Build Service/OpenID GSOC Implementation

From openSUSE


OpenID Implementation, GSOC 2009

Prototype

Features

The prototype should have the following features

  • Existing users can add their openid
    • Store one to many mappings from the user to openids
    • Verifying the openid - using the ruby openid gem
  • Existing users will be able to login via their openid
    • Study the existing login code
    • Modify the code to support open-id login

Implementation

  • OpenID login will be implemented on the Frontend.
    • The Frontend owns the authentication, so somehow the user has to log in to the frontend anyway.
    • API users can't rely on the Webclient for authentication
    • Transferring credentials is dangerous, so the less we have to do it the better.
  • OpenID Login Workflow
    • User will see a Login form on the Webclient to fill in the OpenID url.
    • Webclient will submit a POST request to the Frontend for authentication.
    • Frontend will redirect to the Provider.
    • On successful response from the Provider, Frontend will redirect to the Webclient with an API key.
    • The API key, along with the OpenID url, will be used by the Webclient to communicate with the Frontend. (Basically OpenID url == Login and API key == encoded password)
    • If Provider gives a negative response, the Frontend will redirect to the Webclient without any API key.


Support for Native Clients

Native clients won't be able to use OpenID directly. But they should be able to use something based on OpenID, so the user doesn't need an extra account. That's why an API key will be provided to users logged in via OpenID. To obtain the API key the user will log in via OpenID in a browser and will see the key in a web page. So the user would have to copy and paste it. Not perfect, but it will work and is better than the current way, where the user has to give the Novell login credentials to the command line client, which stores them on disk.

How does OpenID work in openSUSE?

OpenID Verification Process

To verify the openid the following steps occur:

  • Webclient redirects to the frontend, without passing any authentication headers
  • Frontend communicates to the provider.
  • If provider authenticates the user, frontend does the following things:
    • generates an authentication token for the openid, which has a definite expiry time.
    • stores the verified openid along with the authentication token in the database.
    • redirects back to the webclient passing it the authentication token and result (in this case true).
  • If provider doesn't authenticate the user, frontend redirects back to the webclient passing the result (in this case false)

OpenID Mapping Process

  • The webclient initiates the verification process described above.
  • On successful verification, the webclient sends a transport GET request to the frontend, for storing the openid_identifier in the user table.
  • This request includes the authentication token that was generated and passed on by the frontend.
  • If the authentication token is still active, the frontend will store the openid in the user table.


OpenID Login Process

For the prototype, only the mapped openids can be used for login.

  • The webclient will initiate a verification process with the frontend.
  • On successful verification:
    • Find the user associated with the openid.
    • store the login, openid and authentication token in the session if the user is found. (WebClient)
    • prepare the authentication hash like 'Openid ' + Base64.encode64(identity:authtoken) (WebClient)
    • parse the Authentication header for identity and authtoken (FrontEnd)
    • if authtoken is active, find the user via the openid url (FrontEnd)
    • person/openid/:identity as an alternative route to user info (FrontEnd)
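The token and header handling described in the verification, mapping and login processes above, worked through as an added Ruby example. This is not code from the openSUSE Build Service project: the class OpenidFrontend, its in-memory Hashes standing in for the database, the TOKEN_TTL value and the helper openid_auth_header are all assumptions made for the example. Two details go beyond the text: the identity is split from the authtoken at the last colon, because OpenID urls themselves contain colons, and the webclient side uses Base64.strict_encode64 rather than encode64, because encode64 appends a newline that does not belong inside an HTTP header value.

```ruby
require "securerandom"
require "base64"

# Frontend-side state for the OpenID prototype. The real project keeps the
# token and the user table in the Rails database; here they are plain Hashes
# (constructed for this example) so that it runs offline.
class OpenidFrontend
  TOKEN_TTL = 600 # seconds; assumed value, the page only says "definite expiry time"

  attr_reader :users

  # The clock is injectable so the expiry check can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock  = clock
    @tokens = {} # openid identifier => { token:, expires_at: }
    @users  = {} # login => Array of mapped openid identifiers (one to many)
  end

  # Verification process: called once the provider has authenticated the user.
  # Generates a token with a definite expiry and stores it against the openid.
  def verified(openid)
    token = SecureRandom.hex(32)
    @tokens[openid] = { token: token, expires_at: @clock.call + TOKEN_TTL }
    token
  end

  # "If the authentication token is still active": same token, not yet expired.
  def token_active?(openid, token)
    entry = @tokens[openid]
    return false if entry.nil? || token.nil?
    return false unless constant_time_equal?(entry[:token], token)
    @clock.call < entry[:expires_at]
  end

  # Mapping process: store the verified openid in the user table, but only if
  # the token the webclient hands back is still active.
  def map_openid(login, openid, token)
    return false unless token_active?(openid, token)
    list = (@users[login] ||= [])
    list << openid unless list.include?(openid)
    true
  end

  # Login process, frontend side: parse the header the webclient built
  # ('Openid ' + Base64(identity:authtoken)), check the token, then find the
  # user via the openid url. Returns the login on success, nil otherwise.
  def authenticate(header)
    return nil unless header.is_a?(String) && header.start_with?("Openid ")
    decoded = (Base64.strict_decode64(header.delete_prefix("Openid ")) rescue nil)
    return nil if decoded.nil?
    # Split at the LAST colon: the openid url contains "://", the hex token never contains ":".
    identity, _sep, token = decoded.rpartition(":")
    return nil if identity.empty? || token.empty?
    return nil unless token_active?(identity, token)
    login, _openids = @users.find { |_login, openids| openids.include?(identity) }
    login
  end

  private

  # Compare secrets without bailing out at the first mismatching byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Webclient side: the authentication header described on the page.
# strict_encode64 instead of encode64: encode64 appends a newline, which is
# not valid inside an HTTP header value.
def openid_auth_header(identity, token)
  "Openid " + Base64.strict_encode64("#{identity}:#{token}")
end

if __FILE__ == $0
  fe = OpenidFrontend.new
  openid = "https://alice.example.org/" # constructed sample identity
  tok = fe.verified(openid)              # provider said yes
  fe.map_openid("alice", openid, tok)    # mapping request with the live token
  puts fe.authenticate(openid_auth_header(openid, tok)) # login request => alice
end
```

Because the frontend looks the token up by the identity in the header, a valid token presented together with a different openid url is rejected, and once TOKEN_TTL has passed the same header stops working without any change to the stored mapping.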


Using Login

Note: The openid authentication process stores the login of the user in the session on successful verification.

Setting login in the session is necessary because session[:login] has been used many times in the code. Replacing session[:login] everywhere would be nasty.

Login will only be present for users who create a mapping for openid. Users who log in via openid for the first time will not have a login. Thus a login for such users will be created automatically, to ensure all users have a login.


Trying it out

The current version of openid will allow you to map your login to an OpenID. Once a mapping is created you will be able to log in via the mapped OpenID.

Installation

  • Configure the frontend database
    • Change the development mode settings in openid/src/frontend/config/database.yml
  • migrate the frontend database:
    • cd openid/src/frontend
    • rake db:create
    • rake db:migrate
  • Configure the webclient to use local frontend
    • edit the file openid/src/webclient/config/environments/development_base.rb
    • set FRONTEND_HOST = "localhost"
    • set FRONTEND_PORT = 3000
    • set FRONTEND_PROTOCOL = 'http'
  • Run the frontend on port 3000
    • cd openid/src/frontend
    • ./script/server
  • Run the webclient on port 4000
    • cd openid/src/webclient
    • ./script/server -p 4000

Workflow

  • Open the web browser and go to localhost:4000
  • Log in with the user name (Admin) and password (opensuse)
  • Go to your homepage (by clicking on your user name, top right)
  • Click on Map OpenID
  • Enter your OpenID
  • Once the mapping is created, logout.
  • Now try logging in via the OpenID you mapped.