By webchick on
After much hard work led by James Walker, OpenID 2.0 support is now in Drupal 6 core!
OpenID is a decentralized, secure single sign-on system. It allows you to create a login at a site you frequent, and use that same login on any other site that supports OpenID. Drupal 5.x and below have supported this with the built-in Drupal module, but OpenID is an open standard, better supported, and more secure.
"Let this be the day where we help revolutionize the online society, and the way websites and web services interoperate. Or something." - Dries
Comments
interesting
OpenID is a nice concept, but it's sort of a chicken/egg thing: nobody has an openID because not enough sites use it, and sites don't use OpenID because most people don't have one. Maybe this will change that.
BTW, if you still don't have an OpenID, FreeYourId has a nice 3 month free trial. I'm not affiliated with them, but I am a customer. It's a pretty good system, you get a .name domain, and they do all the work for you.
--
John Forsythe
Need reliable Drupal hosting?
actually...
...lots of people already have OpenID: All AOL instant messenger users, livejournal users, wordpress.com users - they all have them. Getting OpenIDs is easy. What we need more of is places to use them - and good reasons to use them. That's partly educational - helping people understand why OpenID is beneficial, and it's partly getting lots more openid-enabled sites out there for people to use them with. The latter is really what this work is intended to help out.
--
James Walker
--
James Walker :: http://walkah.net/
that's a good point.
Perhaps it's more an education issue, then. I doubt most AIM users know what OpenID is, let alone know that they've supposedly got one, or how to use it.
--
John Forsythe
Great work James (and
Great work James (and others!), I'm thrilled to see this in Drupal :D
Please elaborate
So what will this "OpenID support" mean?
- the ability for people to log in on your site using OpenID? (I assume this)
- the ability for your application to delegate an incoming authentication request to another server?
- running an OpenID authentication server on your drupal application?
Thanks,
Dieter
I'm concerned that using
I'm concerned that using OpenID will mean users I haven't personally 'screened' will post spam all over my site... Colour me not convinced just yet...
Pobster
--------------------------------------------
http://www.justgiving.com/paulmaddern
--------------------------------------------
I'm not entirely sure how it
I'm not entirely sure how it works, but I expect that the integration with Drupal will include support for a "whitelist" of which authorities/i-brokers to trust and which to reject.
OpenID is not an account
See An OpenID is not an account.
--
The Manual | Troubleshooting FAQ | Tips for posting | How to report a security issue.
Your link has great info!
Thanks Heine for that great link! The best part of the link, IMO, is this:
Walt Esquivel, MBA; MA; President, Wellness Corps; Captain, USMC (Veteran)
$50 Hosting Discount Helps Projects Needing Financing
I guess there are still issues to be worked out.
Some OpenID providers offer multiple identities, others don't. That might pose some issues in itself, especially if they allow several "patterns".
Then there is the issue of the width:
Example: the Wordpress OpenID is something like:
"http://wordpressusername.wordpress.com/"
How will the title of the Navigation block present it?
How wide should the sidebar get, and how should it truncate the OpenID?
For each trusted host, there must be a way of setting a truncation pattern so that the user name or whatever unique is extracted-for-view as the title of the user"name" links. Each OpenID provider may use completely different "patterns". Some just a normal user name, others a web domain as above, etc...
It seems that the Drupal site should offer (or even require?) the user to choose a specific user name anyway, and use OpenID to authenticate without having to store the password on the Drupal site. Is this part of the current implementation?
Update:
I have posted a feature request about better flexibility for user name changes here:
http://drupal.org/node/153317
This might also have relevance to OpenID implementation.
I am still trying to get my head properly around this OpenID thingy, with all its practical uses, implications and concerns.
Seems like what we mostly want is two things:
a) very easy signup for new users (and re-logins), and existing users not needing to update their passwords all over the place? (I see some security concerns with just that, though)
b) a practical way of verifying if "this guy" here on this site is in fact the same "person" as the "other guy over there" with a similar user name (on a different site).
But often we would still want them to register as a "normal" user on our own site.
If we allow an easy "user-less" entry to my site, then he or she starts posting, and within some required(?) time frame that user later creates a proper user account with a user name, how will the first contributions be "logged as"? Will they continue to point to the OpenID, will they appear to be posted by the recently chosen user name? Or am I completely out on a limb here?
.
--
( Evaluating the long-term route for Drupal 7.x via BackdropCMS at https://www.CMX.zone )
Out on a limb
See my site if you'd like to experiment with how it works in the Drupal 5 module.
Basically, logging in via OpenID works just like current @drupal.org authentication -- it always creates a local user account.
Some of the other big picture concerns you mention are too much to elaborate on here, and are part of the larger OpenID spec, having been addressed many times before. Yes, that is a kinder, gentler way of saying "go read more about" :P
For sites that require normal user account registration
What puzzles me is if my impression is correct - that not all OpenID providers would offer multiple identities. This leads me to wonder if the OpenID "url" itself would then have to be used. I see that this is not the necessary or even desirable effect, but may it happen, or definitely not?
I still wonder if this actually might pose a challenge to truncate long strange user names if they occur in the nick name part of OpenID user profiles. Not an OpenID-only problem, but one that may become more relevant as it spreads?
But in the case of either the site requiring a normal user account registration (as with the current Drupal implementation), and/or against OpenID service providers that offer multiple identities, that works, strictly speaking.
However, my mind is currently mostly fixed on how (or if...) this can simplify initial user login/registrations, and which consequences that may have. It seems that this does not make for a quicker and easier user registration for new users.
On the contrary, it might even slow down the process - especially if email confirmation is required anyway, and if the user is not logged into his OpenID provider.
We might need a browser function that based on if the master password to the browser's password storage has been entered, handles auto-login to the OpenID site when necessary, not just as a plug-in, but as part of any modern browser.
So it seems that the efficiency of the current Drupal OpenID implementation occurs _after_ they are registered and set up with OpenID on multiple sites.
.
--
( Evaluating the long-term route for Drupal 7.x via BackdropCMS at https://www.CMX.zone )
Early adopters
Once a person has an OpenID, they can start looking for the OpenID symbol and use that to login to sites. Yes, these are mainly going to be early adopters.....and the millions of AOL and LiveJournal users :P
And, of course, Drupal sites themselves can act as OpenID servers, using the openid_server module (currently, as James says, 4.7 only, needs to be ported to 5 and 6).
Your comment re: integrating into browsers is likely where the market is headed. Microsoft's CardSpace, which has said it will interoperate with OpenID, will do this. I suspect our friends over at Firefox have similar plans.
OpenID accounts *are* URLs. They are what must be used. The flow goes like this:
1. Have an OpenID, see the symbol, enter OpenID and you have an account (just like @drupal.org today, except it also grabs and sets nickname + email address from OpenID provider). Your OpenID login is like a key, but that just lets you into a "local" Drupal user account
2. There is no step two
No OpenID:
1. Don't have an OpenID / don't know what it means
2. Create a Drupal account the old fashioned way
Get an OpenID later:
1. You get an OpenID and decide you want to login using that instead of your user passa
2. You go into your user account and "bind" an OpenID to that account
3. In the future, you can login either using your regular user/pass, or you can use the OpenID(s) you've bound to your local user profile
OpenID server
OpenID server should be in core alongside the client, as soon as it is ported. I would like the idea of having this functionality be symmetric out of the box; that is, a site could query other servers and provide its own authentication without having to install contributed modules.
If Simple Registration
If Simple Registration Extension is implemented in the consumer and the server also supplies it you can even skip all steps or the ones that OpenID returns data.
An example at http://www.openidenabled.com/software/simple-registration-myopenid/
This is indeed a great news for our Care3G project.
Is it planned to also have hook_ on this so we can override some behaviours?
Best,
Lopo
Humaneasy Consulting
iPublicis!COM
www.humaneasy.com
www.ipublicis.com
CSM & CSPO
Security Now Podcast on OpenID
TWiT's Security Now podcast #95 has an interesting discussion on OpenID... http://www.twit.tv/sn95
OpenID - Security Now Podcast
You can get more (a lot more) information on OpenID from the Security Now podcast from Steve Gibson and Leo Laporte.
Hope this helps...
---
Russ @ Maintenance Essentials
---
Russ @ Firewize
More OpenID podcasts...
There was also a podcast about OpenID on hanselminutes back in Feb:
http://www.hanselminutes.com/default.aspx?showID=65
And another one on Net At Night on Twit which had (amongst other things) an interview with the MyOpenID guy, his interview is about half way through the show I think:
http://www.twit.tv/natn16
Both worth listening to if you're interested in this stuff.
Cheers
John Bell
Great news
Great news!
I hope to see more and more drupal powered sites using openid.
BTW.
OpenID is one of the CNet Webware 100 Winner, too - http://www.webware.com/8301-13546_109-9729712-29.html
---
Drupal Theme Garden
This is so great
Being a Drupal AND OpenID user, I'm jazzed to see this happen.
this is fantastic news..
Hi Webchick..
I was just talking to someone about this (the ability to have a distributed login like this) earlier. Amazing to see it will be included in Drupal 6.
Congrats to all involved
Dub.
Currently in Switzerland working as an Application Developer with UBS Investment Bank...using Drupal 7 and lots of swiss chocolate
It is good news indeed.
It is good news indeed. However, I am a bit nervous with the fact that there is no 2.0 final spec out yet we have implementations for OpenID 2.0. The spec is half baked, with some major questions still remaining and being discussed.
Is this module compliant with the OpenID 2.0 draft as it stands?
http://rajeev.name/blog
OpenID 2.0
I don't know that "half-baked" is quite accurate on the state of the 2.0 spec... it's pretty close to final. That said, yes, it's true that it is not yet a final spec. I will be tracking any changes, and we'll patch as need be.
For the record, we currently work with Implementor's Draft 11.
--
James Walker :: http://walkah.net/
Bot bouncer for OpenID
Use a service like Bot Bouncer to verify OpenIDs.
I'm really happy to see this in Core, great job guys!
P.S.: I wouldn't be surprised to see 100 million OpenIDs by the end of the year. AOL, Microsoft, Livejournal, Verisign... it all adds up.
identity fraud comes closer and closer to use
I have some troubles understanding why OpenID is so great... I learned it is *only* an identity and no trust system. How can I login somebody in my system, give him permissions to post something - maybe in a blog - *without* trusting a remote server??? Every remote server can say "yes" this is "Joe" and it's *not* Joe...
Additionally, what will happen if I sell my domain, or the domain has been touched earlier and I'm now the owner? The future owner will be able to identify as me, while he owns my domain... really big big sh**.
How can I prevent identity fraud?
that's not an OpenID issue
Don't use a URL you don't plan on keeping, then. The problems you describe are by no means unique to OpenID - if you sell your domain name, any account you had with your e-mail address is compromised in the same exact manner - all they have to do is do 'forgot password' and it gets e-mailed right to the new owner of the domain.
Best Drupal news this year!
I think this is absolutely marvellous.
To those of you that are concerned about this technology - remember that this is only a single sign-on solution. It requires a full URL, and therefore it cannot be spoofed.
My current OpenID is mikl.pip.verisignlabs.com - only way to spoof that would be to hack Verisign's system or if they gave the domain away.
I can, however, by way of delegation, use mikkel.hoegh.org as my OpenID and say that mikkel.hoegh.org is actually a reference to mikl.pip.verisignlabs.com - so I would use mikkel.hoegh.org as my OpenID, and if I at some point decide to change OpenID provider to, say, myOpenID, I'd just change the delegation (it's a small bit of HTML you stick in the header for your front page). The only danger here is if I somehow lost control of hoegh.org. But again, no one forces me to use my own domain.
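The delegation described in the comment above, as an added example that is not part of the original thread and not Drupal's code: a relying-party-side sketch of HTML-based discovery that reads the OpenID `<link>` elements from a delegating page. The provider endpoint URLs and page contents are constructed; the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values used for HTML-based discovery (OpenID 1.1 and 2.0).
REL_KEYS = {
    "openid2.provider": "provider2", "openid2.local_id": "local2",
    "openid.server": "provider1", "openid.delegate": "local1",
}

class HeadLinks(HTMLParser):
    """Collect OpenID <link> elements, but only from inside <head>, so
    markup that visitors can post into the page body is never honoured."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            for rel in (attr.get("rel") or "").lower().split():
                key = REL_KEYS.get(rel)
                if key and attr.get("href"):
                    self.found.setdefault(key, attr["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def normalize(identifier):
    """Turn user input such as 'mikkel.hoegh.org' into a canonical URL."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    p = urlsplit(identifier)
    query = "?" + p.query if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}{query}"

def discover(user_input, html):
    """Return claimed_id, provider and local_id, or None if no provider link."""
    claimed_id = normalize(user_input)
    parser = HeadLinks()
    parser.feed(html)
    links = parser.found
    provider = links.get("provider2") or links.get("provider1")
    if not provider or urlsplit(provider).scheme not in ("http", "https"):
        return None
    # Pair the local id with the same protocol version as the provider.
    local = links.get("local2") if "provider2" in links else links.get("local1")
    return {"claimed_id": claimed_id, "provider": provider,
            "local_id": local or claimed_id}

# Constructed pages: the same front page before and after switching provider.
PAGE_BEFORE = """<html><head><title>Mikkel</title>
<link rel="openid.server" href="https://op-one.example/server">
<link rel="openid.delegate" href="http://mikl.pip.verisignlabs.com/">
</head><body>Hello</body></html>"""
PAGE_AFTER = """<html><head><title>Mikkel</title>
<link rel="openid.server" href="https://op-two.example/server">
<link rel="openid.delegate" href="http://mikl.op-two.example/">
</head><body>Hello</body></html>"""
# Constructed page where the link sits in user-writable body content.
PAGE_BODY_LINK = """<html><head><title>Blog</title></head><body>
<p><link rel="openid.server" href="https://untrusted.example/server"></p>
</body></html>"""
```

The site keys the local account on `claimed_id`, which stays `http://mikkel.hoegh.org/` across the provider change; that is also why control of the delegating page and its domain is control of the identity.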
OpenID server
Is there a contrib module to have Drupal be an OpenID server, aka Drupal processing auth requests?
Also, are there plans to convert Drupal distributed auth (aka drupal.module) into OpenID?
OpenID server & distributed auth
OpenID server - yes, it's currently 4.7 only ... I'm in the process (and can again turn more focus back to) forward porting stuff to Drupal 5 & HEAD. So the short answer is it's coming :)
Distributed auth - there isn't really a "conversion" to take place... the thing is, it's a fundamentally different approach to authentication. Currently drupal.module's auth bit and openid completely co-exist. Drupal.module distauth will likely be retired to contrib .. but there's not a firm plan for that (yet).
--
James Walker :: http://walkah.net/
Can you give us a link to
Can you give us a link to the OpenID server module, please?
---
Drupal Themes Live Preview - themegarden.org
For now...
... it's semi-hidden in the DRUPAL-4-7--2 branch of the openid contrib project. I'll fix this to make it more highly visible soon (as part of getting it more fully completed and up to date).
--
James Walker :: http://walkah.net/
How good is OpenID compared
How good is OpenID compared to PKI single sign-on solution? I can use my digital certificate anywhere but Drupal for now. Combined with etoken usb stick, it gives far more degree of freedom to user and better control for sysadmins. Should I mention that certificates are great for many more things than just authentication?
Complementing
As far as my current understanding goes, it is not a competitor to PKI, rather complementing it, but even that is further down the road it seems. OpenID may be used and/or further developed into the areas of really secure trust and authentication, but right now that is not its main role.
Ref. the various links to the OpenID documentation here in this thread, and this one:
.
--
( Evaluating the long-term route for Drupal 7.x via BackdropCMS at https://www.CMX.zone )
I smell an API
Yay OpenID!
Hopefully this foreshadows an identification/authentication/authorization backend or API. I'd love to be able to run modules to use SAML other auth goodness between Drupal sites or even other services.
API already there
Drupal has had multiple authentication sources for years, leading back to at least the beginning of the 4.0 series. Core used to ship with many more of them as default.
A SAML module is totally possible today, for Drupal 5. If you look, there are many other auth systems available as modules -- LDAP, CAS, etc. etc.
I hope there will be an
I hope there will be an OpenID server solution for Drupal.
It would be great if we can provide decentralized, secure single sign-on system by using Drupal.
Already available
Please read earlier comments on it being only available for 4.7. Help in porting it forward to Drupal 5 and 6 would be appreciated.
Great
Great News, can't wait for 6!!!
re
Thanks for news, Great work James, now I can use OpenID on my website projects that use Drupal core :)
I'm concerned that using
openid.net/about.bml
petermoulding.com/web_architect
Same issue today
We have the same issue today with the built-in Drupal distributed authentication. With OpenID logins being based on globally unique URLs, it will be even easier to combat spam.
Google tech talk
For those who want to find out more about OpenID, Simon Willison gave a Google tech talk on June 25.
That's a great talk.
Highly recommended. (around 40 minutes plus questions - total: 51 minutes)
.
--
( Evaluating the long-term route for Drupal 7.x via BackdropCMS at https://www.CMX.zone )
Shibboleth
Perhaps Shibboleth could be included as a future extension to the Openid code. Shibboleth is popular among universities.
petermoulding.com/web_architect
That's not an antispam solution
Cause of all the comments above...
Remember that OpenID is a single sign on solution NOT an anti-spam solution!
You're free to create as many OpenID identities as you want.
Not single sign on
It is not single sign on - it is single password. You still need to sign into each site.
Which brings up my question - when openid providers go bad. If your openid provider suddenly starts charging huge fees, say for OpenID and popmail access, or sells bloggers out to totalitarian governments, and you resign in disgust, can you/do you need to re-establish your identity on every site you've used it on?
I like the idea - I just want my own server.
Don Robertson
IT Consultant
Phnom Penh
don@robertson.net.nz 012 769 280
Don Robertson
Christchurch, New Zealand
don@robertson.net.nz
021 294 1542
Don, It is a single sign on.
Don,
It is a single sign on. You only authenticate with one server, your openID server. Once signed on you don't need to re-authenticate yourself to every site, just identify yourself and openID handles the authentication.
Here is the problem it solves. If I try to sign up for websites but my favorite usernames are popular I may end up with different usernames for each site. Also, it's a good idea to use different passwords on each site so if one site is compromised the same password cannot be used on another site. It's a pain to have to remember all these different usernames and passwords especially if you use computers at school or cafes that don't have your passwords saved in the browser.
OpenID solves this because ID namespaces are globally unique just like email so I only need to use one ID for every site and my openID will always be available on that site. Also, the password issue is solved because you don't need to use a password to login to each site.
As for the bad provider problem, most sites that use openID do so as an alternate means to sign on. Those sites probably still allow or require a username and password during registration so you can change your openID identity on that site. Unfortunately you'd have to do this on every site you've associated with the old openID. You wouldn't have to remember your passwords though, just jot them down on an encrypted text file and store them away. After all, you'll only need them in a case when openID login is impossible.
Will enabling OpenID support
Will enabling OpenID support mean that anyone with an OpenID can login or will there still be access controls? For instance, I'd like to offer users the convenience of OpenID login while still requiring administrative approval or requiring an invitation using the invite module.
I found the answer. OpenID
I found the answer. OpenID replaces the username/password login but does not automatically give anyone with an OpenID user level access to the site. Registration is still necessary either directly on the site itself or through the site requesting required registration information from the OpenID provider.
OpenID in Drupal 6 is still
OpenID in Drupal 6 is still not handling URLs properly for new user registration. I hope this is fixed before Drupal 6 is released.
http://drupal.org/node/216101
J
OpenID 2.0 Not Working In Drupal 6
Oh well......
OpenID 2.0 support is still broken.
I'm sure OpenID 1.x stuff works fine but haven't tested that.
http://drupal.org/node/216101
Even though I filed this bug 2 weeks ago, I think the complete fix may require more revision of the login/register
flow than was practical for this release. Still, it'd be nice to see Drupal on the leading edge here instead of
floundering with a broken implementation.
-J
This is really nice! I hope
This is really nice! I hope OpenID can get more buzz in the future..
OpenID on Drupal 6, does it really work?
I have just installed Drupal 6.2 and also enabled the OpenID module,
however I can't manage to login using my Yahoo identity.
Any ideas of what else I may need to enable?
My URL?
http://blog.ventanaurbana.com
Drupal 6, VeriSign Labs OpenID, BUG?
With Yahoo OpenID I couldn't log in (invalid char in the login name), but I could with VeriSign Labs' Personal Identity Portal - https://pip.verisignlabs.com/.
I see only one problem (and I think it is important): on my site I have the user setting at "Visitors can create accounts but administrator approval is required."; however, I registered myself using the OpenID module, and when I went back to my site I was logged in, and with the Authenticated User role, with all the permissions! In the user list, I'm listed as "blocked", but it is a lie, I'm not blocked.
I couldn't find the issue page for OpenID, where is it?
Thank you!
Alek
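The behaviour the comment above expected, together with the create-or-bind login flow described earlier in the thread, as an added sketch that is not Drupal's own code. The `Site` class, its methods and the identifiers are hypothetical, and `openid_login` assumes the provider's assertion for the claimed URL has already been verified.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Account:
    uid: int
    name: str
    active: bool          # False = blocked or awaiting administrator approval

class Site:
    def __init__(self, require_admin_approval):
        self.require_admin_approval = require_admin_approval
        self.accounts = {}            # uid -> Account
        self.authmap = {}             # claimed OpenID URL -> uid
        self._uids = count(1)

    def _unique_name(self, name):
        # Nicknames from providers can collide with existing local names.
        taken = {a.name for a in self.accounts.values()}
        candidate, n = name, 1
        while candidate in taken:
            n += 1
            candidate = f"{name}_{n}"
        return candidate

    def register(self, name, active):
        acct = Account(next(self._uids), self._unique_name(name), active)
        self.accounts[acct.uid] = acct
        return acct

    def bind(self, uid, claimed_id):
        """Attach an OpenID to an account; one URL maps to exactly one account."""
        if self.authmap.get(claimed_id, uid) != uid:
            raise ValueError("OpenID already bound to another account")
        self.authmap[claimed_id] = uid

    def approve(self, uid):
        self.accounts[uid].active = True

    def openid_login(self, claimed_id, nickname):
        """Return (account, session_granted) for a verified claimed_id."""
        uid = self.authmap.get(claimed_id)
        if uid is None:
            # First visit: create the local account under the site's policy.
            acct = self.register(nickname,
                                 active=not self.require_admin_approval)
            self.bind(acct.uid, claimed_id)
        else:
            acct = self.accounts[uid]
        # The session decision depends on account status on every login,
        # including the request that has just created the account.
        return acct, acct.active

def demo():
    # Constructed identifier, for illustration only.
    site = Site(require_admin_approval=True)
    acct, first = site.openid_login("http://alek.example/", "alek")
    _, again = site.openid_login("http://alek.example/", "alek")
    site.approve(acct.uid)
    _, approved = site.openid_login("http://alek.example/", "alek")
    return first, again, approved
```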
OpenID on drupal.org
Wouldn't it be nice to see it in action on drupal.org itself? (I just set up my drupal.org account and was wondering whether I may log on using OpenID ;-))
Drupal version suggestion for single sign on
We are working on a site which already has phpbb and wordpress applications.
Now we are using Drupal for integrating these two applications; we are using Drupal 5.10 with the openid module.
Our main purpose is to have single sign-on.
My query is
a) is there any advantage of Drupal 6 over Drupal 5.10 in terms of the OpenID module
b) is it possible to achieve single sign-on using OpenID and Drupal, I mean once the user logs in to Drupal, then it should automatically log in to the phpbb and wordpress applications.
Is this possible? Any approach or thoughts on this requirement?
Please respond
Great news!
Great news!