I thought that since I had done "something" with this previously, i'd open up some discussion as to tools and techniques for anyone who has the time and might be willing to publish an integration.

this OpenID class [20] makes the job a whole lot easier.. if you don't use it, it's at the very least a valuable reference. The demo script (included) details how to set "required" (we need nickname and email. still needs server side valid.) fields as well as optional fields (timezone, gender, blah). After submitting your OpenID [21] URL into the form, you'll either get some failure junk (try again) or a bunch of "requested/required" vars in the $_GET .. if there are no errors and all of your required/requested info is available, go to the database to see if there is a user by that nickname (openid_identity URL) and email (and that no other users possess either/or), if so, log them in, if not create the account then log them in in one swoop.

OpenID [22] is not an authentication system. it's an identity system. if it were to be used as an authentication method, i'd recommend setting up a restrictive (untrusted) group specifically for OpenID [23] users.. if you set up another table to track their logins, you could move them out of the untrusted group after a designated "trial" period.

that's all i've got.. maybe it's useful.



edited by: InvalidResponse, Mar 10, 2007 - 02:50 PM

--
http://www.invalidresponse.com [24]

I found a screencast explaining, how OpenID [30] really works. And it looks quite interesting to me:
http://simonwillison.net/2006/openid-screencast/

IMHO OpenID-users are as trustworthy as any other. You can always use some e-mail and register...

--
best regards from Kiel, sailing city

Steffen Voss

Member of the PostNuke Steering Committee
Read The Zikulan's Blog [31]

Hi Steffen,

It depends. if the authentication is based off of a user name and an email address, it's very easy to create a new "persona" (same nick name with the same email address) to authenticate against and access someone else's account.. using the OpenID [37] (URL) as the user name is more unique than a nickname (ie: johndoe vs. johndoe.myopenid.com) .. also, you are allowed to edit/change your persona/nickname at any time, making it even less reliable, whereas the URL is more "permanent" and unique... it's also the entry point for the user where their password is required to approve the login.

..should be pretty straight forward, particularly with the multiple auth systems in .8.

--
http://www.invalidresponse.com [38]

There should not be a johndoe and a johndoe.myopenid.com - johndoe.myopenid.com is the login-name for the user johndoe, isn't it?

--
best regards from Kiel, sailing city

Steffen Voss

Member of the PostNuke Steering Committee
Read The Zikulan's Blog [44]

when you setup the account, it's johndoe, but you can edit the persona changing johndoe (nick name) to johnsmith.. even the email. you can create various personas with different names and email addresses after the initial account creation.. so the only "truly" authentic identifier is the OpenID [50] URL, which the initial username (nick) remains part of ..

PS: openid_identity (the users ID server/thingy) is always present in the return parameters after they authenticate.



edited by: InvalidResponse, Mar 08, 2007 - 11:51 PM

--
http://www.invalidresponse.com [51]

well, i decided i'd poke at it and build an auth module for .8 .. the uname field is too small to accomodate the openid_identity, so I had to make that larger (since users can't change that field) .. there's also a check on the uname and email fields that prevent it from being a standard auth module..bummer. so it ends up being a hack, but whatever. if anyone wants to finish it off, take a look at it, or whatever, you can find it here [57] .. it's a working POC, but it's ugly, just the basics.. definitely do not install on a live site ..

ps: read the top of the pnuser.php file




edited by: InvalidResponse, Mar 10, 2007 - 02:51 PM

--
http://www.invalidresponse.com [58]