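Earlier it was mentioned that OpenID would be used to integrate the two versions, together with the PHP access control. How is that progressing?
Please reply with the parts that are already done, and if you need help with anything, please raise that as well.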
hj
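I haven't started on this yet. The steps I have in mind are:
1. Add a PHP-compatible user table to the database
2. (Research how PHP uses OpenID)
3. Research how to use an OpenID library on the Python side
4. Implement it
5. Test
No problems for now. Maybe we could ask whether anyone over there is working on something similar (OpenID). :)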
Keith
c. hsiao
That version is designed to be used with the CAS appliance.
How about trying this one:
http://w2popenid.appspot.com/
Best Wishes,
Fran.
So far I haven't worked out how to combine the custom login with OpenID. web2py-openid (http://bitbucket.org/bottiger/web2py-openid/) runs after a few small fixes, and I'm still looking at how to apply its approach.
I didn't see that one. That might be helpful.
I just thought the CAS appliance could be compatible with on-site login. Maybe it's my mistake?
I'll have a look. Thanks a lot!
Kind Regards,
Keith
I think it can be compatible - just that it does require the extra
app...no big deal if that's the way things have to be done...
Looking forward to seeing this working in Sahana :)
Best Wishes,
Fran.
- all existing login methods use the same form (username/email
+password) but OID is different. So Auth must be able to delegate to
the login method form generation and processing
- OpenID does not necessarily return a first_name, last_name, email of
the user so there is not enough info to fill the database table
- when using OpenID some methods like retrieve_password should be
If this is the only problem, we could easily replace this function
throughout our code with:
"if 2 in session.s3.roles"
> If it actually doesn't work, I will agree with Massimo, it will be easier to
> implement a
> new class that extends Auth with OpenID.
If you need to do this, then I highly recommend doing this upstream in
Web2Py itself - Massimo will be very supportive of this I'm sure - he
is a keen supporter of Sahana too, so will be especially helpful :)
F
> 2010/7/15 Keith Yang <keit...@gmail.com>:
>> I will try to see if the @auth.requires_login() will work. Probably not,
>> according to the thread. Then I will try to figure out how to let it work.
>
> If this is the only problem, we could easily replace this function
> throughout our code with:
> "if 2 in session.s3.roles"
Yeah I just checked it out. It doesn't work after I logged in with OpenID of CASAuth. As Massimo said, in this way
it doesn't take the benefit of Access Control of Auth. So I think it will fail in
other access control.
>
>> If it actually doesn't work, I will agree with Massimo, it will be easier to
>> implement a
>> new class that extends Auth with OpenID.
>
> If you need to do this, then I highly recommend doing this upstream in
> Web2Py itself - Massimo will be very supportive of this I'm sure - he
> is a keen supporter of Sahana too, so will be especially helpful :)
>
I'll try. We'll see how it goes this weekend.
Keith
ok, here's another option using RPX:
http://www.web2pyslices.com/main/slices/take_slice/28
F
2010/7/15 Keith Yang <keit...@gmail.com>:
>> If this is the only problem, we could easily replace this function
>> throughout our code with:
>> "if 2 in session.s3.roles"
> Yeah I just checked it out. It doesn't work after I logged in with OpenID of CASAuth. As Massimo said, in this way
> it doesn't take the benefit of Access Control of Auth. So I think it will fail in
> other access control.
ok, I just saw that the trunk of web2py is integrating RPX support:
http://bazaar.launchpad.net/~mdipierro/web2py/devel/revision/2071
maybe I should give it a try.
Keith
I've published the code here: https://code.launchpad.net/~keitheis/web2py/openid
It works like http://py.sahana.tw/eden/default/user/login
It's written according to web2py dev branch head (which supports rpx_account.py login method).
So it requires Sahana Eden to add two lines (of web2py dev) in modules/s3tools.py (since Sahana does rewrite the login method): (around line 395 for now)
if cas_user:
cas_user[passfield] = None
user = self.get_or_create_user(cas_user)
+ elif hasattr(cas,'login_form'):
+ return cas.login_form()
else:
# we need to pass through login again before going on
next = URL(r=request) + '?_next=' + next
redirect(cas.login_url(next))
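Review bot: the added "elif hasattr(cas,'login_form')" branch only tests that the attribute exists, and "return cas.login_form()" lets any exception raised while the login method builds or processes its form propagate straight out of login(). Consider testing callable(getattr(cas, 'login_form', None)), adding a comment that states the contract (a login method may supply its own form), and deciding where errors from that form are handled. Separately, the context line "'?_next=' + next" places next into the query string without URL-encoding it.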
For more detail, please refer to the docstring of the OpenIDAuth class
http://bazaar.launchpad.net/~keitheis/web2py/openid/annotate/head:/gluon/contrib/login_methods/openid_auth.py
The UI part like 'confirm the OpenID to associate, show existing OpenIDs for the user currently logged in' isn't implemented (yet). The 'remove associated OpenID' needs to be done too.
Cheers,
Keith
On Jul 16, 2010, at 3:17 AM, Fran Boon wrote:
This looks great, thanks :)
> It's written according to web2py dev branch head (which supports rpx_account.py login method).
> So it requires Sahana Eden to add two lines (of web2py dev) in modules/s3tools.py (since Sahana does rewrite the login method): (around line 395 for now)
> if cas_user:
> cas_user[passfield] = None
> user = self.get_or_create_user(cas_user)
> + elif hasattr(cas,'login_form'):
> + return cas.login_form()
> else:
> # we need to pass through login again before going on
> next = URL(r=request) + '?_next=' + next
> redirect(cas.login_url(next))
In Trunk, thanks :)
> For more detail, please refer to the docstring of the OpenIDAuth class
> http://bazaar.launchpad.net/~keitheis/web2py/openid/annotate/head:/gluon/contrib/login_methods/openid_auth.py
Need to remove the 1st argument 'request' from each of the 2 instantiations.
I've done this in Trunk (check 00_settings.py) but still get an error:
Traceback (most recent call last):
File "C:\Bin\web2py\gluon\restricted.py", line 178, in restricted
exec ccode in environment
File "C:/Bin/web2py/applications/eden/models/00_settings.py", line
45, in <module>
openid_login_form = OpenIDAuth(auth)
File "C:\Bin\web2py\gluon\contrib\login_methods\openid_auth.py",
line 93, in __init__
self._define_alt_login_table()
File "C:\Bin\web2py\gluon\contrib\login_methods\openid_auth.py",
line 111, in _define_alt_login_table
Field('user', self.table_user),
File "C:\Bin\web2py\gluon\sql.py", line 1309, in define_table
t._create(migrate=migrate, fake_migrate=fake_migrate)
File "C:\Bin\web2py\gluon\sql.py", line 1647, in _create
elif field.type[:10] == 'reference ':
TypeError: 'NoneType' object is unsubscriptable
This is with Web2Py r2084 (latest that is safe due to introduction of
StorageList() ) & the latest python-openid-2.2.5
Have these files been submitted to Massimo for inclusion upstream in Web2Py yet?
Many thanks,
Fran.
I haven't documented well.
The code should be put after auth.define_tables() in 00_settings.py (since it is using reference to table_user).
So it might look like:
line 62
auth.settings.verify_email_onaccept = lambda form: \
    auth.settings.mailer.send(to=deployment_settings.get_mail_approver(),
        subject="Sahana Login Approval Pending",
        message="Your action is required. Please approve user %s asap: " % form.email +
        deployment_settings.get_base_public_url() + "/" + request.application + "/admin/user")
if deployment_settings.get_auth_openid():
    # Requires http://pypi.python.org/pypi/python-openid/
    # Requires https://code.launchpad.net/~keitheis/web2py/openid
    try:
        from gluon.contrib.login_methods.openid_auth import OpenIDAuth
        openid_login_form = OpenIDAuth(auth)
        from gluon.contrib.login_methods.extended_login_form import ExtendedLoginForm
        extended_login_form = ExtendedLoginForm(auth, openid_login_form, signals=["oid", "janrain_nonce"])
        auth.settings.login_form = extended_login_form
    except ImportError:
        session.warning = T("Library support not available for OpenID")
It is tested on the r2084 of web2py and eden trunk.
I just learned the usage of session.warning and deployment_setting from your merge. That's sweet.
Keith
On Jul 24, 2010, at 9:16 AM, Fran Boon wrote:
ok, gotcha - moved it & the login box appears fine now :)
> I just learned the usage of session.warning and deployment_setting from your merge. That's sweet.
:)
ok, what I think we need next is some explanation of the use of OpenID
here - e.g. something like this:
http://openid.net/get-an-openid/start-using-your-openid/
i.e. 'Sign-in with OpenID' instead of just 'OpenID', 'Sign in' instead
of 'Submit Query' & a 'What is OpenID?' link (e.g. a Help button to
the right of the INPUT (like a table.field.comment in normal CRUD
tables))
If I put an email address in (since I'm dumb & assumed OpenID worked
that way) then I get a Traceback, which would be good to prevent with a
try/except or maybe use the IS_URL() validator?:
File "C:\Bin\web2py\gluon\restricted.py", line 178, in restricted
exec ccode in environment
File "C:/Bin/web2py/applications/eden/controllers/default.py", line
195, in <module>
File "C:\Bin\web2py\gluon\globals.py", line 96, in <lambda>
self._caller = lambda f: f()
File "C:/Bin/web2py/applications/eden/controllers/default.py", line
58, in index
login_form = auth()
File "C:\Bin\web2py\gluon\tools.py", line 967, in __call__
return self.login()
File "C:\Bin\web2py\applications\eden\modules\s3tools.py", line 395, in login
return cas.login_form()
File "C:\Bin\web2py\gluon\contrib\login_methods\extended_login_form.py",
line 122, in login_form
return self.alt_login_form.login_form()
File "C:\Bin\web2py\gluon\contrib\login_methods\openid_auth.py",
line 132, in login_form
return self._form()
File "C:\Bin\web2py\gluon\contrib\login_methods\openid_auth.py",
line 260, in _form
url = consumerhelper.begin(oid, self.realm, self.return_to_url)
File "C:\Bin\web2py\gluon\contrib\login_methods\openid_auth.py",
line 338, in begin
auth_req = self.consumer.begin(oid)
File "c:\bin\python26\lib\site-packages\openid\consumer\consumer.py",
line 347, in begin
'Error fetching XRDS document: %s' % (why[0],), None)
DiscoveryFailure: Error fetching XRDS document: <urlopen error [Errno
11003] getaddrinfo failed>
If I look up how OpenID works & try with my Google account, then I get:
"This Open ID haven't be registered. Please login to associate with it
or register an account for it."
I then login using my usual account & it gets associated & now I can
login just with the OpenID.
I see this creates an entry in the new db.alt_logins table.
What is the proposed workflow here?
* is OpenID meant for the general Public to be able to login without
having an account created?
* is it for staff to be able to login without needing to remember an
additional password (after the 1st login to associate)
Best Wishes,
Fran.
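
The traceback in the message above comes from an e-mail address reaching the consumer's begin() call. The following is an added example (not code from this thread, web2py or Sahana) of the check-then-catch approach suggested there, so the login form gets an error message instead of a traceback. DiscoveryFailure is a local stand-in for the python-openid exception named in the traceback, fake_begin and the example.org hosts are constructed, and XRI identifiers are not handled.

```python
import re
from urllib.parse import urlsplit

class DiscoveryFailure(Exception):
    """Local stand-in for the python-openid exception seen in the traceback."""

EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+$")

def check_openid_identifier(raw):
    """Return (normalized_url, None), or (None, message to show on the form)."""
    value = (raw or "").strip()
    if not value:
        return None, "Please enter your OpenID."
    if EMAIL_RE.match(value):
        return None, "An OpenID is a URL, not an e-mail address."
    if "://" not in value:
        value = "http://" + value  # bare host/path: prefix a scheme before discovery
    try:
        parts = urlsplit(value)
        ok = parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:  # e.g. malformed bracketed host
        ok = False
    if not ok:
        return None, "OpenID must be an http or https URL."
    return value, None

def begin_login(raw, begin):
    """Validate first, then call begin(url); report discovery errors on the form.

    `begin` stands for the consumer begin() call from the traceback (assumption).
    """
    url, error = check_openid_identifier(raw)
    if error:
        return None, error
    try:
        return begin(url), None
    except DiscoveryFailure:
        return None, "Could not contact that OpenID provider."

def fake_begin(url):
    """Constructed consumer: only one provider host can be discovered."""
    if urlsplit(url).hostname != "openid.example.org":
        raise DiscoveryFailure("Error fetching XRDS document")
    return "https://openid.example.org/auth?claimed_id=" + url

if __name__ == "__main__":
    for sample in ("fran@example.org", "openid.example.org/keith",
                   "https://unreachable.example.net/", "file:///etc/passwd"):
        print(sample, "->", begin_login(sample, fake_begin))
```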
On Jul 31, 2010, at 5:23 PM, SahanaTW PL - Hsiaojan wrote:
> Btw, I would prefer to add a notice under the openid column in order to
> reduce confusion from users.
> "This is only for registered users with added openid in profile."
>
> Two more requests as below:
> 1. " what is open id " should be changed into "More about Open ID"
No problem. I second this. Let's wipe out Fran's opinion.
> 2. Link of text above is https://myid.tw/profile/help
I think in theory it should be changeable during translation? And I think I did it like that.
>
> Keith:
> could you please help this?
No problem.
Keith
If you saw an OpenID URL as short as "yahoo.com" on user profile, you can delete it now.
Thanks for the surprise. Gotta put the fix on trunks.
Keith