Change record status: 
Project: 
Introduced in branch: 
7.x
Introduced in version: 
7.9
Description: 

The alternative OpenID authentication method for transitioning invalid OpenID accounts is a less obtrusive, but also less secure, optional authentication method. Due to a bug in the OpenID module, wrong identifiers were being saved to the authmap table (this affects only particular OpenID providers).

If enabled, Drupal will try to find a matching account in the user database using alternative OpenID identifier matching when the standard OpenID login fails. For alternative matching, the identifier from the response is modified into the form in which it used to be saved. If the site user account found this way and the OpenID account have identical e-mail addresses (in addition to the matching alternative OpenID identifier), Drupal will assign the identifier to the existing user account and log the user in to the site.

If disabled, or when the e-mail addresses don't match, the user must log in to the site using another method, e.g. the ordinary user login or a password reset for a one-time temporary login. After logging in, users can fix their accounts themselves by re-adding their OpenID identifier and deleting the invalid one.

We recommend enabling the alternative method only for a limited period of time, to allow users to migrate their OpenID accounts easily without needing to reset their passwords or contact site support. We also recommend using this method only if you have many users with invalid OpenID identifiers in the authmap and if a potential breach of their accounts would not have fatal consequences.

You can enable the alternative transition method by setting the variable 'openid_less_obtrusive_transition' to TRUE. To do this, put the following line at the end of your settings.php file:

$conf['openid_less_obtrusive_transition'] = TRUE;

Enable this only if you are upgrading from Drupal 6.x or Drupal 7.8 and below, and disable it once most of your users have migrated their accounts, since the method re-opens a potential security vulnerability that was fixed in Drupal 7.9.

How many users are affected on your site?

You can review your authmap table: if you see authnames like https://openidprovider.com/identifier#fG6X5T5 (note the https protocol and the hash at the end), these are safe. However, if you see authnames like http://openidprovider.com/identifier (note the http protocol and no hash), these accounts are potentially affected by this issue.
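To estimate how many accounts are affected before deciding whether to enable the transition method, here is an added Python example (not Drupal's or this change record's own code) that applies the two authname patterns above to rows exported from the authmap table. The sample rows are constructed; any scheme/hash combination the record does not describe is reported separately as unclassified rather than guessed at.

```python
from urllib.parse import urlsplit

# Constructed sample rows modelled on Drupal 7's authmap table
# (uid, authname, module); not data from a real site.
SAMPLE_AUTHMAP = [
    (2, "https://openidprovider.com/identifier#fG6X5T5", "openid"),
    (3, "http://openidprovider.com/identifier", "openid"),
    (4, "http://openidprovider.com/other#aB1c2D3", "openid"),
    (5, "http://legacy.example.com/user/5", "othermodule"),  # not an OpenID row
    (6, "https://openidprovider.com/alice", "openid"),
]


def classify_authname(authname):
    """Apply the heuristic from the change record.

    'safe'         -> https scheme and a fragment (hash) at the end
    'affected'     -> http scheme and no fragment (the shape the buggy module saved)
    'unclassified' -> any other combination; review these by hand
    """
    parts = urlsplit(authname)
    if parts.scheme == "https" and parts.fragment:
        return "safe"
    if parts.scheme == "http" and not parts.fragment:
        return "affected"
    return "unclassified"


def audit_authmap(rows):
    """Bucket the uids of OpenID rows by classification.

    Rows belonging to other modules are skipped, since only the OpenID
    module wrote the identifiers this record is about.
    """
    buckets = {"safe": [], "affected": [], "unclassified": []}
    for uid, authname, module in rows:
        if module != "openid":
            continue
        buckets[classify_authname(authname)].append(uid)
    return buckets


if __name__ == "__main__":
    result = audit_authmap(SAMPLE_AUTHMAP)
    for bucket, uids in result.items():
        print(f"{bucket:12s} {len(uids):4d}  uids={uids}")
```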

Impacts: 
Site builders, administrators, editors
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done