New Module: OpenID
tkott
Joined: 2010-06-07
Posts: 225 |
Posted: Sun, 2012-05-27 03:08 |
I needed an easy way for friends and family to log into my gallery, without me having to provision users for everyone. This is the first draft of a plugin for Gallery 3 which provides just such a capability. Note that this should absolutely, without a question not be used yet for production sites. This is very beta software. However, I wanted to start the ball rolling. I’ve only tested with Google as the OpenID provider. Currently, the plugin: * Provides a form for normal gallery log in and for OpenID login & registration Some deficiencies, and things that this module doesn’t do: * It doesn’t tie in perfectly into themes (such as the ajax login). Currently you must manually type in the login page (see below). Some hopes and dreams for future versions: * Allow an admin to choose which OpenID buttons are large (currently they must be made by hand, through a helper script). Documentation and download: http://kott.fm/tomek/plugins-extensions/openid/. PLEASE PLEASE read through the documentation: some files need to be changed. Support: either post here, or at http://kott.fm/tomek/forums/forum/openid/ I welcome patches, improvements, comments etc. If you give me a couple patches and I agree with them, I'll give you access to the fossil repository where I keep my source code: http://kott.fm/cgi-bin/fossil/openid/. Tomek |
|
Posts: 27300
This is great!
"$openid = new LightOpenID('kott.fm/gallery');"
can that be done with some code?
$openid = new LightOpenID('item::root()->abs_url()');
or something similar? Im sure that there is a xxx_url function that can be used here or some regex if the http:// is not needed.
@ OpenID buttons
do you need those to be made and donated? I'm misunderstanding.*EDIT* I see those are sprites. I also see the the URL to those sprites is coded someplace as /gallery/modules/openid/images/openid-providers-en.png
the path to my install would be /gallery3/modules/openid/images/openid-providers-en.png Did not look close where that was.
I think a link on the login dialog to the openid page would be better than the form box to enter the URL of your provider. Or was that going to be expanded enhanced?
Thanks!
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 225
Dave,
Thanks for the feedback!
Yes, that's the simplicity I was looking for. I just didn't get around to fixing this -- I wanted a first pass plugin to get feedback on . I've opened a ticket for myself with your suggested change: http://kott.fm/cgi-bin/fossil/openid/tktview?name=9f7cc99b0c.
That's a problematic one, and one which I forgot to document (oops!). It's in the openid/js/openid-jquery.js I believe. Yes, search for
img_path
and change that. I'm not a great JS person, but clearly that needs to be consistent. Maybe abs_url() can be used in this case as well, with changing it in the "openid_login.html.php" file...I'll look into that. I guess I could just use item::root()->url() and then tack on /modules/openid/images, to get the same relative url? Ticket tracked here: http://kott.fm/cgi-bin/fossil/openid/tktview?name=de4f5b9c1eAre you talking about that ajaxified dialog page? If so, then yes, that was one of the things I need to find a way to fix or just automatically go to the html page. Ticket for that here: http://kott.fm/cgi-bin/fossil/openid/tktview?name=31916ee2f4.
Thanks for looking it over and suggesting the abs_url.
Tomek
----
Publish on Gallery 3 (WLPG Plugin) | XMP Module | OpenID Plugin
Posts: 225
BTW, do you have any suggestions on getting the csrf code (so that access::verify_csrf() works) into my custom form without using Forge to create the form? Or perhaps I can create the form using Forge, but then just grab the csrf #, put it into the proper hidden input, and call it a day?
Tomek
----
Publish on Gallery 3 (WLPG) | Modules: XMP, OpenID
Posts: 27300
I think that getting the csrf# from a forge and then using it as a hidden form field is the way to go if this does not work:
$csrf = access::csrf_token();
or using it in a view; your controller could have:
$view->content->csrf = access::csrf_token();
then your view would just need:
<?= $csrf; ?>
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 225
Thanks Dave, that indeed works perfectly. I've managed to fix most of those tickets, and am working on some of the other features, such as avoiding running my own gallery login, and am wondering about another issue I'm having.
When I started the module, I thought I needed to create a driver for the IdentityProvider class. This also required a file identity.php in the config folder. I no longer have the driver for the IdentityProvider class, but when I try to get rid of the identity.php file, my gallery (well, I guess the server) throws 500 errors right and left... I can't even get to a kohana error screen. From what I understand, I shouldn't need this file -- I'm not providing a different IdentityProvider, I'm essentially extending the 'users' module.
Any idea?
Thanks,
Tomek
----
Publish on Gallery 3 (WLPG) | Modules: XMP, OpenID
Posts: 27300
Now you are over my head. I will get Bharat or others to comment.
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 814
tkott, do you have caching enabled? You may want to try and empty the 'caches' table and delete anything in var/tmp/
This will clear out any module caches -- I've encountered this when modifying modules and removing a pivotal item that is no longer needed... The core caches these if set.
James
Posts: 225
James,
Thanks, one of those two did it! Woohoo, another ticket fixed!
Tomek
----
Publish on Gallery 3 (WLPG) | Modules: XMP, OpenID
Posts: 27300
I have finally got around to creating a codex page:
http://codex.gallery2.org/Gallery3:Modules:openid
please feel free to update as you see fit.
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 11
Hi,
I installed this but I have a small problem which I believe to be a bug and a small suggestion.
I have gallery installed under a top level domain name as a virtual server. So my address is like gallery.x.y, i.e., I don't have it under a gallery folder or alias. I changed the base url as in the docs to gallery.x.y, but I still can not get provider icons image file as it seems to try for http://gallery.x.y/gallery/modules/openid/images/openid-providers-en.png. I don't know where /gallery/ comes from? I don't have it in any configuration...
