OpenID Fix 0.2.0 with better security
Delegating authentication to a third-party OpenID provider is a good thing as long as you can trust it. But not all OpenID providers can be trusted! For this reason version 0.2.0 comes with an OpenID provider whitelisting feature...
On my (this) website I require new users to validate their e-mails by following the confirmation URLs that are sent to them... This is a popular approach, known to protect sites from spammers.
I also allow signing in using OpenID. For this authentication type I prefer to trust the OpenID providers, most of which use at least the same e-mail confirmation approach. So I simply avoid asking users to confirm their e-mails for yet another website...
But who said that any OpenID provider can be trusted?.. Of course it can be when we speak about, e.g., Google, but not just any OpenID provider! In fact, a dummy OpenID provider could easily be created by spammers (I guess). In that case they would be able to use non-existent e-mails and create any number of user accounts on my website. I was really lucky that they had not done this yet!..
But “luck is what happens when preparation meets opportunity” (Seneca)! Therefore version 0.2.0 makes a “preparation” for preventing this vulnerability from being exploited further. Thus, it implements the OpenID provider white list:
Here you see the URLs of the allowed OpenID providers. Any provider in the list can be temporarily disabled by unchecking the Active link in the provider edit form. New providers can be easily added by clicking the “New OpenID source” link in the contextual top right menu. A provider URL can contain `*`, which stands for a custom part of the URL (some providers put, e.g., the user name there). The plugin comes with a default list of providers, which includes all providers used in the OpenID Selector plugin written by Jorge Barata González (I personally use it too).
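To make the white-list idea concrete, here is an added example of how such a URL white list with `*` placeholders can be matched safely. It is not the plugin's own code and the provider entries in it are constructed; the point it demonstrates is that the OpenID URL should be normalized first and the pattern anchored at both ends, so that `*` stands for one segment (a user name or a subdomain label) and cannot be stretched over an attacker-appended host or path.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed white list (hypothetical entries, not the plugin's shipped defaults).
# Each entry is (URL pattern, active flag); '*' stands for one custom segment
# such as a user name, mirroring the pattern syntax described above.
DEFAULT_PROVIDERS = [
    ("https://www.google.com/accounts/o8/id", True),
    ("https://me.yahoo.com/*", True),
    ("https://*.myopenid.com/", True),
    ("https://*.livejournal.com/", False),  # temporarily disabled in the edit form
]


def normalize_openid_url(url):
    """Return a canonical form of an OpenID identifier URL, or None if it is
    not something a white list should ever accept."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # Credentials in the authority make "alice.myopenid.com@evil.example" look
    # like a trusted host to a naive string matcher; refuse them outright.
    if "@" in parts.netloc or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if parts.port:
        host = f"{host}:{parts.port}"
    # An empty path is equivalent to "/" for OpenID identifiers; drop query
    # and fragment so they cannot be used to smuggle in extra text.
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), host, path, "", ""))


def pattern_to_regex(pattern):
    """Compile a white-list pattern to an anchored regex. '*' matches exactly
    one '/'-free segment, so it can stand for a user name or a subdomain label
    but cannot swallow an appended host or path."""
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^/]+".join(pieces) + "$")


def allowed_provider(claimed_id, providers=DEFAULT_PROVIDERS):
    """Return the active pattern that permits claimed_id, or None if the
    identifier is malformed, matches no pattern, or matches only a
    disabled one."""
    url = normalize_openid_url(claimed_id)
    if url is None:
        return None
    for pattern, active in providers:
        if active and pattern_to_regex(pattern).match(url):
            return pattern
    return None


if __name__ == "__main__":
    for candidate in (
        "https://alice.myopenid.com/",
        "https://Alice.MyOpenID.com",
        "https://alice.myopenid.com.evil.example/",
        "https://alice.myopenid.com@evil.example/",
        "https://bob.livejournal.com/",
        "https://me.yahoo.com/alice/extra",
    ):
        print(f"{candidate!r:50} -> {allowed_provider(candidate)}")
```

Note that a look-alike such as `https://alice.myopenid.com.evil.example/` is rejected even though it starts with the trusted text, and that a pattern on a disabled provider is skipped rather than treated as a match.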
As, in my opinion, it's a severe security issue (it potentially lets anyone bypass the e-mail verification), I decided to turn the OpenID provider verification on by default. This means that some of your users may become unable to sign in if they use some peculiar OpenID provider... Maybe it's not good to set the default value this way, but I could not find any better way to draw your attention to the issue. Sorry!
So, after installing or upgrading this plugin you may need to check and update the OpenID provider white list. Either way, !
If, however, you would like to restore the previous behavior (that of earlier versions of the plugin), i.e., no verification, you can just disable the Verify OpenID URL option in Administration → Plugins → OpenID → Configure. However, ! Consider setting the Self-registration option to “account activation by email” or “manual account activation” if you still want to use no OpenID URL verification.
You can also help collect patterns for OpenID providers by adding your peculiar OpenID source's settings to this forum.