Redmine OpenID Fix

Download OpenID Fix 0.1.0

First, I would like to thank Rostislav, who drew my attention to a possible serious vulnerability in the OpenID Fix plugin (see #2045). The fix for this issue comes with 0.1.0.

In fact, before Rostislav reported the issue I had discussions with a few other users on, for example, why don’t I allow activation by email for OpenID registration. All these questions (including the Rostislav’s issue) made me revise the behavior of the plugin and, therefore, as a solution, this release comes with the plugin’s configuration, which contains just one setting:

This setting allows to override the self-registration configuration for OpenID users. To use the default system setting (which can be found in Administration → Settings → Authentication) select "(No change)" here.

By default the OpenID Fix plugin preserves the old behavior, that is, uses the manual activation, if it is selected in Redmine settings, and the automatic activation otherwise. So you should not worry, that the behavior will change on the plugin’s update.

In addition to the above things this release comes with a long-waited support for Redmine 1.4.x, 2.0.x, 2.1.x and 2.2.x (yeah, it was a long time I did not update the plugin).

Also taking the opportunity, I want to draw your attention to the feature, which can come with one of next releases – see #2113. It’s about restricting access to OpenID providers, that is, about controlling, which OpenID providers are allowed to be used by your users for logging in. Please share your thoughts on it!

Generally, you have, perhaps, noticed, that my work on my Redmine plugins has slowed down dramatically recently. The reason for the slow-down was my work on another project for Redmine – I was working on the "Mastering Redmine" book, which was just published and which can be bought now using this link. Now I got back to work on the plugins!

Also reminding you, that you can be among the first, who will know about major events on the OpenID Fix project, by subscribing to it using the subscription form on the sidebar.

Having created this plugin I thought that I would perhaps never update it... It’s too small and too complete! But thanks to Bynn Ies who have found a bug (#1966) in this plugin you can now download its new version.

The previous version of the plugin supported only automatic activation i.e. anyone who was able to login into OpenID provider was about to get access to Redmine. While usually it’s not a problem some administrators may need to control who is having access...

Redmine supports three options of new account activation: a) automatic (was the only one supported by this plugin before), b) manual (support for which has been added) and c) email activation. Only email activation is not supported by this plugin and is not planned to be supported as I assume that you trust OpenID providers enough not to validate user emails provided by them. But if you believe that support for email activation still needs to be added please file a bug report and explain why do you think so.

As I usually recently do in news... I suggest you to subscribe to this project using the form on the sidebar. This form is added by my Redmine Subscription plugin which is going to be released soon...

A fix of OpenID authentication in Redmine and ChiliProject was earlier available as a feature of the Redmine Extended Profile plugin. Now when the Redmine Extended Profile plugin has been divided into two plugins (the Redmine Extended Fields and the Redmine Extended Profile) the fix has been moved to the separate plugin!