OpenID

Download & uncompress

• 9.12 or higher: Check out from the SVN tree.  (You may already find this in /var/www/mindtouch/contrib on a VM)
  You then need to install the following:
  • Copy dist/mindtouch.contrib.openid.dll to /var/www/dekiwiki/bin/services/
    • the /dist files may be found at this svn path
  • Copy dist/DotNetOpenId.dll to /var/www/dekiwiki/bin/
  • Copy plugins/ to /var/www/dekiwiki/deki/
• 9.08: Download the latest zip file from the bottom of this page and uncompress to your Deki installation directory (for VM installations, it's /var/www/dekiwiki).

Anytime you drop new binaries into bin/ you always have to restart MindTouch.

/etc/init.d/dekiwiki restart

Install the service

Go to your Control Panel, System Settings, Extensions. Click "Add Extension".  Enter a name of your choice, and the SID as below:

• Type: Native
• Name: OpenID Authentication
• SID:
  • 9.12 or higher: sid://contrib.mindtouch.com/deki/2009/11/openid
  • 9.08: sid://mindtouch.com/deki/2009/11/openid

Click "Add Extension", and the service will be added.

Now, locate the "OpenID Authentication" service in the list of extensions.  It should be in state "Running".  Right-click "Running" and copy the link address for the service.

Enabled Trusted Authentication

To be able to create users who have a valid OpenID, you need to enable Trusted Authentication. This is controlled by in the Control Panel, under System Settings, Advanced Config.

In the boxes at the top of the page, enter the configuration key: security/allow-trusted-auth and the configuration value: true, and click "Add key".

You do not need to set security/trusted-auth-provider-id, but if you do, it should be set to 1 (the ID of the local account service).

Configure the front-end

The address of the service needs to be added to LocalSettings.php.  You also need to add an entry to allow the special page to run.  Copy and paste these four lines below, but add your own service location (as mentioned above):

$wgDekiOpenIdService = "http://localhost/@api/deki/services/default/46"; 
$wgDekiSpecialPages[] = 'special_userlogin_openid';
$wgDekiSpecialPages[] = 'special_openidlogin';
$wgDekiSpecialPages[] = 'special_openidcreateuser';

Your service is now configured.  Be sure you have the URL right, especially if you are running a multi-tenant wiki!

Mono trusted roots

If you are not running the VM, but are using Mono (Ubuntu/Red Hat etc) you may need to import the root certificates before you can validate HTTPS endpoints.  Install mono-devel and run this:

# su dekiwiki
$ mozroots --import --sync
$ exit

Examples

To restrict so only OpenID identifers issued by Google are accepted:

^https://www.google.com/account/o8/.*

To restrict so only OpenID identifiers issued by example.org are accepted (e.g. a Google Apps For Your Domain ID):

^http://example.org/.*

You can use any regular expression in this pattern.

If you want to ensure all users log in with a certain provider, then you can edit the Special:OpenIDLogin page and adjust the form so that it will always automatically submit the OP of your choice.

To do: enhance the Special:OpenIDLogin page so it will always submit a hard-coded OP which is specified in the service.

Front end

• Some RPs will require that the initial redirect be via a HTTP POST and others will POST back their response, even if they were triggered themselves with a GET.  This works in neither case, and means we should probably have the return ID always be the C# service directly, or clone the request that the PHP page receives and send it on to the C# service.
• Integrate into the standard Login page with hooks
• Integrate complete into the standard Login process
• Handle redirect URLs (which may probably work automatically when injected into login page)
• There is an empty error message displayed on the Main Page after redirect
• GET:site/settings to ensure Trusted Authentication is enabled
• Set the user's name and e-mail address if it is not set on the account, and it was returned by AX from the OpenID provider.
• Support displaying (and allowing change) of an OpenID, on the UserPreferences change
• Support selecting an existing account to associate with, at the select a username part
• Make a suggestion on the username, based on nickname or e-mail address
• Support autoselecting the username from the e-mail address for forced ID case
• Make the indicator on the username create page an image

Back end

• Google's SSL certificate and Mono don't mix; no Google auth at all.  Seems they have fixed their certificate.
• Support injecting the service into the mindtouch.deki.startup.xml file for a consistent (hard-code-able) service path?
• Enable some sort of session store (it's all done stateless at present)
• Relies on DotNetOpenId 2.x as 3.x uses features not implemented in Mono.
  • Ensure the features from the 3.x branch are backported to the 2.x branch.
• Add features for controlling the OpenID login experience:
  • Hard-coded OpenID for sites who want to only allow users from their own provider (e.g. Google Apps for your domain)
  • RegEx of acceptable or blocked OpenIDs

Release history

• v0.1 (initial release), 6 Dec 2009
• v0.2.0 - v0.2.4, 20 Dec 2009
  • Front end PHP code formatting and warning fixes (thanks Guerric)
  • Service C# fixes (thanks Max): better logging, non-blocking Plug requests, removed some fallthrough cases
  • Now supports communication between RP and OP by POST in both directions (thanks Andrew Arnott)
  • Parses SREG for e-mail address (was only parsing AX previously)
• v0.3.0, 30 Jan 2010
  • Now allows specification of usernames, instead of using the OpenID as the name.
  • IDs are stored on site properties.
• v0.3.5, 1 Feb 2010
  • The 'carles.coll' release.  Added valid-id-pattern configuration option.
• v0.4.0, 10 May 2010
  • Update documentation for 9.12 (thanks to SteveB for checking the code into the new MT contrib repo - may there be a lot more!)