"account", "open_id_complete"=>"1", "openid.claimed_id"=>"https://www.google.com/accounts/o8/id?id=*******"}
No pre-discovered information supplied
Performing discovery on https://www.google.com/accounts/o8/id?id=*******
WARNING: making https request to https://www.google.com/accounts/o8/id?id=******** without verifying server certificate; no CA path was specified.
Rendering template within layouts/base
Rendering account/register
Completed in 289ms (View: 55, DB: 7) | 200 OK [http://projects.andriylesyuk.com/login?...
As I understand the situation - Redmine requests data from Google but Google does not return anything... Perhaps OpenID spec changed or Redmine 1.0.x and/or Debian stable are too old.
#3 Updated by Andriy Lesyuk over 13 years ago
#4 Updated by Andriy Lesyuk over 13 years ago
open_id_request:
#<OpenID::Consumer::CheckIDRequest:0xb4ebedf8 @anonymous=false, @endpoint=#<OpenID::OpenIDServiceEndpoint:0xb4ef1654 @canonical_id=nil, @claimed_id=nil, @local_id=nil, @display_identifier=nil, @type_uris=["http://specs.openid.net/auth/2.0/server", "http://openid.net/srv/ax/1.0", ..., "http://specs.openid.net/extensions/pape/1.0"], @used_yadis=true, @server_url="https://www.google.com/accounts/o8/ud">, @return_to_args={}, @message=#<OpenID::Message:0xb4ebecf4 @args={ ["http://openid.net/extensions/sreg/1.1", "required"]=>"nickname,fullname,email", ["http://openid.net/srv/ax/1.0", "mode"]=>"fetch_request"}, @openid_ns_uri="http://specs.openid.net/auth/2.0", @namespaces=#<OpenID::NamespaceMap:0xb4ebeca4 @implicit_namespaces=[], @namespace_to_alias={..., "http://openid.net/extensions/sreg/1.1"=>"sreg", "http://openid.net/srv/ax/1.0"=>"ax"}, @alias_to_namespace={"ax"=>"http://openid.net/srv/ax/1.0", "sreg"=>"http://openid.net/extensions/sreg/1.1", ...}>>, @assoc=#<OpenID::Association:0xb4ebf6cc @assoc_type="HMAC-SHA1", @lifetime=46800, @secret="********", @issued=1307260585, @handle="*********">>
open_id_response:
#<OpenID::Consumer::SuccessResponse:0xb50d9958 @endpoint=#<OpenID::OpenIDServiceEndpoint:0xb4e5fb78 @canonical_id=nil, @claimed_id="https://www.google.com/accounts/o8/id?id=**************", @local_id=nil, @display_identifier=nil, @type_uris=["http://specs.openid.net/auth/2.0/signon", "http://openid.net/srv/ax/1.0", ..., "http://specs.openid.net/extensions/pape/1.0"], @used_yadis=true, @server_url="https://www.google.com/accounts/o8/ud">, @signed_fields=["openid.op_endpoint", "openid.claimed_id", "openid.identity", "openid.return_to", "openid.response_nonce", "openid.assoc_handle"], @identity_url="https://www.google.com/accounts/o8/id?id=**************", @message=#<OpenID::Message:0xb4ead134 @args={ ["http://specs.openid.net/auth/2.0", "sig"]=>"************", ["http://specs.openid.net/auth/2.0", "mode"]=>"id_res", [:bare_namespace, "_method"]=>"post", ["http://specs.openid.net/auth/2.0", "op_endpoint"]=>"https://www.google.com/accounts/o8/ud", ["http://specs.openid.net/auth/2.0", "response_nonce"]=>"************", ["http://specs.openid.net/auth/2.0", "assoc_handle"]=>"***************", ["http://specs.openid.net/auth/2.0", "return_to"]=>"http://dev.redmine.test/login?_method=post&open_id_complete=1", ["http://specs.openid.net/auth/2.0", "identity"]=>"https://www.google.com/accounts/o8/id?id=***********", ["http://specs.openid.net/auth/2.0", "signed"]=>"op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle", ["http://specs.openid.net/auth/2.0", "claimed_id"]=>"https://www.google.com/accounts/o8/id?id=***********", [:bare_namespace, "open_id_complete"]=>"1"}, @openid_ns_uri="http://specs.openid.net/auth/2.0", @namespaces=#<OpenID::NamespaceMap:0xb4ead0f8 @implicit_namespaces=[], @namespace_to_alias={"http://specs.openid.net/auth/2.0"=>:null_namespace}, @alias_to_namespace={:null_namespace=>"http://specs.openid.net/auth/2.0"}>>>
#5 Updated by Andriy Lesyuk over 13 years ago
I think I know what is wrong... Here is URL to Google:
https://www.google.com/accounts/o8/ud?
openid.assoc_handle=***********&
openid.ax.mode=fetch_request&
openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&
openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&
openid.mode=checkid_setup&
openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&
openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&
openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&
openid.realm=http%3A%2F%2Fdev.redmine.test%2F&
openid.return_to=http%3A%2F%2Fdev.redmine.test%2Flogin%3F_method%3Dpost%26open_id_complete%3D1&
openid.sreg.required=nickname%2Cfullname%2Cemail
According to Google, there should be openid.ax.required instead of openid.sreg.required
...
#6 Updated by Andriy Lesyuk over 13 years ago
- % Done changed from 20 to 50
It works if I change the open_id_authenticate function to the following:
def open_id_authenticate(openid_url)
  # Request the SReg fields plus the AX attribute type URIs
  authenticate_with_open_id(openid_url, :required => [:nickname, :fullname, :email,
    'http://axschema.org/namePerson/first', 'http://axschema.org/namePerson/last', 'http://axschema.org/contact/email'
  ], :return_to => signin_url) do |result, identity_url, registration|
    if result.successful?
      logger.info " >>> registration: #{registration.inspect}" # FIXME
      user = User.find_or_initialize_by_identity_url(identity_url)
      if user.new_record?
        # Self-registration off
        redirect_to(home_url) && return unless Setting.self_registration?
        # Create on the fly
        # SReg fields (plain strings)
        user.login = registration['nickname'] unless registration['nickname'].nil?
        user.mail = registration['email'] unless registration['email'].nil?
        user.firstname, user.lastname = registration['fullname'].split(' ') unless registration['fullname'].nil?
        # AX attributes (keyed by type URI, first value taken)
        user.login = registration['http://axschema.org/contact/email'].first unless registration['http://axschema.org/contact/email'].nil?
        user.mail = registration['http://axschema.org/contact/email'].first unless registration['http://axschema.org/contact/email'].nil?
        user.firstname = registration['http://axschema.org/namePerson/first'].first unless registration['http://axschema.org/namePerson/first'].nil?
        user.lastname = registration['http://axschema.org/namePerson/last'].first unless registration['http://axschema.org/namePerson/last'].nil?
        user.random_password
        user.register
        case Setting.self_registration
        when '1'
          register_by_email_activation(user) do
            onthefly_creation_failed(user)
          end
        when '3'
          register_automatically(user) do
            onthefly_creation_failed(user)
          end
        else
          register_manually_by_administrator(user) do
            onthefly_creation_failed(user)
          end
        end
      else
        # Existing record
        if user.active?
          successful_authentication(user)
        else
          account_pending
        end
      end
    end
  end
end
But not with the Extended Profile plugin...
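An added example, not part of the original issue or of Redmine's code: the AX request parameters that replace openid.sreg.required, and a relying-party check that accepts only AX values covered by openid.signed before they are used to pre-fill a new account. The helper names, the "ext1" alias and the sample response are constructed for illustration, and the signature over the signed fields is assumed to have been verified by the OpenID library already.

```ruby
AX_NS = 'http://openid.net/srv/ax/1.0'

# Type URIs from the patched open_id_authenticate; the aliases are arbitrary.
AX_TYPES = {
  'email'     => 'http://axschema.org/contact/email',
  'firstname' => 'http://axschema.org/namePerson/first',
  'lastname'  => 'http://axschema.org/namePerson/last'
}.freeze

# Builds the AX part of a checkid_setup request (openid.ax.required).
def ax_fetch_request_params(types = AX_TYPES)
  params = {
    'openid.ns.ax'       => AX_NS,
    'openid.ax.mode'     => 'fetch_request',
    'openid.ax.required' => types.keys.join(',')
  }
  types.each { |name, uri| params["openid.ax.type.#{name}"] = uri }
  params
end

# Returns { type_uri => value } for single-valued AX attributes of an id_res
# response, keeping only attributes whose type and value fields are both
# listed in openid.signed. Signature verification itself is assumed done.
def signed_ax_attributes(response)
  signed = response.fetch('openid.signed', '').split(',')
  # The provider chooses its own alias for the AX namespace (here "ext1").
  ns_key = response.keys.find { |k| k.start_with?('openid.ns.') && response[k] == AX_NS }
  ax = ns_key && ns_key.sub('openid.ns.', '')
  return {} unless ax && signed.include?("ns.#{ax}")
  prefix = "openid.#{ax}.type."
  response.each_with_object({}) do |(key, uri), attrs|
    next unless key.start_with?(prefix)
    name = key[prefix.length..-1]
    fields = ["#{ax}.type.#{name}", "#{ax}.value.#{name}"]
    next unless fields.all? { |f| signed.include?(f) }
    attrs[uri] = response["openid.#{ax}.value.#{name}"]
  end
end

# Constructed sample: email is signed, firstname is present but not signed.
SAMPLE_RESPONSE = {
  'openid.ns.ext1' => AX_NS, 'openid.ext1.mode' => 'fetch_response',
  'openid.ext1.type.email' => 'http://axschema.org/contact/email',
  'openid.ext1.value.email' => 'user@example.com',
  'openid.ext1.type.firstname' => 'http://axschema.org/namePerson/first',
  'openid.ext1.value.firstname' => 'Injected',
  'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,' \
                     'assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email'
}.freeze
```

A response like the one logged in update #2, whose openid.signed list carries no AX fields at all, yields an empty hash, which matches the redirect to the registration form.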
#7 Updated by Andriy Lesyuk over 13 years ago
- Due date set to 05 Jun 2011
- Status changed from In Progress to Closed
- % Done changed from 50 to 100
Another issue is that I don’t see any reason for email or manual activation!.. This is needed for new users, I believe... OpenID ones should be “trusted” or not allowed. Besides, email activation does not work correctly with OpenID logins (could not get activated).