[development] OpenID for core

James Walker walkah at walkah.net
Fri May 25 16:17:58 UTC 2007

Hello world,

So, we've all heard mention that OpenID support is "in the plan" for
Drupal 6 (
http://lists.drupal.org/pipermail/development/2007-May/023616.html ).
Here's an update on where things are:


The "dist auth" system (a la drupal.module) that's been in Drupal
*forever* has some long standing security issues. Essentially they boil
down to the fact that you give the password for your "identity provider"
site (e.g. @drupal.org) to the site where you're logging in. This makes
it very easy for "bad guys" to capture this information and use it to
compromise your @drupal.org (or other) account - with full control.
Because of this, OpenID is not a "drop-in" replacement - it works
fundamentally differently. But, quickly, here are some reasons "why OpenID":

* It's a publicly available, open standard - meaning OpenID for drupal
works with all other openid-supporting systems.
* There is ever-growing momentum behind OpenID - Microsoft, AOL, Sun
have all at least pledged support for OpenID - as well has several
"web2.0" companies and services.
* It addresses the security concerns with drupal's native dist-auth.

Some basic info:
* The issue for tracking is : http://drupal.org/node/131026
* All of the code up for consideration is in the HEAD branch of the
openid module in contrib:
* The module uses all drupal-native code (no external library
dependencies) and implements the 1.x and 2.x authentication protocols as
a "relying party" (see http://openid.net/specs.bml)

* The module form_alters the user_login form (and block) to add a "log
in with OpenID" link and login box where you can enter your OpenID url.
where you can then do a standard login.
* For new accounts - full user_register validation is performed - which
means only valid user accounts are created (unlike current distauth that
creates users without email addresses). This also means if you have
things like required profile fields for registration, people can not
bypass this via openid login. (/me waves to Angie). To simplify this for
users, I've included support for "nickname" and "email" from the "Simple
Registration Extension" - which is supported several major openid providers.
* For existing accounts, when the module is enabled, you will have a
page under "my account" where you can add & remove OpenID's associated
with that user account (and new openids are validated before adding). So
you can use multiple OpenID for existing accounts.

"APIs" (since nothing gets drupal developers going like a new API):

There are two major functions that can be used if you want to do OpenID
authentication for other purposes (say - use OpenID to validate an
"anon" commenter without creating a local user account) :

* openid_begin($claimed_id) : this initiates the openid authentication
(discovery, association and authentication redirect) for the given
"claimed ID".
* openid_complete($response) : this verifies and finalizes the data
returned from the OpenID Provider.

>From my point of view the code is feature complete for a core offering.
Dries has asked me to post here to bring attention to the issue and get
some additional reviews.

(Oh, and I need to add openid.schema as of this morning ;)

Thanks to all that have tested and offered patches/feedback/etc. Can't
wait to see this one land :P
James Walker :: http://walkah.net/ :: xmpp:walkah at walkah.net

More information about the development mailing list