[geeklog-devel] OpenID revisited (new patch)

Dirk Haun dirk at haun-online.de
Thu May 17 14:51:42 EDT 2007


I've gone over Choplair's OpenID patch, cleaned it up somewhat and made
it more conforming to Geeklog's way of doing things in some places. The
new version (with instructions) can be found here:

    http://www.geeklog.net/nightly/openid_patch.tar.gz

It works against 1.4.1 and the 1.4.1-1 branch in CVS. Haven't tried it
against the CVS trunk yet, but it's not as invasive as suspected and
could be ported manually, if necessary.

--- snip ---
Changes over Choplair's patch:

- Moved the inlined class from users.php to classes/openidhelper.class.php
- Error messages use a fixed text. For security reasons, we shouldn't display
  any messages coming from a remote server. They are logged in error.log,
  though
- typekey.com doesn't send a username. Tried to compensate by guessing which
  portion of the OpenID URL could be the username. If that fails (not for
  typekey.com, but maybe for other services), we abort rather than using an
  empty username.
- Added CUSTOM_uniqueRemoteUsername function to ensure unique usernames
  (attaches a random number to the conflicting username).
- Added OpenID login form to users/loginform.thtml (the PHP code was already
  in place, it was only missing from the actual template file)
- Converted the icons to PNG

To do:

- Security audit. We shouldn't trust the data we get from the OpenID
  server ...

USE AT YOUR OWN RISK
--- snip ---

In my opinion, Choplair has earned himself the bounty. Any objections?

bye, Dirk


-- 
http://www.geeklog.net/
http://geeklog.info/
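
The handling listed in the change notes above (fixed error text with the remote message only logged, a guessed username that aborts when empty, a random number appended on conflict) could look like this in PHP. This is an added example, not code from the patch or from Geeklog; the function names, the URL heuristics, the use of error_log() in place of Geeklog's error.log, and the sample URLs are all assumptions.

```php
<?php
// Added illustration: names, heuristics and sample data are hypothetical,
// not taken from the Geeklog patch.

// Show fixed text to the user; the provider's message only goes to the log.
function reportOpenIdFailure(string $remoteMessage): string
{
    // Neutralise control characters so remote text cannot forge log lines.
    $safe = preg_replace('/[\x00-\x1F\x7F]/', ' ', $remoteMessage);
    error_log('OpenID failure (remote said): ' . substr($safe, 0, 200));
    return 'OpenID login failed.';
}

// Guess a username from the identifier URL; '' means "abort the login".
function guessUsername(string $openidUrl): string
{
    $parts = parse_url($openidUrl);
    if (!is_array($parts) || empty($parts['host'])) {
        return '';
    }
    // Last path segment first (https://provider.example/alice) ...
    $candidate = basename(trim($parts['path'] ?? '', '/'));
    // ... else a leading host label (https://alice.provider.example/).
    $labels = explode('.', $parts['host']);
    if ($candidate === '' && count($labels) > 2 && $labels[0] !== 'www') {
        $candidate = $labels[0];
    }
    // Untrusted input: conservative character set, bounded length.
    return substr(preg_replace('/[^A-Za-z0-9_-]/', '', $candidate), 0, 16);
}

// Append a random number until the name is free; give up after a few tries.
function uniqueUsername(string $name, callable $isTaken): string
{
    for ($try = 0, $unique = $name; $isTaken($unique); $try++) {
        if ($try === 10) {
            throw new RuntimeException('no free username found');
        }
        $unique = $name . random_int(1000, 9999);
    }
    return $unique;
}

$taken = ['alice'];                                   // constructed sample data
$isTaken = fn(string $n): bool => in_array($n, $taken, true);
foreach (['https://provider.example/alice', 'https://bob.provider.example/', 'https://provider.example/'] as $url) {
    $name = guessUsername($url);
    echo $url, ' => ', $name === '' ? reportOpenIdFailure("no username\nin URL") : uniqueUsername($name, $isTaken), "\n";
}
```

The first URL yields "alice" plus a random four-digit suffix because the name is taken, the second yields "bob", and the third aborts with the fixed message while the remote-style text goes only to the log.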



