After much hard work led by James Walker, OpenID 2.0 support is now in Drupal 6 core!

OpenID is a decentralized, secure single sign-on system. It allows you to create a login at a site you frequent and use that same login on any other site that supports OpenID. Drupal 5.x and below have supported this with the built-in drupal.module (distributed authentication), but OpenID is an open standard, better supported, and more secure.

"Let this be the day where we help revolutionize the online society, and the way websites and web services interoperate. Or something." - Dries

Comments

JohnForsythe

OpenID is a nice concept, but it's sort of a chicken/egg thing: nobody has an OpenID because not enough sites use it, and sites don't use OpenID because most people don't have one. Maybe this will change that.

BTW, if you still don't have an OpenID, FreeYourId has a nice 3 month free trial. I'm not affiliated with them, but I am a customer. It's a pretty good system, you get a .name domain, and they do all the work for you.

--
John Forsythe
Need reliable Drupal hosting?

walkah

...lots of people already have OpenID: all AOL Instant Messenger users, LiveJournal users, wordpress.com users - they all have them. Getting OpenIDs is easy. What we need more of is places to use them - and good reasons to use them. That's partly educational - helping people understand why OpenID is beneficial, and it's partly getting lots more OpenID-enabled sites out there for people to use them with. The latter is really what this work is intended to help out.
--
James Walker :: http://walkah.net/

JohnForsythe

Perhaps it's more an education issue, then. I doubt most AIM users know what OpenID is, let alone know that they've supposedly got one, or how to use it.

--
John Forsythe

breyten

Great work James (and others!), I'm thrilled to see this in Drupal :D

Dieter_be

So what will this "OpenID support" mean?
- the ability for people to log in on your site using OpenID? (I assume this)
- the ability for your application to delegate an incoming authentication request to another server?
- running an OpenID authentication server on your drupal application?

Thanks,
Dieter

pobster

I'm concerned that using OpenID will mean users I haven't personally 'screened' will post spam all over my site... Colour me not convinced just yet...

Pobster

--------------------------------------------
http://www.justgiving.com/paulmaddern
--------------------------------------------

cburschka

I'm not entirely sure how it works, but I expect that the integration with Drupal will include support for a "whitelist" of which authorities/i-brokers to trust and which to reject.

Walt Esquivel

Thanks Heine for that great link! The best part of the link, IMO, is this:

Most web application signup processes work something like this:

1. Bob selects a username
2. Bob enters a password, twice
3. Bob enters his e-mail address
4. Bob clicks a validation link in an e-mail sent to that address

Some sites throw a CAPTCHA in there for good measure.

OpenID replaces at most the first two steps of that registration process. Instead of having a user set up a new password you get them to authenticate with their OpenID at the start of the process. After that you might still want them to pick a username (especially if you are integrating OpenID in to an existing account system) and you’ll almost certainly want them to jump through the e-mail and/or CAPTCHA steps.

In the future, they can sign in to your site using their OpenID rather than having to dig around for whichever username and password they used.

Walt Esquivel, MBA; MA; President, Wellness Corps; Captain, USMC (Veteran)
$50 Hosting Discount Helps Projects Needing Financing

Leeteq

Some OpenID providers offer multiple identities, others don't. That might pose some issues in itself, especially if they allow several "patterns".

Then there is the issue of the width:
Example: the Wordpress OpenID is something like:
"http://wordpressusername.wordpress.com/"

How will the title of the Navigation block present it?
How wide should the sidebar get, and how should it truncate the OpenID?
For each trusted host, there must be a way of setting a truncation pattern so that the user name or whatever unique is extracted-for-view as the title of the user"name" links. Each OpenID provider may use completely different "patterns". Some just a normal user name, others a web domain as above, etc...

It seems that the Drupal site should offer (or even require?) the user to choose a specific user name anyway, and use OpenID to authenticate without having to store the password on the Drupal site. Is this part of the current implementation?

Update:
I have posted a feature request about better flexibility for user name changes here:
http://drupal.org/node/153317
This might also have relevance to OpenID implementation.

I am still trying to get my head properly around this OpenID thingy, with all its practical uses, implications and concerns.

Seems like what we mostly want is two things:

a) very easy signup for new users (and re-logins), and existing users not needing to update their passwords all over the place? (I see some security concerns with just that, though)

b) a practical way of verifying if "this guy" here on this site is in fact the same "person" as the "other guy over there" with a similar user name (on a different site).

But often we would still want them to register as a "normal" user on our own site.
If we allow an easy "user-less" entry to my site, then he or she starts posting, and within some required(?) time frame that user later creates a proper user account with a user name, how will the first contributions be "logged as"? Will they continue to point to the OpenID, will they appear to be posted by the recently chosen user name? Or am I completely out on a limb here?

--
(A: Recruiting bi-lingual Spanish/English Drupal experts for a global project.
B: Inviting "minipreneurs" and DrupalExpert-wannabees to the same project.)

Boris Mann

See my site if you'd like to experiment with how it works in the Drupal 5 module.

Basically, logging in via OpenID works just like current @drupal.org authentication -- it always creates a local user account.

Some of the other big picture concerns you mention are too much to elaborate on here, and are part of the larger OpenID spec, having been addressed many times before. Yes, that is a kinder, gentler way of saying "go read more about" :P

Leeteq

What puzzles me is whether my impression is correct - that not all OpenID providers would offer multiple identities. This leads me to wonder if the OpenID "url" itself would then have to be used. I see that this is not the necessary or even desirable effect, but may it happen, or definitely not?

I still wonder if this actually might pose a challenge to truncate long strange user names if they occur in the nick name part of OpenID user profiles. Not an OpenID-only problem, but one that may become more relevant as it spreads?

But in the case of either the site requiring a normal user account registration (as with the current Drupal implementation), and/or against OpenID service providers that offer multiple identities, that works, strictly speaking.

However, my mind is currently mostly fixed on how (or if...) this can simplify initial user login/registrations, and which consequences that may have. It seems that this does not make for a quicker and easier user registration for new users.

On the contrary, it might even slow down the process - especially if email confirmation is required anyway, and if the user is not logged into his OpenID provider.

We might need a browser function that based on if the master password to the browser's password storage has been entered, handles auto-login to the OpenID site when necessary, not just as a plug-in, but as part of any modern browser.

So it seems that the efficiency of the current Drupal OpenID implementation occurs _after_ they are registered and set up with OpenID on multiple sites.

--
(A: Recruiting bi-lingual Spanish/English Drupal experts for a global project.
B: Inviting "minipreneurs" and DrupalExpert-wannabees to the same project.)

Boris Mann

Once a person has an OpenID, they can start looking for the OpenID symbol and use that to login to sites. Yes, these are mainly going to be early adopters.....and the millions of AOL and LiveJournal users :P

And, of course, Drupal sites themselves can act as OpenID servers, using the openid_server module (currently, as James says, 4.7 only, needs to be ported to 5 and 6).

Your comment re: integrating into browsers is likely where the market is headed. Microsoft's CardSpace, which has said it will interoperate with OpenID, will do this. I suspect our friends over at Firefox have similar plans.

OpenID accounts *are* URLs. They are what must be used. The flow goes like this:
1. Have an OpenID, see the symbol, enter OpenID and you have an account (just like @drupal.org today, except it also grabs and sets nickname + email address from OpenID provider). Your OpenID login is like a key, but that just lets you into a "local" Drupal user account
2. There is no step two

No OpenID:
1. Don't have an OpenID / don't know what it means
2. Create a Drupal account the old fashioned way

Get an OpenID later:
1. You get an OpenID and decide you want to login using that instead of your user/pass
2. You go into your user account and "bind" an OpenID to that account
3. In the future, you can login either using your regular user/pass, or you can use the OpenID(s) you've bound to your local user profile

cburschka

OpenID server should be in core alongside the client, as soon as it is ported. I would like the idea of having this functionality be symmetric out of the box; that is, a site could query other servers and provide its own authentication without having to install contributed modules.

lopolencastredealmeida

If the Simple Registration Extension is implemented in the consumer and the server also supplies it, you can even skip all the steps, or at least the ones for which OpenID returns data.

An example at http://www.openidenabled.com/software/simple-registration-myopenid/

This is indeed great news for our Care3G project.

Is it also planned to have hook_ on this so we can override some behaviours?

Best,
Lopo

Humaneasy Consulting
www.humaneasy.com

alpritt

TWiT's Security Now podcast #95 has an interesting discussion on OpenID... http://www.twit.tv/sn95

rport

You can get more (a lot more) information on OpenID from the Security Now podcast from Steve Gibson and Leo Laporte.

Hope this helps...

---
Russ @ Maintenance Essentials

J.B

There was also a podcast about OpenID on hanselminutes back in Feb:
http://www.hanselminutes.com/default.aspx?showID=65

And another one on Net At Night on Twit which had (amongst other things) an interview with the MyOpenID guy, his interview is about half way through the show I think:
http://www.twit.tv/natn16

Both worth listening to if you're interested in this stuff.
Cheers
John Bell

themegarden.org

Great news!
I hope to see more and more Drupal-powered sites using OpenID.

BTW.
OpenID is one of the CNet Webware 100 winners, too - http://www.webware.com/8301-13546_109-9729712-29.html
---
Drupal Theme Garden

damnian

Being a Drupal AND OpenID user, I'm jazzed to see this happen.

Dublin Drupaller

Hi Webchick..

I was just talking to someone about this (the ability to have a distributed login like this) earlier. Amazing to see it will be included in Drupal 6.

Congrats to all involved

Dub.

Currently in Switzerland working as an Application Developer with UBS Investment Bank...using Drupal 7 and lots of swiss chocolate

kreaper

It is good news indeed. However, I am a bit nervous with the fact that there is no 2.0 final spec out yet we have implementations for OpenID 2.0. The spec is half baked, with some major questions still remaining and being discussed.

Is this module compliant with the OpenID 2.0 draft as it stands?

http://rajeev.name/blog

walkah

I don't know that "half-baked" is quite accurate on the state of the 2.0 spec... it's pretty close to final. That said, yes, it's true that it is not yet a final spec. I will be tracking any changes, and we'll patch as need be.

For the record, we currently work with Implementor's Draft 11.
--
James Walker :: http://walkah.net/

Robin Millette

Use a service like Bot Bouncer to verify OpenIDs.

I'm really happy to see this in Core, great job guys!

P.S.: I wouldn't be surprised to see 100 million OpenIDs by the end of the year. AOL, Microsoft, Livejournal, Verisign... it all adds up.

hass

I have some trouble understanding why OpenID is so great... I learned it is *only* an identity and not a trust system. How can I log somebody in to my system and give him permissions to post something - maybe in a blog - *without* trusting a remote server??? Every remote server can say "yes" this is "Joe" and it's *not* Joe...

Additionally, what will happen if I sell my domain, or the domain has been owned by someone earlier and I'm now the owner? The future owner will be able to identify as me, while he owns my domain... really big big sh**.

How can i prevent identity fraud?

ceejayoz

Don't use a URL you don't plan on keeping, then. The problems you describe are by no means unique to OpenID - if you sell your domain name, any account you had with your e-mail address is compromised in the same exact manner - all they have to do is do 'forgot password' and it gets e-mailed right to the new owner of the domain.

mikl

I think this is absolutely marvellous.

To those of you that are concerned about this technology - remember that this is only a single sign-on solution. It requires a full URL, and therefore it cannot be spoofed.

My current OpenID is mikl.pip.verisignlabs.com - only way to spoof that would be to hack Verisign's system or if they gave the domain away.

I can, however, by way of delegation, use mikkel.hoegh.org as my OpenID and say that mikkel.hoegh.org is actually a reference to mikl.pip.verisignlabs.com - so I would use mikkel.hoegh.org as my OpenID, and if I at some point decide to change OpenID provider to, say, myOpenID, I'd just change the delegation (it's a small bit of HTML you stick in the header of your front page). The only danger here is if I somehow lost control of hoegh.org. But again, no one forces me to use my own domain.
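The delegation mikl describes, as an added example that is not part of this thread or of Drupal's openid module: a small parser for the HTML discovery tags a relying party reads from the claimed URL. Hostnames are constructed placeholders; the parser also ignores link tags that appear outside the document head, so tags pasted into page content cannot redirect discovery.

```python
"""OpenID HTML-based discovery with delegation (added example, not Drupal code).

Models what mikl describes: the user's own URL carries <link> tags naming
the real provider and the identity that provider knows. OpenID 1.x tags are
rel="openid.server"/"openid.delegate"; OpenID 2.0 tags are
rel="openid2.provider"/"openid2.local_id". Hostnames below are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, Optional


class _HeadLinkParser(HTMLParser):
    """Collect rel -> href from <link> tags, but only inside <head>."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = False
        self._done = False

    def handle_starttag(self, tag, attrs):
        if self._done:
            return
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                for token in rel.split():          # rel may list several
                    self.links.setdefault(token.lower(), href)
        elif tag == "body":
            self._done = True   # body content (e.g. comments) never counts

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False
            self._done = True


def discover(claimed_id: str, html: str) -> Optional[Dict[str, str]]:
    """Return provider endpoint and local id for a claimed identifier.

    Prefers OpenID 2.0 tags, falls back to 1.x. With delegation, local_id
    (what the provider asserts) differs from claimed_id (what the user
    typed); without a delegate tag they are the same. None if no provider.
    """
    p = _HeadLinkParser()
    p.feed(html)
    for version, prov_rel, local_rel in (
        ("2.0", "openid2.provider", "openid2.local_id"),
        ("1.1", "openid.server", "openid.delegate"),
    ):
        if prov_rel in p.links:
            return {
                "version": version,
                "claimed_id": claimed_id,
                "provider": p.links[prov_rel],
                "local_id": p.links.get(local_rel, claimed_id),
            }
    return None


# Constructed sample page: a personal domain delegating to a provider; the
# stray <link> in the body must be ignored by discovery.
SAMPLE_HTML = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://provider.example.net/server">
<link rel="openid.delegate" href="https://alice.provider.example.net/">
<link rel="openid2.provider" href="https://provider.example.net/server">
<link rel="openid2.local_id" href="https://alice.provider.example.net/">
</head><body>
<link rel="openid2.provider" href="https://elsewhere.example.org/server">
</body></html>"""
```

Switching providers, as mikl says, is then just editing the two href values; the claimed identifier the user types and that sites have bound does not change.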

gopherspidey

Is there a contrib module to have Drupal be an OpenID server, i.e. Drupal processing auth requests?

Also, are there plans to convert Drupal distributed auth (aka drupal.module) into OpenID?

walkah

OpenID server - yes, it's currently 4.7 only ... I'm in the process (and can again turn more focus back to) forward porting stuff to Drupal 5 & HEAD. So the short answer is it's coming :)

Distributed auth - there isn't really a "conversion" to take place... the thing is, it's a fundamentally different approach to authentication. Currently drupal.module's auth bit and openid completely co-exist. Drupal.module distauth will likely be retired to contrib .. but there's not a firm plan for that (yet).
--
James Walker :: http://walkah.net/

themegarden.org

Can you give us a link to the OpenID server module, please?
---
Drupal Themes Live Preview - themegarden.org

walkah

... it's semi-hidden in the DRUPAL-4-7--2 branch of the openid contrib project. I'll fix this to make it more highly visible soon (as part of getting it more fully completed and up to date).
--
James Walker :: http://walkah.net/

LuckyOne

How good is OpenID compared to a PKI single sign-on solution? I can use my digital certificate anywhere but Drupal for now. Combined with an eToken USB stick, it gives a far greater degree of freedom to the user and better control for sysadmins. Should I mention that certificates are great for many more things than just authentication?

Leeteq

As far as my current understanding goes, it is not a competitor to PKI, rather complementing it, but even that is further down the road it seems. OpenID may be used and/or further developed into the areas of really secure trust and authentication, but right now that is not its main role.

Ref. the various links to the OpenID documentation here in this thread, and this one:

"The real problem, as many have pointed out, is that there is no real trustworthy authority in the spec; no certificates from a well-known CA, for example. All you're trusting is that the domain of the OpenID provider is not really messed up technically, and that the person behind the identity is who they say they are. But nobody's vouching for anyone else, or saying that that person isn't some scammer in Nigeria."
http://www.digitalinfrastructure.ziffdavis.com/article/OpenID+and+VoIP/2...

--
(A: Recruiting bi-lingual Spanish/English Drupal experts for a global project.
B: Inviting "minipreneurs" and DrupalExpert-wannabees to the same project.)

Paul Natsuo Kishimoto

Yay OpenID!

Hopefully this foreshadows an identification/authentication/authorization backend or API. I'd love to be able to run modules to use SAML or other auth goodness between Drupal sites or even other services.

Boris Mann

Drupal has had multiple authentication sources for years, leading back to at least the beginning of the 4.0 series. Core used to ship with many more of them as default.

A SAML module is totally possible today, for Drupal 5. If you look, there are many other auth systems available as modules -- LDAP, CAS, etc. etc.

erdem

I hope there will be an OpenID server solution for Drupal.
It would be great if we could provide a decentralized, secure single sign-on system by using Drupal.

Boris Mann

Please read earlier comments on it being only available for 4.7. Help in porting it forward to Drupal 5 and 6 would be appreciated.

mrbert

Great News, can't wait for 6!!!

tomekg

Thanks for news, Great work James, now I can use OpenID on my website projects that use Drupal core :)

peterx

What about spam?

Somebody could run their own identity server that says they're http://spammer.example.com/000001/ all the way to http://spammer.example.com/999999/, and it's not a goal of this system to prevent that. It's another layer's job to say that the identities with URLs spammer.example.com/* are spammers, or that some ID server is a known spammer, or that some particular identity is a known spammer.

openid.net/about.bml

petermoulding.com/web_architect

Boris Mann

We have the same issue today with the built-in Drupal distributed authentication. With OpenID logins being based on globally unique URLs, it will be even easier to combat spam.

canen

For those who want to find out more about OpenID Simon Willison gave a Google tech talk on June 25.

Leeteq

Highly recommended. (around 40 minutes plus questions - total: 51 minutes)

--
(A: Recruiting bi-lingual Spanish/English Drupal experts for a global project.
B: Inviting "minipreneurs" and DrupalExpert-wannabees to the same project.)

peterx

Perhaps Shibboleth could be included as a future extension to the OpenID code. Shibboleth is popular among universities.

petermoulding.com/web_architect

rainer_f

Because of all the comments above...
Remember that OpenID is a single sign-on solution, NOT an anti-spam solution!
You're free to create as many OpenID identities as you want.

Don Robertson

It is not single sign on - it is single password. You still need to sign into each site.

Which brings up my question - when OpenID providers go bad. If your OpenID provider suddenly starts charging huge fees, say for OpenID and POP mail access, or sells bloggers out to totalitarian governments, and you resign in disgust, can you/do you need to re-establish your identity on every site you've used it on?

I like the idea - I just want my own server.

Don Robertson
IT Consultant
Phnom Penh
don@robertson.net.nz 012 769 280

Don Robertson
Christchurch, New Zealand
don@robertson.net.nz 021 294 1542

kylehase

Don,

It is a single sign-on. You only authenticate with one server, your OpenID server. Once signed on you don't need to re-authenticate yourself to every site, just identify yourself and OpenID handles the authentication.

Here is the problem it solves. If I try to sign up for websites but my favorite usernames are popular I may end up with different usernames for each site. Also, it's a good idea to use different passwords on each site so if one site is compromised the same password cannot be used on another site. It's a pain to have to remember all these different usernames and passwords especially if you use computers at school or cafes that don't have your passwords saved in the browser.

OpenID solves this because ID namespaces are globally unique just like email, so I only need to use one ID for every site and my OpenID will always be available on that site. Also, the password issue is solved because you don't need to use a password to log in to each site.

As for the bad provider problem, most sites that use OpenID do so as an alternate means to sign on. Those sites probably still allow or require a username and password during registration, so you can change your OpenID identity on that site. Unfortunately you'd have to do this on every site you've associated with the old OpenID. You wouldn't have to remember your passwords though, just jot them down in an encrypted text file and store them away. After all, you'll only need them in a case when OpenID login is impossible.

kylehase

Will enabling OpenID support mean that anyone with an OpenID can login or will there still be access controls? For instance, I'd like to offer users the convenience of OpenID login while still requiring administrative approval or requiring an invitation using the invite module.

kylehase

I found the answer. OpenID replaces the username/password login but does not automatically give anyone with an OpenID user level access to the site. Registration is still necessary either directly on the site itself or through the site requesting required registration information from the OpenID provider.

slimandslam

OpenID in Drupal 6 is still not handling URLs properly for new user registration. I hope this is fixed before Drupal 6 is released.

http://drupal.org/node/216101

J

slimandslam

Oh well......
OpenID 2.0 support is still broken.
I'm sure OpenID 1.x stuff works fine but haven't tested that.

http://drupal.org/node/216101

Even though I filed this bug 2 weeks ago, I think the complete fix may require more revision of the login/register flow than was practical for this release. Still, it'd be nice to see Drupal on the leading edge here instead of floundering with a broken implementation.

-J

MindTooth

This is really nice! I hope OpenID can get more buzz in the future..

alengua

I have just installed Drupal 6.2 and also enabled the OpenID module, however I can't manage to log in using my Yahoo identity.

Any ideas of what else I may need to enable?

My URL?
http://blog.ventanaurbana.com

alek123

With Yahoo OpenID I couldn't log in (invalid character in the login name), but I could with VeriSign Labs' Personal Identity Portal - https://pip.verisignlabs.com/.

I see only one problem (and I think it is important): on my site I have the user setting "Visitors can create accounts but administrator approval is required." However, I registered myself using the OpenID module, and when I went back to my site I was logged in, and with the Authenticated User role, with all its permissions. In the user list I'm listed as "blocked", but it is a lie, I'm not blocked.

I couldn't find the issue page for OpenID, where is it?

Thank you!

Alek
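An added model, not Drupal's code, of the local-account flow Boris Mann outlined earlier (a first OpenID login creates a local account; an OpenID can later be bound to an existing account; either login path works) together with the check that alek123's report shows is needed: an account created through OpenID still follows the site's approval policy, so a pending user gets no session. The policy labels, class and method names are assumptions.

```python
"""Local-account handling at an OpenID relying party (added model, not Drupal code).

Covers the flow Boris Mann describes (first OpenID login creates a local
account; an OpenID can later be bound to an existing account; either login
path works) plus the check alek123's report shows is needed: an account
created through OpenID still follows the site's approval policy, so an
unapproved user gets no session. Policy names and classes are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OPEN_REGISTRATION = "visitors"            # constructed policy labels
APPROVAL_REQUIRED = "visitors_admin_approval"


@dataclass
class Account:
    uid: int
    name: str
    status: int                            # 1 = active, 0 = blocked/pending
    openids: List[str] = field(default_factory=list)


class RelyingParty:
    def __init__(self, registration_policy: str) -> None:
        self.policy = registration_policy
        self.accounts: Dict[int, Account] = {}
        self.by_openid: Dict[str, int] = {}
        self.by_name: Dict[str, int] = {}

    def register_local(self, name: str) -> Account:
        """The old-fashioned signup; status depends on the site policy."""
        status = 0 if self.policy == APPROVAL_REQUIRED else 1
        acct = Account(len(self.accounts) + 1, name, status)
        self.accounts[acct.uid] = acct
        self.by_name[name] = acct.uid
        return acct

    def bind_openid(self, uid: int, claimed_id: str) -> None:
        """'Get an OpenID later': attach an already verified OpenID."""
        if claimed_id in self.by_openid:
            raise ValueError("OpenID already bound to another account")
        self.accounts[uid].openids.append(claimed_id)
        self.by_openid[claimed_id] = uid

    def login_with_openid(self, claimed_id: str,
                          sreg_nickname: Optional[str] = None) -> Optional[Account]:
        """Call only after the provider's assertion has been verified.

        Returns the account to start a session for, or None when the
        account exists but is blocked or still awaiting approval.
        """
        uid = self.by_openid.get(claimed_id)
        if uid is None:
            # First visit: the OpenID is the key to a new local account.
            nickname = sreg_nickname or claimed_id
            if nickname in self.by_name:
                nickname = f"{nickname}-{len(self.accounts) + 1}"
            acct = self.register_local(nickname)   # same status rule applies
            self.bind_openid(acct.uid, claimed_id)
            uid = acct.uid
        acct = self.accounts[uid]
        # The missing check in the behaviour alek123 describes: a pending
        # account must not get an authenticated session via OpenID either.
        return acct if acct.status == 1 else None

    def approve(self, uid: int) -> None:
        """Administrator approval unblocks the account."""
        self.accounts[uid].status = 1
```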

php.guru

Wouldn't it be nice to see it in action on drupal.org itself? (I just set up my drupal.org account and was wondering whether I may log on using OpenID ;-))

dtester

We are working on a site which already has phpBB and WordPress applications.

Now we are using Drupal to integrate these two applications; we are using Drupal 5.10 with the OpenID module.
Our main purpose is to have single sign-on.

My query is
a) is there any advantage of Drupal 6 over Drupal 5.10 in terms of the OpenID module?
b) is it possible to achieve single sign-on using OpenID and Drupal, I mean once a user logs in to Drupal it should automatically log them in to the phpBB and WordPress applications?
Is this possible, any approach or thoughts on this requirement?
Please respond

clemoine

Great news!