Details

    • Type: New Feature
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 3.1
    • Labels:
      None

      Description

      Now that OpenID2.0 is launched, we should look seriously into enabling that as a way to manage your JSPWiki identity.

      http://openid.net/2007/12/05/openid-2_0-final-ly/

      I don't want to put any specific version on this item - it'll come when someone is motivated enough to make it work. But it's a good idea to keep here so that we don't forget about it.

        Activity

        Janne Jalkanen created issue -
        Ville Säävuori added a comment -

        Janne,

        Maybe a bounty of $5000 will help with the motivation?-) (See: http://openid.net/foundation/bounty/ )

        I wanted to register here just to comment that even thinking about implementing this is great! Anyway, all the best for the new year.

        • VS
        Janne Jalkanen added a comment -

        Thanks for the tip. I don't think we can hit the download amounts though.

        Harry Metske added a comment -

        I recently started a small study on OpenID actually, it's interesting and promising stuff. I started collecting some information sources on my wiki (http://www.computerhok.nl/JSPWiki/Wiki.jsp?page=OpenID), this includes the OpenID from Rafeeq Ur Rehman, and also a recipe for OpenID enabling your website by Joseph Smarr at Plaxo.

        I'll keep studying, but implementing this seems no sinecure to me, it requires quite some integration with the existing authentication stuff in JSPWiki, I'm sure lots of others are more capable of taking this requirement

        Janne Jalkanen added a comment -

        I heard that there's a Mediawiki implementation, which could be used as a model. They are just using the OpenID as the credentials, but they still require registration (so that you can get the email & full name and other stuff like that).

        Janne Jalkanen added a comment -

        Roadmapping to 3.1, but might appear earlier depending on motivation

        Janne Jalkanen made changes -
        Field: Fix Version/s; Original Value: (empty); New Value: 3.1 [ 12313282 ]
        Tilman Bender added a comment -

        Just to make sure: We are talking about OpenID Authentication 2.0, right?

        If so, Harry, I think your research on who decides what OpenID Provider (OP) to use is not fully correct.
        As far as I can see the decision which provider to use is made by the relying party (RP), that would be JSPWiki in our case.

        Concerning the question of whether you can define multiple OPs and an order:
        AFAIR you can. But only when using XRDS-based discovery (not HTML-based discovery), because in an XRDS document you can define multiple services and their priority.

        "Can the consumer control which OP's to allow and which ones not."
        I think this is what they call whitelisting. It is not really recommended because it would be a bit of a stopper for OpenID's decentralization.

        I must admit though, that the last question is also one of the parts about OpenID, which I don't fully understand by now.

        You can find my bookmarks on it here: http://delicious.com/FuzzyFrog/openid

        Andrew Jaquith added a comment -

        OpenID support is important – this is something I would like to take the lead on for 3.1.

        One thing we will not do is allow users to specify arbitrary identity providers (OpenID OPs) – at least by default. That is dangerous because of the lack of assurance over authentication. Instead, I think it would be good to simply allow the administrator to configure what OPs they regard as trustworthy.

        For admins who do want to allow arbitrary OPs, we should allow this as an override option.

        Tilman Bender added a comment -

        Andrew,

        I am not sure if I got you right. What do you mean by the "lack of assurance over authentication"? Somebody setting up a rogue OP to create fake profiles for other people?
        Could you please elaborate on the specific scenario you have in mind.

        Couldn't the scenario look like this:

        1. the wiki is non public
        2. If a user with a new OpenID wants to register, they can do so (probably using sreg, if supported by their OP).
        3. If the OP is on the whitelist, all is fine. If not so, registration needs to be confirmed by the wiki admin.

        I know this isn't really the "everybody can edit" philosophy of a wiki, but as we are talking about the need of authentication here, this should not be an issue anyway.

        Andrew Jaquith added a comment -

        What I meant is that when you accept "any" OpenID assertion, you don't really know who is authenticated unless you know something about the OP. The example you gave (rogue OP) is one example of how OpenID could fail – there are others, though.

        My current thinking is that we should have a configurable option, probably as JAAS configuration options, that defines what OPs we accept OpenID assertions from. We would use SREG to obtain the information needed to create an account in JSPWiki.

        By default, the list of acceptable OPs would be a short list: Gmail, Yahoo!, VeriSign and probably about a half-dozen others. But if the admin wanted, they could configure the system to accept any OP. This would be the "other" OP option you describe in step 3.

        As far as registration confirmation goes – that is a separate issue. You can turn on workflows for confirming registrations today, for all registrations. I think this will work the same way in 3.0 – approvals are either on (for every OP) or off.
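
The OP allowlist with an "accept any OP" override discussed in the comments above, sketched as an added example that is not part of the thread and is not JSPWiki code. The class name `OpEndpointPolicy`, its methods and the `example` hosts are hypothetical; it assumes the relying party has already run discovery and verified the assertion signature, and it leaves out any JAAS wiring.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
/** Hypothetical RP-side policy: which OpenID Providers may vouch for a login. */
public class OpEndpointPolicy {
    private final Set<String> trustedOrigins; // "https://host[:port]", lower case
    private final boolean acceptAnyOp;        // the admin override from the thread
    public OpEndpointPolicy(Set<String> trustedOrigins, boolean acceptAnyOp) {
        this.trustedOrigins = Set.copyOf(trustedOrigins);
        this.acceptAnyOp = acceptAnyOp;
    }

    /** Reduce a URL to scheme://host[:port]; null if it is not a clean https URL. */
    static String originOf(String url) {
        try {
            URI u = new URI(url).normalize();
            if (!"https".equalsIgnoreCase(u.getScheme())) return null;
            // Reject userinfo so "trusted-host@other-host" cannot pose as the trusted host.
            if (u.getHost() == null || u.getUserInfo() != null) return null;
            String host = u.getHost().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            return "https://" + host + (port == -1 || port == 443 ? "" : ":" + port);
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** opEndpoint is the endpoint the RP itself discovered for the claimed identifier. */
    public boolean accepts(String opEndpoint) {
        String origin = originOf(opEndpoint);
        if (origin == null) return false;      // malformed or non-TLS: never accept
        // Exact origin match, never substring or prefix matching on the URL.
        return acceptAnyOp || trustedOrigins.contains(origin);
    }

    public static void main(String[] args) {
        // Constructed sample data; the hosts are placeholders, not a recommended list.
        OpEndpointPolicy strict = new OpEndpointPolicy(Set.of("https://op.example.org"), false);
        OpEndpointPolicy permissive = new OpEndpointPolicy(Set.of(), true);
        String[] samples = {
            "https://op.example.org/server",
            "https://OP.example.org:443/auth",
            "https://op.example.org.rogue.example/auth", // look-alike host
            "https://op.example.org@rogue.example/auth", // userinfo in front of another host
            "http://op.example.org/server"               // no TLS
        };
        for (String s : samples)
            System.out.println(strict.accepts(s) + " " + permissive.accepts(s) + " " + s);
    }
}
```

With the strict policy only the first two samples are accepted; with the override enabled the look-alike host is accepted too, which is the loss of assurance the default list is meant to prevent.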

        Christian Helmbold added a comment -

        OpenID and other auth systems could be supported by CAS. See https://issues.apache.org/jira/browse/JSPWIKI-604


          People

          • Assignee: Unassigned
          • Reporter: Janne Jalkanen
          • Votes: 0
          • Watchers: 3
