[development] OpenID

Thu Feb 9 22:21:54 UTC 2006

Greetings,

A few months ago, a co-worker of mine created a Drupal module to
support OpenID logins.  The module was based on Dan Libby's PHP OpenID
library.  For anyone wanting to catch up, it was discussed here:

  http://drupal.org/node/33254

Some other OpenID discussion is here:

  http://drupal.org/node/23256

I've taken over the development of the module and I've updated the
module to use the JanRain PHP OpenID implementation, which is a
feature-complete port of our Python library.  Our PHP library can be
found here:

  http://www.openidenabled.com/openid/libraries/php

Here is a link to the current module source, which is under fairly
heavy development:

  http://www.openidenabled.com/resources/downloads/php-openid/openid.module

Since authentication in general is probably a topic of considerable
interest to you all, I want to be sure the OpenID module measures up.
I've tried to be sure I understand Drupal's authentication internals
and the role OpenID can play, but please correct me where appropriate.
Here are some notes about the module:

 - The plugin declares a block hook and provides a one-field OpenID
   login form that appears in the left navbar.  The module is not
   really an authentication module because it doesn't declare an
   appropriate authentication hook (username at server syntax won't work
   for OpenID).  Various other callbacks in the module handle the
   OpenID authentication steps and set $user when appropriate.

 - If you log in with an OpenID and don't have a local Drupal account,
   an account is created for you with the appropriate authmap record.
   However, you'll be prompted for an email address upon successful
   OpenID authentication *before* the Drupal account is created.  (My
   goal here is to make sure any kind of profile info needed is
   collected before the OpenID-auth'd user is allowed into Drupal.)

 - My major concern is how to blend OpenID with existing accounts so
   users can choose to use OpenID for their accounts.  On my drupal
   installation, I can log in with a username and password or OpenID
   to access the same account, provided the appropriate authmap record
   is present (which I created manually).  The use case we can think
   of here is, "I'm already known as johnboy on this Drupal
   installation, but I want to access the johnboy account with an
   OpenID now.  How can I tell Drupal about that?"  I'm thinking that
   the OpenID module can implement a form to let users configure this,
   but it will probably involve setting the users.pass field to NULL.

What do you think?  Do you have any recommendations for how we should
go about doing this?  What would be consistent for your futuristic
vision of Drupal authentication?  Any feedback would be much
appreciated.

Thanks!

--
  Jonathan Daugherty
  JanRain, Inc.