OpenID Relying Party (RP) Contrib Package
Authenticate OpenID users as a Relying Party (RP) or consumer site
Introduction
The OpenID Relying Party (RP) Contrib extension adds OpenID authentication to TWiki sites. It allows users to log in to a TWiki site using an account at an OpenID provider (such as Google), so they do not need a separate username and password for the TWiki site.
This contrib package is an OpenID Relying Party (RP), also known as an OpenID consumer, because the user account information is not kept on the TWiki site but is instead obtained from an OpenID provider (OP) site. When a user requests to log in to a TWiki site via OpenID, the protocol defines the interactions between the TWiki site acting as an RP and the user's authenticating site acting as an OP.
OpenID providers can range in scope from a single individual's home server to large ISPs and social networking sites. In fact, millions of users already have an OpenID just by having accounts at LiveJournal (where OpenID was invented), AOL, Blogger, Flickr, Google, MySpace, Wordpress and many others. Some dedicated identity-provider sites use OpenID, such as ClaimID, MyOpenID, Vidoop and Verisign. A larger list is available at the OpenID Foundation, but it is already too big for anyone to know all the OP or RP sites any more. With the OpenID RP Contrib, any TWiki site can be an RP and allow logins from users of some, most or all OPs, depending on how you want to configure your TWiki site.
OpenIdRpContrib supports OpenID 1.1 and 2.0. This supersedes the experimental TWiki:Plugins/OpenIDUserContrib from 2008, which only had basic support for OpenID 1.1.
See the Frequently Asked Questions for OpenIdRpContrib.
Configuration
All the configuration parameters for OpenIdRpContrib are defined in the TWiki.pm or LocalSite.cfg files.
Required configuration:
- $TWiki::cfg{LoginManager} = 'TWiki::LoginManager::OpenID';
- $TWiki::cfg{UserMappingManager} = 'TWiki::Users::OpenIDMapping';
| Parameter | Description | Default |
| $TWiki::cfg{OpenIdRpContrib}{Debug} | flag: enable debug mode | 0 (false) |
| $TWiki::cfg{OpenIdRpContrib}{OpenIDProviders} | Perl array of name/URL for OpenID providers - see TWiki:Codev/OpenIDProviderList | none (required) |
| $TWiki::cfg{OpenIdRpContrib}{AutoRegisterUser} | Automatically redirect new users to registration page | 0 (false) |
| $TWiki::cfg{OpenIdRpContrib}{AutoCreateUser} | Automatically create new users | 0 (false) |
| $TWiki::cfg{OpenIdRpContrib}{TWikiRegistrationWeb} | Web to use for registration page - see AutoRegisterUser above | $TWiki::cfg{SystemWebName} |
| $TWiki::cfg{OpenIdRpContrib}{TWikiRegistrationTopic} | Topic to use for registration page - see AutoRegisterUser above | TWikiRegistration |
| $TWiki::cfg{OpenIdRpContrib}{OPHostWhitelist} | comma-delimited OpenID Provider host whitelist | (no whitelist) |
| $TWiki::cfg{OpenIdRpContrib}{OPHostBlacklist} | comma-delimited OpenID Provider host blacklist, ignored if whitelist defined | (no blacklist) |
| $TWiki::cfg{OpenIdRpContrib}{EmailDomWhitelist} | comma-delimited user e-mail domain whitelist | (no whitelist) |
| $TWiki::cfg{OpenIdRpContrib}{EmailDomBlacklist} | comma-delimited user e-mail domain blacklist, ignored if whitelist defined | (no blacklist) |
| $TWiki::cfg{OpenIdRpContrib}{ua_class} | Perl class to use for HTTP user agent | LWP::UserAgent |
| $TWiki::cfg{OpenIdRpContrib}{required_root} | required root for OpenID return URLs | $TWiki::cfg{DefaultUrlHost} |
| $TWiki::cfg{OpenIdRpContrib}{req_fields1} | OpenID 1.1 required SREG fields | fullname,email |
| $TWiki::cfg{OpenIdRpContrib}{opt_fields1} | OpenID 1.1 optional SREG fields | nickname,country,timezone |
| $TWiki::cfg{OpenIdRpContrib}{policy_url} | OpenID 1.1 optional SREG policy URL | (disabled) |
| $TWiki::cfg{OpenIdRpContrib}{req_fields2} | OpenID 2.0 required AX fields | firstname,lastname,email |
| $TWiki::cfg{OpenIdRpContrib}{opt_fields2} | OpenID 2.0 optional AX fields | nickname,country,timezone |
| $TWiki::cfg{OpenIdRpContrib}{UserMenuThresh1} | threshold for admin console user menu to split to 2 levels | 25 |
| $TWiki::cfg{OpenIdRpContrib}{UserMenuThresh2} | threshold for admin console user menu to split to 3 levels | 500 |
| $TWiki::cfg{OpenIdRpContrib}{ForbiddenAccounts} | accounts not allowed to be accessed by OpenID | TWikiContributor, TWikiGuest, TWikiRegistrationAgent, UnknownUser |
| $TWiki::cfg{OpenIdRpContrib}{NoHtPasswordLogin} | flag to force user to use OpenID for login if they have logged in with OpenID in the past | 0 |
| $TWiki::cfg{OpenIdRpContrib}{NoHtPasswordLoginTitle} | Title of message shown if user does not login with OpenID | OpenID login required |
| $TWiki::cfg{OpenIdRpContrib}{NoHtPasswordLoginMessage} | Message shown if user does not login with OpenID | We recognized your login %LOGINNAME%. However, for users who have logged in with OpenID in the past, only OpenID can be used to login. |
| $TWiki::cfg{OpenIdRpContrib}{NoHtPasswordLoginMessage2} | Message (second paragraph) shown if user does not login with OpenID | (empty) |
See also:
- $TWiki::cfg{PermittedRedirectHostUrls} - affects hosts which can be used as OPs
Example LocalSite.cfg settings
$TWiki::cfg{OpenIdRpContrib}{Debug} = 1;
$TWiki::cfg{OpenIdRpContrib}{OpenIDProviders} = [ # OpenID Provider names and endpoint URLs for creating login buttons
"AOL", "https://openid.aol.com/",
"Google", "https://www.google.com/accounts/o8/id",
"Hyves", "http://www.hyves.nl/",
"MyID.net", "http://myid.net/",
"MyOpenID", "http://myopenid.com/",
"MySpace", "http://api.myspace.com/openid",
"NTT !MyDocomo", "https://i.mydocomo.com/",
"Verisign", "https://pip.verisignlabs.com/",
];
$TWiki::cfg{OpenIdRpContrib}{AutoRegisterUser} = 1; # redirect new users who do not have a user page to registration page
# $TWiki::cfg{OpenIdRpContrib}{TWikiRegistrationWeb} = $TWiki::cfg{SystemWebName}; # web to redirect new users for registration when arriving by OpenID
# $TWiki::cfg{OpenIdRpContrib}{TWikiRegistrationTopic} = "TWikiRegistration"; # page to redirect new users for registration when arriving by OpenID
$TWiki::cfg{OpenIdRpContrib}{AutoCreateUser} = 0; # automatically create user page
# $TWiki::cfg{OpenIdRpContrib}{OPHostWhitelist} = ''; # if set, limits OP hosts
# $TWiki::cfg{OpenIdRpContrib}{OPHostBlacklist} = '.*\.jkg.in'; # ignored if WL defined
# $TWiki::cfg{OpenIdRpContrib}{EmailDomWhitelist} = ''; # if set, limits e-mail domains
# $TWiki::cfg{OpenIdRpContrib}{EmailDomBlacklist} = 'mailinator.com'; # ignored if WL defined
# $TWiki::cfg{OpenIdRpContrib}{NoUserAddId} = 0; # inhibit code that allows users to add more OpenID identities to their accounts
# $TWiki::cfg{OpenIdRpContrib}{NoUserDelId} = 0; # inhibit code that allows users to delete OpenID identities from their accounts
# $TWiki::cfg{OpenIdRpContrib}{ua_class} = "LWP::UserAgent"; # user agent Perl class
# $TWiki::cfg{OpenIdRpContrib}{required_root} = "http://your.server.dom/"; # root of your server
# $TWiki::cfg{OpenIdRpContrib}{nonce_pattern} = "GJvxv_%s"; # nonce pattern to make security exchange less predictable - OK to change but keep the %s in it
# $TWiki::cfg{OpenIdRpContrib}{req_fields1} = 'fullname,email'; # Required fields for OpenID 1.1
# $TWiki::cfg{OpenIdRpContrib}{opt_fields1} = 'nickname,country,timezone'; # Optional fields for OpenID 1.1
# $TWiki::cfg{OpenIdRpContrib}{req_fields2} = 'firstname,lastname,email'; # Required fields for OpenID 2.x
# $TWiki::cfg{OpenIdRpContrib}{opt_fields2} = 'nickname,country,timezone'; # Optional fields for OpenID 2.x
# $TWiki::cfg{OpenIdRpContrib}{policy_url1} = "http://example.dom/privacypolicy.html"; # default policy URL for OpenID 1.1 SREG systems which require it
$TWiki::cfg{OpenIdRpContrib}{UserMenuThresh1} = 25; # threshold in total OpenID users for admin console to begin showing 1 level of menu
$TWiki::cfg{OpenIdRpContrib}{UserMenuThresh2} = 500; # threshold in total OpenID users for admin console to begin showing 2 levels of menus
$TWiki::cfg{OpenIdRpContrib}{NoHtPasswordLogin} = 0; # flag to force user to use OpenID for login if they have logged in with OpenID in the past. Default this to 0.
# $TWiki::cfg{OpenIdRpContrib}{NoHtPasswordLoginTitle} = '!OpenID login required'; # Title of message shown if user does not login with OpenID
# $TWiki::cfg{OpenIdRpContrib}{NoHtPasswordLoginMessage} = 'We recognized your login !%LOGINNAME%. However, for users who have logged in with !OpenID in the past, only !OpenID can be used to login.'; # Message shown if user does not login with OpenID
# $TWiki::cfg{OpenIdRpContrib}{NoHtPasswordLoginMessage2} = ''; # Message (second paragraph) shown if user does not login with OpenID
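The parameter table above states the precedence rule for the host and e-mail domain lists (a defined whitelist makes the blacklist irrelevant), and the example settings above show the kind of values they take. The following Perl script is an added example, not code from OpenIdRpContrib: it evaluates those lists for a few constructed hosts and addresses, checks a return URL against required_root, and lints the other settings an administrator is likely to get wrong. The matching rules (list entries treated as anchored Perl regular expressions, as the blacklist example '.*\.jkg.in' suggests, and the return URL checked as a string prefix of required_root) are assumptions about the contrib's behaviour, and all configuration values and inputs in it are constructed.

```perl
#!/usr/bin/perl
# Added example (not part of OpenIdRpContrib): evaluate the OP host and
# e-mail domain allow/deny settings as the parameter table describes them,
# and sanity check a few other LocalSite.cfg values. The matching rules here
# are an assumption about the contrib's behaviour, not its code.
use strict;
use warnings;

# Constructed settings, modelled on the example LocalSite.cfg on this page.
our %cfg = (
    DefaultUrlHost  => 'https://wiki.example.org',
    OpenIdRpContrib => {
        OpenIDProviders   => [ 'Google',   'https://www.google.com/accounts/o8/id',
                               'Verisign', 'https://pip.verisignlabs.com/' ],
        OPHostWhitelist   => '',               # empty: no whitelist in force
        OPHostBlacklist   => '.*\.jkg.in',     # pattern from the example above
        EmailDomWhitelist => '',
        EmailDomBlacklist => 'mailinator.com',
        required_root     => 'https://wiki.example.org/',
        nonce_pattern     => 'GJvxv_%s',
    },
);

# Split a comma-delimited list setting into trimmed entries; '' gives ().
sub list_entries {
    my ($value) = @_;
    return () unless defined $value && length $value;
    return grep { length } map { s/^\s+|\s+$//gr } split /,/, $value;
}

# Match a host or domain against one list entry. Entries are treated as
# anchored, case-insensitive Perl regexes (assumption).
sub entry_matches {
    my ($entry, $subject) = @_;
    return $subject =~ /^(?:$entry)$/i ? 1 : 0;
}

# Precedence rule from the parameter table: if a whitelist is defined, only
# whitelisted values pass and the blacklist is ignored; otherwise anything
# that is not blacklisted passes.
sub permitted {
    my ($subject, $whitelist, $blacklist) = @_;
    my @allow = list_entries($whitelist);
    if (@allow) {
        return (grep { entry_matches($_, $subject) } @allow) ? 1 : 0;
    }
    my @deny = list_entries($blacklist);
    return (grep { entry_matches($_, $subject) } @deny) ? 0 : 1;
}

sub op_host_permitted {
    my ($host) = @_;
    my $c = $cfg{OpenIdRpContrib};
    return permitted($host, $c->{OPHostWhitelist}, $c->{OPHostBlacklist});
}

sub email_domain_permitted {
    my ($email) = @_;
    my ($domain) = $email =~ /\@([^@]+)$/;
    return 0 unless defined $domain;
    my $c = $cfg{OpenIdRpContrib};
    return permitted($domain, $c->{EmailDomWhitelist}, $c->{EmailDomBlacklist});
}

# A return_to URL is acceptable only under required_root (prefix check).
sub return_url_ok {
    my ($url) = @_;
    return index($url, $cfg{OpenIdRpContrib}{required_root}) == 0 ? 1 : 0;
}

# Lint the remaining settings: providers come in name/URL pairs, nonce_pattern
# keeps its %s, and required_root agrees with DefaultUrlHost.
sub config_problems {
    my @problems;
    my $c = $cfg{OpenIdRpContrib};
    push @problems, 'OpenIDProviders must be name/URL pairs'
        if @{ $c->{OpenIDProviders} } % 2;
    push @problems, 'nonce_pattern must contain %s'
        unless $c->{nonce_pattern} =~ /%s/;
    push @problems, 'required_root should start with DefaultUrlHost'
        unless index($c->{required_root}, $cfg{DefaultUrlHost}) == 0;
    return @problems;
}

# Constructed sample inputs.
for my $host (qw(www.google.com op.jkg.in)) {
    printf "OP host %-16s %s\n", $host, op_host_permitted($host) ? 'allowed' : 'denied';
}
for my $addr (qw(alice@example.org bob@mailinator.com)) {
    printf "e-mail %-20s %s\n", $addr, email_domain_permitted($addr) ? 'allowed' : 'denied';
}
printf "return_to %s\n", return_url_ok('https://wiki.example.org/bin/view') ? 'ok' : 'rejected';
my @p = config_problems();
print 'config: ', (@p ? join('; ', @p) : 'no problems'), "\n";
```

Run it as a stand-alone script with Perl 5.14 or later (the `/r` substitution flag needs it). Because a defined whitelist silences the blacklist entirely, an administrator who sets OPHostWhitelist to restrict providers should not expect OPHostBlacklist entries to add anything on top of it; the same holds for the e-mail domain pair.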
Additional Reading
Screen shots
Login screen
User console
Admin console
Settings
- One line description:
- Set SHORTDESCRIPTION = Authenticate OpenID users as a Relying Party (RP) or consumer site
There are no other settings on the TWiki topic. All the configuration is done through TWiki.spec and LocalSite.cfg. Modifications should only be made to LocalSite.cfg.
Installation Instructions
Note: You do not need to install anything on the browser to use this contrib package. The following instructions are for the administrator who installs the package on the server where TWiki is running.
- Download the ZIP file from the Plugin web (see below)
- Unzip OpenIdRpContrib.zip in your twiki installation directory. Content:
| File: | Description: |
| data/TWiki/OpenIdRpContrib.txt | |
| data/TWiki/OpenIdRpContribFAQ.txt | |
| data/TWiki/OpenIDAdminConsole.txt | |
| data/TWiki/OpenIDUserConsole.txt | |
| lib/TWiki/Contrib/OpenIdRpContrib.pm | |
| lib/TWiki/Contrib/OpenIdRpContrib/DBLockPerAccess.pm | |
| lib/TWiki/LoginManager/OpenID.pm | |
| lib/TWiki/Users/OpenIDMapping.pm | |
| pub/TWiki/OpenIdRpContrib/Crystal_Clear_action_edit_add_16.png | |
| pub/TWiki/OpenIdRpContrib/Crystal_Clear_action_edit_delete_16.png | |
| pub/TWiki/OpenIdRpContrib/Crystal_Clear_action_identity_16.png | |
| pub/TWiki/OpenIdRpContrib/Crystal_Clear_action_quick_restart_16.png | |
| pub/TWiki/OpenIdRpContrib/icon-globe.ico | |
| pub/TWiki/OpenIdRpContrib/icon-globe.png | |
| pub/TWiki/OpenIdRpContrib/logo_openid.png | |
| pub/TWiki/OpenIdRpContrib/logo_openid_trans.png | |
| pub/TWiki/OpenIdRpContrib/openid-login-bg.png | |
| pub/TWiki/OpenIdRpContrib/openid-logo-200x61.png | |
| pub/TWiki/OpenIdRpContrib/README-CrystalClear.txt | |
| pub/TWiki/OpenIdRpContrib/twiki-openid-10-screenshot.png | |
| pub/TWiki/OpenIdRpContrib/twiki-openid-11-screenshot.png | |
| pub/TWiki/OpenIdRpContrib/twiki-openid-9-screenshot.png | |
| templates/openidlogin.tmpl | |
- Test if the installation was successful:
Contrib Info
Related Topics: OpenIdRpContribFAQ, OpenIDAdminConsole, OpenIDUserConsole, TWikiPreferences