OpenID Relying Party (RP) Contrib Package

Authenticate OpenID users as a Relying Party (RP) or consumer site

Introduction

The OpenID Relying Party (RP) Contrib extension adds OpenID authentication to TWiki sites. It lets users log in to a TWiki site with an account at an OpenID provider (such as Google), so they do not need a separate username/password for the TWiki site.

This contrib package is an OpenID Relying Party (RP), also known as an OpenID consumer, because the user account information is not kept on the TWiki site but is obtained from an OpenID provider (OP) site. When a user requests to log in to a TWiki site via OpenID, the protocol defines the interactions between the TWiki site, acting as the RP, and the user's authenticating site, acting as the OP.

OpenID providers range in scope from a single individual's home server to large ISPs and social networking sites. Millions of users already have an OpenID just by having accounts at LiveJournal (where OpenID was invented), AOL, Blogger, Flickr, Google, MySpace, Wordpress and many others. Some dedicated identity-provider sites use OpenID, such as ClaimID, MyOpenID, Vidoop and Verisign. A larger list is available at the OpenID Foundation, but it is already too big for anyone to know all the OP or RP sites any more. With the OpenID RP Contrib, any TWiki site can be an RP and allow logins from users of some, most or all OPs, depending on how you configure your TWiki site.

OpenIdRpContrib supports OpenID 1.1 and 2.0. This supersedes the experimental TWiki:Plugins/OpenIDUserContrib from 2008, which only had basic support for OpenID 1.1.

See the Frequently Asked Questions for OpenIdRpContrib.

Configuration

All the configuration parameters for OpenIdRpContrib are defined in the TWiki.pm or LocalSite.cfg files.

Required configuration:

  • $TWiki::cfg{LoginManager} = 'TWiki::LoginManager::OpenID';
  • $TWiki::cfg{UserMappingManager} = 'TWiki::Users::OpenIDMapping';

| Parameter | Description | Default |
| $TWiki::cfg{OpenIdRpContrib}{Debug} | flag: enable debug mode | 0 (false) |
| $TWiki::cfg{OpenIdRpContrib}{OpenIDProviders} | Perl array of name/URL pairs for OpenID providers - see TWiki:Codev/OpenIDProviderList | none (required) |
| $TWiki::cfg{OpenIdRpContrib}{AutoRegisterUser} | Automatically redirect new users to the registration page | 0 (false) |
| $TWiki::cfg{OpenIdRpContrib}{AutoCreateUser} | Automatically create new users | 0 (false) |
| $TWiki::cfg{OpenIdRpContrib}{TWikiRegistrationWeb} | Web to use for the registration page - see AutoRegisterUser above | $TWiki::cfg{SystemWebName} |
| $TWiki::cfg{OpenIdRpContrib}{TWikiRegistrationTopic} | Topic to use for the registration page - see AutoRegisterUser above | TWikiRegistration |
| $TWiki::cfg{OpenIdRpContrib}{OPHostWhitelist} | comma-delimited OpenID Provider host whitelist | (no whitelist) |
| $TWiki::cfg{OpenIdRpContrib}{OPHostBlacklist} | comma-delimited OpenID Provider host blacklist, ignored if a whitelist is defined | (no blacklist) |
| $TWiki::cfg{OpenIdRpContrib}{EmailDomWhitelist} | comma-delimited user e-mail domain whitelist | (no whitelist) |
| $TWiki::cfg{OpenIdRpContrib}{EmailDomBlacklist} | comma-delimited user e-mail domain blacklist, ignored if a whitelist is defined | (no blacklist) |
| $TWiki::cfg{OpenIdRpContrib}{ua_class} | Perl class to use for the HTTP user agent | LWP::UserAgent |
| $TWiki::cfg{OpenIdRpContrib}{required_root} | required root for OpenID return URLs | $TWiki::cfg{DefaultUrlHost} |
| $TWiki::cfg{OpenIdRpContrib}{req_fields1} | OpenID 1.1 required SREG fields | fullname,email |
| $TWiki::cfg{OpenIdRpContrib}{opt_fields1} | OpenID 1.1 optional SREG fields | nickname,country,timezone |
| $TWiki::cfg{OpenIdRpContrib}{policy_url} | OpenID 1.1 optional SREG policy URL | (disabled) |
| $TWiki::cfg{OpenIdRpContrib}{req_fields2} | OpenID 2.0 required AX fields | firstname,lastname,email |
| $TWiki::cfg{OpenIdRpContrib}{opt_fields2} | OpenID 2.0 optional AX fields | nickname,country,timezone |
| $TWiki::cfg{OpenIdRpContrib}{UserMenuThresh1} | threshold (total OpenID users) for the admin console user menu to split into 2 levels | 25 |
| $TWiki::cfg{OpenIdRpContrib}{UserMenuThresh2} | threshold (total OpenID users) for the admin console user menu to split into 3 levels | 500 |
| $TWiki::cfg{OpenIdRpContrib}{ForbiddenAccounts} | accounts not allowed to be accessed by OpenID | TWikiContributor, TWikiGuest, TWikiRegistrationAgent, UnknownUser |

See also:

  • $TWiki::cfg{PermittedRedirectHostUrls} - affects hosts which can be used as OPs

Example LocalSite.cfg settings

$TWiki::cfg{OpenIdRpContrib}{Debug} = 1;
$TWiki::cfg{OpenIdRpContrib}{OpenIDProviders} = [ # OpenID Provider names and endpoint URLs for creating login buttons
    "AOL",      "https://openid.aol.com/",
    "Google",   "https://www.google.com/accounts/o8/id",
    "Hyves", "http://www.hyves.nl/",
    "MyID.net", "http://myid.net/",
    "MyOpenID", "http://myopenid.com/",
    "MySpace",  "http://api.myspace.com/openid",
    "NTT MyDocomo", "https://i.mydocomo.com/",
    "Verisign", "https://pip.verisignlabs.com/",
];
$TWiki::cfg{OpenIdRpContrib}{AutoRegisterUser} = 1; # redirect new users who do not have a user page to registration page
# $TWiki::cfg{OpenIdRpContrib}{TWikiRegistrationWeb} = $TWiki::cfg{SystemWebName}; # web to redirect new users for registration when arriving by OpenID
# $TWiki::cfg{OpenIdRpContrib}{TWikiRegistrationTopic} = "TWikiRegistration"; # page to redirect new users for registration when arriving by OpenID
$TWiki::cfg{OpenIdRpContrib}{AutoCreateUser} = 0; # automatically create user page
# $TWiki::cfg{OpenIdRpContrib}{OPHostWhitelist} = ''; # if set, limits OP hosts
# $TWiki::cfg{OpenIdRpContrib}{OPHostBlacklist} = '.*\.jkg.in'; # ignored if WL defined
# $TWiki::cfg{OpenIdRpContrib}{EmailDomWhitelist} = ''; # if set, limits e-mail domains
# $TWiki::cfg{OpenIdRpContrib}{EmailDomBlacklist} = 'mailinator.com'; # ignored if WL defined
# $TWiki::cfg{OpenIdRpContrib}{NoUserAddId} = 0; # inhibit code that allows users to add more OpenID identities to their accounts
# $TWiki::cfg{OpenIdRpContrib}{NoUserDelId} = 0; # inhibit code that allows users to delete OpenID identities from their accounts
# $TWiki::cfg{OpenIdRpContrib}{ua_class} = "LWP::UserAgent"; # user agent Perl class
# $TWiki::cfg{OpenIdRpContrib}{required_root} = "http://your.server.dom/"; # root of your server
# $TWiki::cfg{OpenIdRpContrib}{nonce_pattern} = "GJvxv_%s"; # nonce pattern to make security exchange less predictable - OK to change but keep the %s in it
# $TWiki::cfg{OpenIdRpContrib}{req_fields1} = 'fullname,email'; # Required fields for OpenID 1.1
# $TWiki::cfg{OpenIdRpContrib}{opt_fields1} = 'nickname,country,timezone'; # Optional fields for OpenID 1.1
# $TWiki::cfg{OpenIdRpContrib}{req_fields2} = 'firstname,lastname,email'; # Required fields for OpenID 2.x
# $TWiki::cfg{OpenIdRpContrib}{opt_fields2} = 'nickname,country,timezone'; # Optional fields for OpenID 2.x
# $TWiki::cfg{OpenIdRpContrib}{policy_url1} = "http://example.dom/privacypolicy.html"; # default policy URL for OpenID 1.1 SREG systems which require it
$TWiki::cfg{OpenIdRpContrib}{UserMenuThresh1} = 25; # threshold in total OpenID users for admin console to begin showing 1 level of menu
$TWiki::cfg{OpenIdRpContrib}{UserMenuThresh2} = 500; # threshold in total OpenID users for admin console to begin showing 2 levels of menus
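As an added example (not part of OpenIdRpContrib or its author's code), the following Perl models how the whitelist/blacklist precedence from the parameter table and the required_root check on the OpenID return URL are expected to gate a login. The configuration values are constructed; treating each list entry as an anchored regex follows the '.*\.jkg.in' entry above but is an assumption about the contrib's matching rules, as is modelling required_root as a prefix check on return_to.

```perl
#!/usr/bin/perl
# Added example, not part of OpenIdRpContrib: models the OP host / e-mail domain
# whitelist-blacklist precedence and the required_root check with constructed values.
use strict;
use warnings;

my %cfg = (
    OPHostWhitelist   => '',                        # empty: no whitelist in force
    OPHostBlacklist   => '.*\.jkg.in, op.example',  # assumed: one regex per entry
    EmailDomWhitelist => '',
    EmailDomBlacklist => 'mailinator.com',
    required_root     => 'https://wiki.example.org/',   # constructed site root
);

# Comma-delimited list -> anchored, case-insensitive patterns (assumption).
sub patterns {
    my ($list) = @_;
    return () unless defined $list && length $list;
    return map { qr/\A(?:$_)\z/i } grep { length } map { my $p = $_; $p =~ s/^\s+|\s+$//g; $p } split /,/, $list;
}

# Whitelist takes precedence; the blacklist is consulted only when no
# whitelist is defined, as the parameter table states.
sub allowed_by_lists {
    my ($value, $whitelist, $blacklist) = @_;
    my @wl = patterns($whitelist);
    return( (grep { $value =~ $_ } @wl) ? 1 : 0 ) if @wl;
    return( (grep { $value =~ $_ } patterns($blacklist)) ? 0 : 1 );
}

sub op_host_allowed {
    my ($endpoint) = @_;
    my ($host) = $endpoint =~ m{^https?://([^/:?#]+)}i or return 0;   # non-HTTP endpoint: refuse
    return allowed_by_lists(lc $host, $cfg{OPHostWhitelist}, $cfg{OPHostBlacklist});
}

sub email_allowed {
    my ($email) = @_;
    my ($dom) = $email =~ /\@([^\@\s]+)\z/ or return 0;   # no domain part: refuse
    return allowed_by_lists(lc $dom, $cfg{EmailDomWhitelist}, $cfg{EmailDomBlacklist});
}

# The OP may only send the browser back to a URL under required_root (prefix check, assumed).
sub return_to_allowed {
    my ($return_to) = @_;
    return index($return_to, $cfg{required_root}) == 0 ? 1 : 0;
}

printf "OP %s: %s\n", $_, op_host_allowed($_) ? 'allowed' : 'refused'
    for 'https://www.google.com/accounts/o8/id', 'https://login.jkg.in/';
printf "e-mail %s: %s\n", $_, email_allowed($_) ? 'allowed' : 'refused'
    for 'alice@example.org', 'bob@mailinator.com';
printf "return_to %s: %s\n", $_, return_to_allowed($_) ? 'allowed' : 'refused'
    for 'https://wiki.example.org/bin/view', 'https://evil.example/?https://wiki.example.org/';
```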

Additional Reading

Screen shots

Login screen

(screenshot: twiki-openid-10-screenshot.png)

User console

(screenshot: twiki-openid-9-screenshot.png)

Admin console

(screenshot: twiki-openid-11-screenshot.png)

Settings

  • One line description:
    • Set SHORTDESCRIPTION = Authenticate OpenID users as a Relying Party (RP) or consumer site

There are no other settings on the TWiki topic. All the configuration is done through TWiki.spec and LocalSite.cfg. Modifications should only be made to LocalSite.cfg.

Installation Instructions

Note: You do not need to install anything on the browser to use this contrib package. The following instructions are for the administrator who installs the package on the server where TWiki is running.

  • Download the ZIP file from the Plugin web (see below)
  • Unzip OpenIdRpContrib.zip in your TWiki installation directory. Content:
    • data/TWiki/OpenIdRpContrib.txt
    • data/TWiki/OpenIdRpContribFAQ.txt
    • data/TWiki/OpenIDAdminConsole.txt
    • data/TWiki/OpenIDUserConsole.txt
    • lib/TWiki/Contrib/OpenIdRpContrib.pm
    • lib/TWiki/Contrib/OpenIdRpContrib/DBLockPerAccess.pm
    • lib/TWiki/LoginManager/OpenID.pm
    • lib/TWiki/Users/OpenIDMapping.pm
    • pub/TWiki/OpenIdRpContrib/Crystal_Clear_action_edit_add_16.png
    • pub/TWiki/OpenIdRpContrib/Crystal_Clear_action_edit_delete_16.png
    • pub/TWiki/OpenIdRpContrib/Crystal_Clear_action_identity_16.png
    • pub/TWiki/OpenIdRpContrib/Crystal_Clear_action_quick_restart_16.png
    • pub/TWiki/OpenIdRpContrib/icon-globe.ico
    • pub/TWiki/OpenIdRpContrib/icon-globe.png
    • pub/TWiki/OpenIdRpContrib/logo_openid.png
    • pub/TWiki/OpenIdRpContrib/logo_openid_trans.png
    • pub/TWiki/OpenIdRpContrib/openid-login-bg.png
    • pub/TWiki/OpenIdRpContrib/openid-logo-200x61.png
    • pub/TWiki/OpenIdRpContrib/README-CrystalClear.txt
    • pub/TWiki/OpenIdRpContrib/twiki-openid-10-screenshot.png
    • pub/TWiki/OpenIdRpContrib/twiki-openid-11-screenshot.png
    • pub/TWiki/OpenIdRpContrib/twiki-openid-9-screenshot.png
    • templates/openidlogin.tmpl

  • Test if the installation was successful:
    • enter samples here

Contrib Info

Author: TWiki:Main/IanKluft
Copyright: © 2010, TWiki, Inc., All Rights Reserved
License: GPL (GNU General Public License)
Dependencies:
| Name | Version | Description |
| Net::OpenID::Consumer | >=0.1 | Required. Available from the CPAN:Net::OpenID::Consumer archive. |
| perl-IO-Socket-SSL | >=0.1 | Required |
| DB_File::Lock | >=0.1 | Required. Available from the CPAN:DB_File::Lock archive. |
| Tie::Hash | >=0.1 | Required. Available from the CPAN:Tie::Hash archive. |
| Cache::FileCache | >=0.1 | Required. Available from the CPAN:Cache::FileCache archive. |
| LWP::UserAgent | >=0.1 | Required. Available from the CPAN:LWP::UserAgent archive. |
Version: 2010-05-03 v0.1
Change History:  
2010-05-03: Initial version
Home: http://TWiki.org/cgi-bin/view/Plugins/OpenIdRpContrib
Feedback: http://TWiki.org/cgi-bin/view/Plugins/OpenIdRpContribDev
Appraisal: http://TWiki.org/cgi-bin/view/Plugins/OpenIdRpContribAppraisal

Related Topics: OpenIdRpContribFAQ, OpenIDAdminConsole, OpenIDUserConsole, TWikiPreferences

Topic revision: r2 - 13 May 2010 - 19:57:19 - TWikiAdminGroup
Note: Please contribute updates to this topic on TWiki.org at TWiki:TWiki.OpenIdRpContrib