Changes


Bugzilla:OpenID Auth Plugin

2,829 bytes removed, 18:47, 30 March 2013
Removing 8 year old information about my attempt to hack OpenID in, and linking to a current BZ plugin that might actually work
== Status ==
Version 0.1.1 Jacky Alcine has been submitted to the BZ tracker:
* written a [https://bugzillagithub.mozilla.org/attachment.cgi?id=188469 Patch against BZ/CVS from 2005-07-06 (2.19.3+)]
* [https://bugzilla.mozilla.org/attachment.cgi?id=188010 New Bugzilla/Auth/Verify/OpenID.pm module]
* [https:com/jalcine/bugzilla.mozilla.org/show_bug.cgi?id=294608#c5 "Release Notes"]

The patch no longer cleanly applies to the current codebase. defparams.pl apparently no longer exists.

The submitter of this patch (Rob Lanphier) is willing to hand this off, due to the likely delay before getting to this project. [https://bugzilla.mozilla.org/show_bug.cgi?id=294608 Add a comment to the current bug to volunteer to take over].

== Open Issues ==

* Where should the OpenID URI be stored?
** Currently using profiles/extern_id. Long term should probably be its own field, and longer than 64 bytes.
* Should user log in using email or by OpenID?
** Currently still using email. Might work on using in conjunction with [https://bugzilla.mozilla.org/show_bug.cgi?id=218917 Myk Melez's patch for arbitrary BZ names], but want to get something working first.
* Should email verification process still occur?
** There doesn't appear to be any way around it, as there's no way to query an OpenID server for an email address. That may mean that [http://lid.netmesh.org/ LID] or FOAF is also needed to make this work in a way that doesn't require an email verification ping-pong. (Take a look at [http://openid.net/specs/openid-simple-registration-extension-1_0.html OpenID Simple Registration Extension], it will do what you want and is supported by many IdPs).

Current version must be used in tandem with DB.
* Should a confirm hash style verification (ala Mailman or GForge) be created, as opposed to mailing a password to the user
** Awaiting fix for [https://bugzilla.mozilla.org/show_bug.cgi?id=87795 Bugzilla Bug 87795 Creating an account should send token and wait for confirmation (prevent user account abuse)]
* How should createaccount.cgi modification be done?
** It's tempting to restructure this code, creating a new Bugzilla->create_account($cgi) method, and moving the current code into Bugzilla/Auth/Login/WWW/CGI.pm . Current version just relies on existing code, pretty much unmodified, so you must sign up for an account using old-fashioned means, and then associate an OpenID in the prefs.
* OpenID::Consumer library v0.11 (perl) fails taint check
** [http://lists.danga.com/pipermail/yadis/2005-June/thread.html#951 Taint safety discussion plugin available on OpenID dev list]
** Take a look at the [http://www.openidenabled.com/openid/libraries/perl/ Perl library from JanRainGitHub], it is more current and will evolve to replace Brad's original library as Authentication 2.0 gels
* Cookie expiration
** Current implementation is almost certainly wrong (indefinite length cookies).
== Other Links ==
* [http://comments.gmane.org/gmane.comp.bug-tracking.bugzilla.devel/4695 2005-06-27 - Initial exploratory discussion on developers@bugzilla.org]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=294608 Bugzilla ticket for Bug 294608 - "Support OpenID supportas a an account source and login verification method"]
* [http://comments.gmane.org/gmane.comp.bug-tracking.bugzilla.devel/4706 2005-07-01 - Design discussion on developers@bugzilla.org]
 
=== OpenID Servers ===
 
* https://pip.verisignlabs.com/
* http://www.myopenid.com/
* https://www.startssl.com/ (SSL Client Certificates Authentication)
[[category:Bugzilla|OpenID Auth Plugin]]