OpenID issues, limiting source of OpenID server & altogether not working 100%

Added by Seaders O'Loinsigh over 13 years ago

So I'm part of a college society and we've got loadsa services that up until now had individual logins, which is obviously a PITA. I looked into a few solutions and OpenID was my preference and seeing that you guys were compatible with it was a huge bonus too.

Problem is because it's a college society, we can't actually allow all OpenID signings, only our own, from our CommunityID server, which we register users on. With the MediaWiki installation we've got, they're utilising the PHP library of JanRain's OpenID with a few things on top, one of which is $wgOpenIDConsumerAllow in their setup file, OpenID.Setup.php. That gives you the option of putting in an array of regular expressions which specify which OpenID server sign ins are allowed.

Thus far, I've been trying to do the same with Redmine and / or ruby-openid, but I'm totally at a loss. I'm not massively experienced with Ruby and the documentation for this isn't the best. Most of the OpenID docs don't have anything to do with what I actually want, they're all about sign in from anywhere, which isn't what we need.

The other issue that I've got is that sometimes, it just plain doesn't work. If I've a user on our OpenID server, and try to login to my Redmine install with it, sometimes just nothing will happen. Sometimes it works perfectly, sometimes you just get bumped back to the sign in page, without any error in the browser, nor the server.

I've seen this come up a few times in this forum and in 'Issues', but I don't think any had a clear answer as to what was exactly going wrong, so if anyone can help me with that too, I'd greatly appreciate it.

It's a Debian machine, with ruby 1.8.7, rails-2.3.5, ruby-openid-2.1.8, and Redmine is set up to run with fcgi and Apache. Everything else about the configuration and setup has run smoothly, but these are two major issues that would mean that we couldn't use Redmine, which I really don't want.

If any more info is needed, I'll gladly provide it, thanks


Replies (1)

RE: OpenID issues, limiting source of OpenID server & altogether not working 100% - Added by Seaders O'Loinsigh over 13 years ago

So I started poking 'round and got this all done myself, mainly through edits to 'account_controller.rb'.

I made a few superficial edits to login.rhtml and register.rhtml, to stop showing the username and password form by wrapping them in a '<% if not Setting.openid? %>' tag. Here's where the main part was done, though,

    def open_id_authenticate(openid_username)
      # Build the identity URL on our own OpenID server from the bare username.
      # openid_url is nil when no username was supplied.
      if not openid_username.nil?
        openid_url = '<MY OPENID SERVER>' + openid_username
      end

      authenticate_with_open_id(openid_url, :required => [:nickname, :fullname, :email], :return_to => signin_url) do |result, identity_url, registration|
        if result.successful?
          user = User.find_or_initialize_by_identity_url(identity_url)
          if user.new_record?
            # Create the account on the fly from the registration data
            user.login = registration['nickname'] unless registration['nickname'].nil?
            user.mail = registration['email'] unless registration['email'].nil?
            user.firstname, user.lastname = registration['fullname'].split(' ') unless registration['fullname'].nil?
            user.random_password
            user.register
            register_automatically(user) do
              onthefly_creation_failed(user)
            end
            # We are registering with openid registration only, so this is not needed.
            # case Setting.self_registration
            # when '1'
            #   register_by_email_activation(user) do
            #     onthefly_creation_failed(user)
            #   end
            # when '3'
            #   register_automatically(user) do
            #     onthefly_creation_failed(user)
            #   end
            # else
            #   register_manually_by_administrator(user) do
            #     onthefly_creation_failed(user)
            #   end
            # end
          else
            # Existing record
            if user.active?
              successful_authentication(user)
            else
              account_pending
            end
          end
        end
      end
    end

I also threw in 'invalid_credentials' to password_authentication there, to ensure that can't come in at all. So now registration is disabled, but you can login and automatically get registered, but only if you're coming from our OpenID server. Working perfect now!
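The first post asks for an equivalent of MediaWiki's $wgOpenIDConsumerAllow, a list of patterns the OpenID identifier must match. The following is an added example, not part of the original posts and not Redmine's or ruby-openid's own code: an anchored allowlist check that could be applied to the `identity_url` the controller receives. The host `openid.example.org`, the `/identity/` path, and all method and constant names are assumptions.

```ruby
require 'uri'

# Constructed allowlist in the style of MediaWiki's $wgOpenIDConsumerAllow.
# openid.example.org and the /identity/ path are placeholders (assumptions).
ALLOWED_IDENTITY_PATTERNS = [
  %r{\Ahttps://openid\.example\.org/identity/[a-z0-9_.-]+\z}
].freeze

# An unanchored pattern, kept only to show why anchoring matters.
UNANCHORED_PATTERN = /openid\.example\.org/

# Canonicalise the URL so host case and an explicit default port do not
# affect matching. Returns nil for anything that is not plain http(s).
def normalize_identity_url(url)
  uri = URI.parse(url.to_s.strip)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  return nil if uri.userinfo || uri.query || uri.fragment
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}"
rescue URI::InvalidURIError
  nil
end

# True only when the whole normalised identifier matches an allowed pattern.
def allowed_identity_url?(url, patterns = ALLOWED_IDENTITY_PATTERNS)
  normalized = normalize_identity_url(url)
  return false if normalized.nil?
  patterns.any? { |re| !(normalized =~ re).nil? }
end

# Constructed sample identifiers.
SAMPLES = [
  'https://openid.example.org/identity/seaders',
  'https://OpenID.Example.org:443/identity/seaders',
  'https://openid.example.org.other.test/identity/seaders',
  'http://openid.example.org/identity/seaders'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |id|
    puts "#{allowed_identity_url?(id) ? 'allow' : 'deny '}  #{id}"
  end
end
```

In a controller like the one above, the check would sit directly after `result.successful?`, with a rejected identifier handled the same way as `invalid_credentials`.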