My suggestion is about connecting the usual gallery accounts and openid accounts as in wordpress. It should be possible to add unlimited number of openids under an account and unify the experience.
Best.
Posts: 225
You might want to try the most recent version. The 0.1 version was really a testing bed. I haven't yet released an 0.2 or anything, but the latest might as well be that release. Go to: http://kott.fm/cgi-bin/fossil/openid/info/95f5b4e4f2 (you will have to log in anonymously). I believe in that version, you will no longer see the 'gallery' url problem like you describe.
It's an interesting idea, and it would be possible to build that in, but it is not a priority for me. I'm open to patches though against the newest version available (see link above).
Please let me know of any other bugs.
@dave - thanks for starting that page, I think you hit everything right.
Tomek
----
Publish on Gallery 3 (WLPG) | Modules: XMP, OpenID
Posts: 11
Now it tries to find:
http://gallery.x.y/index.php//modules/openid/images/openid-providers-en.png
and it can't find. Manually trying at the browser address bar, this address seems to work:
http://gallery.x.y/modules/openid/images/openid-providers-en.png
Posts: 225
Hmm. This is where that URL gets set (mostly for my own reference ): http://kott.fm/cgi-bin/fossil/openid/fdiff?v1=6f0f2ca2c3101757&v2=ad51067b4fdd13a9. On my installation, I don't get the 'index.php' part (unclear why), and so things work fine, which explains why I never ran into a problem .
Ok, I think the following change will fix it. Find line 6 in openid/views/openid_login.html.php (the added line in the link above) and change
item::root()->url() . '/modules/openid/images/'
tourl::base() . 'modules/openid/images/'
. That should work (I hope).I'll push it to the code repository eventually, but that should fix it for you for now.
Tomek
----
Publish on Gallery 3 (WLPG) | Modules: XMP, OpenID
Posts: 11
Yes, it worked. Thanks.
Other than that I have one more problem. It takes ages for google openid logins to perform. On the same server with wordpress openid login much faster. With this plugin, firefox stays at "connecting..." for at least 3-4 minutes. Interestingly using yahoo login it is equally fast with wordpress sw. Where do you keep debug logs?
Posts: 11
I've done some tests regarding the openid unification. It seems that changing the user_id in the table openid_ids to the desired user works flawlessly. On the other hand it means that all that needs to be done for openid-(normal user accounts) unification is to design an interface to amend records into the table openid_ids with the desired user_id (and nothing into the table users)...
Am I correct tkott?
PS: Another problem with the google openid login is that it doesn't return correct names (again, yahoo does this correctly). All the values in sql table was the email address. I think there is something wrong with the google openid code...
Posts: 225
I haven't had that problem when using google (in fact the only one I've tested). It always returns quickly for me. Sorry!
Mostly. You would also need to refactor the logic that checks the table. Currently I believe it just looks for one row in the table, but you would either need a list of id's in one row, or many rows with one userid and many openids.
Yes, that is a google shortcoming. I googled around for a bit trying to find a solution, but it appears that google does not easily hand out that information. If you find a solution or workaround, let me know!
Let me know if you want to fork the code, and be able to push back to the repository any changes. I'm very open to collaboration, since the module does pretty much everything that I *need*, so I haven't focused on it recently.
Tomek
----
Publish on Gallery 3 (WLPG) | Modules: XMP, OpenID
Posts: 11
Hello again.
I recently found some more time testing your plugin. Or more precisely, its integratin with the gallery. My recent problem is about reauthentication when a user's session expires. It still takes you to a page (/reauthenticate) where only classical authentication is offered. Is it possible to redirect this to /openid somehow?
Posts: 225
@memgir
Thanks for the further testing. I had completely forgotten about the reauthentication piece of the puzzle. Do you happen to know if this is only relevant for admins or for users as well? I can't promise anything faster than a week or two right now, sorry.
Did you happen to work on combining openid's for normal users?
Tomek
----
Publish on Gallery 3 (WLPG) | Modules: XMP, OpenID
Posts: 11
No problem and I am in no hurry or anything. Just whenever you find some spare time to have a look at it...
I think reauth is for all users but I am not 100% sure.
Unfortunately I couldn't work on the combining thing. If I ever get to work on it, I'll definitely let you know.
Posts: 225
@memgir,
I think I've figured out how to get the reauthentication working. It turns out the reauth is only for admins. Everyone else simply has to log in again. It's a bit late here now, but sometime this week I'll try to finish up some of the changes. If you feel like living on the edge, go to http://kott.fm/cgi-bin/fossil/openid/timeline, click on the most recent check-in, and download the zip file after logging in anonymously (top right hand side of the page).
You'll need to run the upgrader (I needed to change a table), and probably delete & recreate any users that were created by the openid plugin. The key is that the openid_ids table should have actual urls for the "provider" column. If that is not the case, then you will need to either delete/recreate as mentioned, OR take the urls from the modules/openid/js/openid-en.js files for the appropriate entry and update manually. For example, if you had a user_id = 47 that corresponded to id = 7 in the openid_ids table and that user was created by using the google openid provider, you would need to update the provider column for that openid_ids table entry to "https://www.google.com/accounts/o8/id" as listed in the javascript file.
Let me know if you have any questions / bug reports. I tested this by setting the advanced setting "admin_timeout" (or something similar) to 30 seconds. If the URL is set properly, you should not even see the 'reauthenticate' form. It should automatically forward to the provider for validation, and if you are still logged in there, you should seamlessly be forwarded to the admin page requested.
Tomek
----
Publish on Gallery 3 (WLPG) | Modules: XMP, OpenID