Feature #699

OpenID login

Added by Antonio Tapiador about 6 years ago. Updated about 5 years ago.

Status: Closed
Start date: 2008-02-20
Priority: Normal
Due date:
Assignee: Eric Davis
% Done: 100%
Category: Accounts / authentication
Target version: 0.9.0
Resolution: Fixed

Description

Supporting OpenID login would facilitate User registration, as well as incorporating collaborators to projects.


Related issues

Related to Feature #1237: Add support for one time passwords or two-factor authenti... New 2008-05-14

Associated revisions

Revision 2437
Added by Eric Davis about 5 years ago

Unpacked OpenID gem. #699

Revision 2439
Added by Eric Davis about 5 years ago

Added OpenID tables. #699

Revision 2440
Added by Eric Davis about 5 years ago

Added identity_url to User. #699

Revision 2441
Added by Eric Davis about 5 years ago

Fixed a bug in open_id_authentication, where relative_url_root is defined
on ActionController:AbstractRequest not Base

#699

Revision 2442
Added by Eric Davis about 5 years ago

Added the ability to login via OpenID.

  • Refactored AccountController#login to use either
    password or openid based authentication
  • Extracted AccountController#successful_authentication
    to setup a user's session cookies and redirect
  • Implemented the start of AccountController#open_id_authentication
    which will check with the OpenID server and perform authentication.
  • Added text field for the OpenID url to /login
  • Added identity_url for OpenID to the user forms.
  • Added option to login with OpenID to the register form.
  • Added a root url route, which is used by the OpenID plugin

    #699

Revision 2444
Added by Eric Davis about 5 years ago

Adding OpenID mock and test. #699

Revision 2445
Added by Eric Davis about 5 years ago

Added tests for the other OpenID authentication cases. #699

Revision 2446
Added by Eric Davis about 5 years ago

Added user setup needed based on the system's registration settings

  • Copied the register action's chunk of code used to setup the account
    based on Setting.self_registration
  • Extracted method for when onthefly_creation_failed
  • Added tests to confirm the behavior

    #699

Revision 2447
Added by Eric Davis about 5 years ago

Refactored common methods out of register and open_id_authenticate

  • Extracted register_by_email_activation
  • Extracted register_automatically
  • Extracted register_manually_by_administrator

    #699

Revision 2448
Added by Eric Davis about 5 years ago

Prevent registration via OpenID if self registration is off. #699

Revision 2449
Added by Eric Davis about 5 years ago

Added a system setting for allowing OpenID logins and registrations

  • Defaults to off
  • Is set in the Administration panel under Authentication

    #699

Revision 2450
Added by Eric Davis about 5 years ago

Added a space so words don't runtogeatherlikethis. #699

Revision 2452
Added by Eric Davis about 5 years ago

Fixed the bundled ruby-openid gem

  • The open_id_authentication plugin will require the gem automatically so
    it doesn't need to be added to environment.rb
  • Changed the version requirement on the open_id_authentication to match
    the latest stable version. Rails config.gem looks for a directory named
    after that specific version and will not load newer versions.

    #699

Revision 2453
Added by Eric Davis about 5 years ago

Normalize the identity_url when it's set.

OpenID uses a specific format for the url it uses which requires the protocol
and trailing slash. This change will normalize the value when a user sets it.

#699
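
The normalization described in r2453, sketched as an added example; this is not the code from that revision or from the open_id_authentication plugin. The helper names, the default of `http` for a value typed without a scheme, and the rejection of non-http(s) schemes and embedded credentials are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical helper, not Redmine's code.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the canonical form of a user-entered identity URL, or nil when the
# value cannot be a usable http(s) identifier.
def normalize_identity_url(input)
  value = input.to_s.strip
  return nil if value.empty?

  # Assumption: a value typed without a scheme ("example.org/alice") means http.
  value = "http://#{value}" unless value =~ %r{\A[a-z][a-z0-9+.\-]*://}i

  uri = URI.parse(value)
  scheme = uri.scheme.to_s.downcase
  return nil unless ALLOWED_SCHEMES.include?(scheme)   # rejects ftp://, file://
  return nil if uri.host.nil? || uri.host.empty?
  return nil if uri.userinfo                           # no embedded credentials

  uri.scheme = scheme
  uri.host = uri.host.downcase      # host names compare case-insensitively
  uri.path = '/' if uri.path.empty? # the trailing slash on a bare host
  uri.fragment = nil                # a fragment is not sent to the server
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Two spellings refer to the same account only if their canonical forms match.
def same_identity?(a, b)
  na = normalize_identity_url(a)
  !na.nil? && na == normalize_identity_url(b)
end

# Constructed sample inputs.
if __FILE__ == $PROGRAM_NAME
  ['example.org', 'HTTPS://Example.ORG/alice#top', 'ftp://example.org/'].each do |raw|
    puts "#{raw.inspect} -> #{normalize_identity_url(raw).inspect}"
  end
end
```

Storing and comparing only the canonical form keeps a lookup by identity_url from missing an existing account, or creating a second one, when the same identity is typed in a different spelling.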

Revision 2454
Added by Jean-Philippe Lang about 5 years ago

Hide openid stuff on my account if disabled (#699).

Revision 2455
Added by Jean-Philippe Lang about 5 years ago

Adds missing strings (#699).

History

#1 Updated by Michael Pirogov about 6 years ago

Read here and here

But I'm voting for it too :)

#2 Updated by Antonio Tapiador about 6 years ago

Is there any interest in a path?
I could send it

#3 Updated by Antonio Tapiador about 6 years ago

.. a patch!

#4 Updated by Stephanie Collett almost 6 years ago

Is there any more traction on this? We would like this functionality as well, but would rather not break away from the codebase.

#5 Updated by Thomas Lecavelier almost 6 years ago

Antonio, you should post your patch in the patch tracker: it should interest many people.

#6 Updated by Antenore Gatta almost 6 years ago

I would like also to have OpenID functionality, are there any chances it will be implemented?

Thanks a lot

BR
Antenore.

#7 Updated by Otto Hilska almost 6 years ago

I'm also voting for this feature.

#8 Updated by Jan Ivar Beddari almost 6 years ago

Another vote from me. I come from an enterprise environment where OpenID could solve SSO for our internal network/intranet in one swoop, using openid-ldap on top of our existing Active Directory. This will be a lot easier to handle in the long run than integrating each and every app through apache+kerberos or ldaps.

#9 Updated by Eric Davis over 5 years ago

  • Status changed from New to 7
  • Assignee set to Eric Davis

I'd like to add OpenID login and registrations in Redmine. I get several collaborators on my projects and it would make things a lot easier if they could use OpenID to sign up. I'm hoping to get this into 0.8 but I'm not promising anything yet.

#10 Updated by Eric Davis about 5 years ago

  • Status changed from 7 to Resolved
  • Target version set to 0.9.0
  • % Done changed from 0 to 100
  • Resolution set to Fixed

I've added OpenID support to Redmine. It's optional and by default is turned off. To turn it on, go to the Administration panel > Authentication and select the OpenID checkbox. When enabled this will allow users to login through their OpenID url.

New user registration

If a new user account tries to log in with their OpenID, the system will create a user for them and then process the account like normal (e.g. needs administrator approval or needs email confirmation).

Existing users

Existing users can edit their account ('/my/account') and add their OpenID to the identity_url field. Then they will be able to login using OpenID.

Sponsor

I'd like to thank Reiner Jung of Keyboard Monkeys for sponsoring this feature. Without him, it would have been a while before I was able to work on it.

Technical information

  • I did some refactoring to AccountController in order to reduce the duplication.
  • The openid rubygem is included in vendor/gems
  • The open_id_authentication plugin is included in vendor/plugins
  • We might want to refactor OpenID to act like an AuthSource later. Right now AuthSources are assumed to be LDAP and since I don't have an LDAP server to test with I didn't go that route and potentially break LDAP logins.

Commits

Includes commits from r2437 to r2449

#11 Updated by Go MAEDA about 5 years ago

Eric Davis, thanks for your great work.
But it seems that openid rubygem in vendor/gems is not used. I saw the following error while migrating database. It was resolved after I installed ruby-openid.

$ rake db:migrate
(in /Users/maeda/NetBeansProjects/redmine)
Missing these required gems:
  ruby-openid  >= 2.0.4

You're running:
  ruby 1.8.7.5000 at /usr/local/bin/ruby
  rubygems 1.3.1 at /Users/maeda/.gem/ruby/1.8, /usr/local/lib/ruby/gems/1.8

Run `rake gems:install` to install the missing gems.

My environment:

$ ruby -v
ruby 1.8.7 (2008-11-15 revision 0) [i386-darwin9.5.1]

$ gem list rails

*** LOCAL GEMS ***

rails (2.2.2, 2.1.2, 2.1.1, 2.1.0)

$ svn info
Path: .
URL: http://redmine.rubyforge.org/svn/trunk
Repository Root: http://redmine.rubyforge.org/svn
Repository UUID: e93f8b46-1217-0410-a6f0-8f06a7374b81
Revision: 2450
Node Kind: directory
Schedule: normal
Last Changed Author: edavis10
Last Changed Rev: 2450
Last Changed Date: 2009-02-12 04:45:53 +0900 (木, 12  2 2009)

#12 Updated by Eric Davis about 5 years ago

Go MAEDA wrote:

> Eric Davis, thanks for your great work.
> But it seems that openid rubygem in vendor/gems is not used. I saw the following error while migrating database. It was resolved after I installed ruby-openid.

Thanks, can you retry it with r2452? The open_id plugin was trying to load an older version of the gem which wasn't in vendor. I ended up changing the plugin so it used the bundled gem.

#13 Updated by Go MAEDA about 5 years ago

Eric Davis wrote:

> Thanks, can you retry it with r2452? The open_id plugin was trying to load an older version of the gem which wasn't in vendor. I ended up changing the plugin so it used the bundled gem.

r2452 works fine. Thanks!

#14 Updated by Jean-Philippe Lang about 5 years ago

I'm pretty sad to see that this feature got integrated into the core.
IMHO, it's a marginal feature. Adding dependencies and bundling gems in vendor/plugins doesn't make the application easier to maintain.

That's exactly the kind of thing that I'd like to see implemented as a plugin. Eric, you did a great job on plugins, why didn't you give it a try? Having a pluggable authentication would be a much better solution.

#15 Updated by Kevin Menard about 5 years ago

For what it's worth, I'm happy to see it in core. While not a Redmine developer, as a user it's great to have this out of the box. One of the problems I've been running into is that people just don't want to create yet another account on some random Web site (i.e., mine). I actually had a partner on an open source project opt to go with Lighthouse and Google groups because of the hurdle in creating yet another account on yet another site.

That's not to say that it couldn't work as a plugin, but I don't want to have to spend an inordinate amount of time to make the system usable. I also suspect this would get used more than the LDAP integration would by the general populace.

#16 Updated by Eric Davis about 5 years ago

Jean-Philippe Lang wrote:

> I'm pretty sad to see that this feature got integrated into the core.
> IMHO, it's a marginal feature. Adding dependencies and bundling gems in vendor/plugins doesn't make the application easier to maintain.

I'm sorry you feel that way. I've spoken to numerous people on IRC and in real life and every one of them agreed that it would be a great feature for the core. Lowering the barrier to entry for new users makes the system as a whole easier to get started with.

> That's exactly the kind of thing that I'd like to see implemented as a plugin. Eric, you did a great job on plugins, why didn't you give it a try? Having a pluggable authentication would be a much better solution.

Frankly, the authentication code is all over the place and it wouldn't be possible to have a pluggable authentication without replacing a ton of core code (thus the risk of large breaking bugs). While putting OpenID in, I managed to clean up some of the code but it's still pretty messy in there. I'd be happy to pull OpenID out to a plugin once the core can support it as a plugin. I'd propose we revisit pulling OpenID (and other features you've mentioned) out to plugins once the core has a stronger API to support them.

Kevin Menard wrote:

> That's not to say that it couldn't work as a plugin, but I don't want to have to spend an inordinate amount of time to make the system usable. I also suspect this would get used more than the LDAP integration would by the general populace.

I've seen the same, OpenID is used more often in the public than LDAP (but LDAP is used more often on private intranets).

#17 Updated by Eric Davis about 5 years ago

  • Status changed from Resolved to Closed

Closing as fixed. This requires database changes so it's 0.9 only and doesn't need to be merged into 0.8.x.
