Details

      Description

      An implementation of AuthenticationHandler for authenticating users against OpenID providers. Includes basic UI for login & logout.

      1. openidauth.zip
        29 kB
        Rory Douglas
      2. openidauth.patch
        14 kB
        Rory Douglas

        Activity

        Rory Douglas added a comment -

        Project was created under the extensions directory. It requires the OpenID4Java libraries - the maven repo for that is in the POM.

        Rory Douglas added a comment -

        Updated to remove "overwrite=true" from initial content instruction

        Felix Meschberger added a comment -

        Thanks for supplying this patch. I would really like to integrate this with Sling.

        Before I can apply it though, there are some missing pieces to be resolved.

        • Some licensing stuff is missing: The Java and JSP scripts need the ASF headers, the NOTICE must list all third party providers (e.g. IBM of icu4j) and there must be license files for the third party non-ASL2 libraries included in the bundle.
        • It looks like the Eclipse Higgins libraries are not available from any repository. Are they really required ?
        • I have no deeper knowledge about the openid4java project, but the dependency list really scares me. Is it required to include spring-jdbc and icu4j and all this XML stuff ? Just building the package weighs in at 8.5MB, which looks like a bit heavy to just do authentication ... I may be the only one here, though
        • Do I understand it correctly, that your module contains an OpenID consumer to be used as a Sling AuthenticationHandler and an OpenID provider (TestOpenIDServer) ?

        Wouldn't it make more sense to split the functionalities ? To have an openid-consumer module and an openid-provider module ? I think both make perfect sense. But I think, the consumer module should be lean and mean while the provider module may be heavy-weight.

        Have you looked into http://code.google.com/p/dyuproject/ which seems to have a very light-weight consumer (relying party).

        Rory Douglas added a comment -

        I absolutely agree about all the openid4java dependencies, a real pain. Unfortunately, icu4j and xalan were required & they add 6+MB. Higgins is only required for InfoCard, which is not being used (I included all the deps in the pom for clarity). Only the required deps (causing ClassNotFoundExceptions) were embedded.

        However, I wish I'd seen dyuproject earlier. It looks like it has all we need, and since the OpenID interaction in the handler is confined to 2 methods, I think I can easily rip out openid4java & replace with dyu - I'll give it a try.

        The OpenID provider was included because I figured eventually I might have to build integration/unit tests for the handler that could be run as part of the build, non-interactively & without access to an online provider or real OpenID credentials. It would definitely make sense to split that out, at least into a testing module. Given all the library dependencies, it may not be worth it though.

        I'll post an updated handler shortly (with all the license bits).

        Felix Meschberger added a comment -

        Cool stuff, really ! I am eagerly looking forward to it.

        Re OpenID Provider: I assume for testing purposes a stupid provider might do it, right ? (this would of course go to the src/test tree.)

        But a real provider would be cool nevertheless, but probably out of scope right now.

        Rory Douglas added a comment -

        I think a stupid provider would be fine, but it would need to handle the OpenID protocol details correctly (message signing, nonce generation), since the client verifies the response message. I didn't take the time to figure out if that was something easy to fake without using existing libraries.
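
Added example, not code from this thread or from the Sling OpenID handler: the two protocol details named in the comment above, carried through for an OpenID 2.0 positive assertion in plain JDK code, with the signer a throwaway test provider would need and the relying-party check of signature, nonce freshness and replay. The class name, URLs, key, association handle and five-minute window are assumptions; association setup and discovery are left out, the MAC key is simply shared, and HMAC-SHA256 stands in for whichever association type is negotiated.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.*;
import java.util.*;

public class OpenIdAssertionCheck {
    static final List<String> MUST_SIGN = List.of("op_endpoint", "return_to", "response_nonce", "assoc_handle");
    static final Set<String> seenNonces = new HashSet<>(); // a real relying party expires old entries

    // OpenID 2.0 signature: HMAC over "key:value\n" for every field named in openid.signed.
    static String sign(Map<String, String> msg, byte[] macKey) throws Exception {
        StringBuilder kv = new StringBuilder();
        for (String f : msg.getOrDefault("openid.signed", "").split(",")) {
            String v = msg.get("openid." + f);
            if (v == null) throw new IllegalArgumentException("signed field absent: " + f);
            kv.append(f).append(':').append(v).append('\n');
        }
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(kv.toString().getBytes(StandardCharsets.UTF_8)));
    }

    static boolean verify(Map<String, String> msg, byte[] macKey, Instant now) {
        try {
            List<String> signed = Arrays.asList(msg.getOrDefault("openid.signed", "").split(","));
            String nonce = msg.get("openid.response_nonce"), sig = msg.get("openid.sig");
            if (sig == null || nonce == null || !signed.containsAll(MUST_SIGN)) return false;
            Instant issued = Instant.parse(nonce.substring(0, 20)); // nonce starts with a UTC timestamp
            if (Duration.between(issued, now).abs().compareTo(Duration.ofMinutes(5)) > 0) return false;
            byte[] expected = sign(msg, macKey).getBytes(StandardCharsets.US_ASCII);
            if (!MessageDigest.isEqual(expected, sig.getBytes(StandardCharsets.US_ASCII))) return false;
            return seenNonces.add(nonce); // false when an already accepted nonce is replayed
        } catch (Exception e) { return false; } // malformed nonce, missing field, crypto failure
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-test-association-key".getBytes(StandardCharsets.UTF_8);
        Map<String, String> msg = new HashMap<>(Map.of( // constructed assertion from a hypothetical test provider
            "openid.op_endpoint", "https://op.example.test/server", "openid.return_to", "https://rp.example.test/return",
            "openid.assoc_handle", "handle-1", "openid.response_nonce", "2009-01-29T12:00:00ZaB3x",
            "openid.signed", "op_endpoint,return_to,response_nonce,assoc_handle"));
        msg.put("openid.sig", sign(msg, key));
        Instant now = Instant.parse("2009-01-29T12:00:30Z");
        System.out.println("first: " + verify(msg, key, now) + ", replay: " + verify(msg, key, now));
        msg.put("openid.return_to", "https://other.example.test/return"); // altered after signing
        System.out.println("tampered: " + verify(msg, key, now));
    }
}
```

The nonce is recorded only after the signature verifies, so unsigned junk cannot fill the replay cache.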

        Rory Douglas added a comment -

        Updated OpenID handler now uses dyuproject libraries

        Felix Meschberger added a comment -

        Thanks Rory for providing this code, I have applied in Rev. 739850.

        Rory Douglas added a comment -

        Includes fix to detect when a successfully authenticated OpenID user fails repository-level login. Also adds LoginModulePlugin functionality described in SLING-852.

        Felix Meschberger added a comment -

        Thanks for the patches. I have applied them in Rev. 742157.

        Felix Meschberger added a comment -

        With this patch applied, I think this issue is complete.

        Please close, if this works as you expect. Thanks.


          People

          • Assignee:
            Felix Meschberger
            Reporter:
            Rory Douglas