From the Drupal list: OpenID login architecture questions

Here's something interesting from the Drupal development list.

While I would rather see an i-name or YADIS login since OpenID has no
capability for profile data sharing, nonetheless OpenID has a large number of
users (via LiveJournal) and they are attacking a problem that many sites will
experience: how to distribute currently centralized passworded authentication.
 In particular, Drupal enjoys a very large user base and creating a better
login for Drupal would help us all.

I've heard there's an i-name Drupal login project underway - hopefully I am
not mistaken.  Is there also a YADIS login project?  Is there anyone on either
team who might be able to offer some insights here?

Over the longer term, my hope is that OpenID migrates towards YADIS (which is
more i-name friendly) but for now, helping one helps us all.

=Fen


-------- Original Message --------
Date: Thu,  9 Feb 2006 14:21:54 -0800
From: Jonathan Daugherty <cygnus@xxxxxxxxxxx>
To: development@xxxxxxxxxx
Subject: [development] OpenID


Greetings,

A few months ago, a co-worker of mine created a Drupal module to
support OpenID logins.  The module was based on Dan Libby's PHP OpenID
library.  For anyone wanting to catch up, it was discussed here:

  http://drupal.org/node/33254

Some other OpenID discussion is here:

  http://drupal.org/node/23256

I've taken over the development of the module and I've updated the
module to use the JanRain PHP OpenID implementation, which is a
feature-complete port of our Python library.  Our PHP library can be
found here:

  http://www.openidenabled.com/openid/libraries/php

Here is a link to the current module source, which is under fairly
heavy development:

  http://www.openidenabled.com/resources/downloads/php-openid/openid.module

Since authentication in general is probably a topic of considerable
interest to you all, I want to be sure the OpenID module measures up.
I've tried to be sure I understand Drupal's authentication internals
and the role OpenID can play, but please correct me where appropriate.
Here are some notes about the module:

 - The plugin declares a block hook and provides a one-field OpenID
   login form that appears in the left navbar.  The module is not
   really an authentication module because it doesn't declare an
   appropriate authentication hook (username@server syntax won't work
   for OpenID).  Various other callbacks in the module handle the
   OpenID authentication steps and set $user when appropriate.

 - If you log in with an OpenID and don't have a local Drupal account,
   an account is created for you with the appropriate authmap record.
   However, you'll be prompted for an email address upon successful
   OpenID authentication *before* the Drupal account is created.  (My
   goal here is to make sure any kind of profile info needed is
   collected before the OpenID-auth'd user is allowed into Drupal.)

 - My major concern is how to blend OpenID with existing accounts so
   users can choose to use OpenID for their accounts.  On my drupal
   installation, I can log in with a username and password or OpenID
   to access the same account, provided the appropriate authmap record
   is present (which I created manually).  The use case we can think
   of here is, "I'm already known as johnboy on this Drupal
   installation, but I want to access the johnboy account with an
   OpenID now.  How can I tell Drupal about that?"  I'm thinking that
   the OpenID module can implement a form to let users configure this,
   but it will probably involve setting the users.pass field to NULL.

What do you think?  Do you have any recommendations for how we should
go about doing this?  What would be consistent for your futuristic
vision of Drupal authentication?  Any feedback would be much
appreciated.

Thanks!

--
  Jonathan Daugherty
  JanRain, Inc.


-- 
http://public.xdi.org/=Fen.Labalme