This page discusses the implementation of an OpenID service.

Requirements

• Firefox detects forms that offer OpenID and inject a "Sign in using your Firefox Identity" in it so the user can use it to sign in.

• If it's a new site, Firefox adds it to the authorized sites for the user, by calling our Identity server. The request performs the authentication and returns an OpenID URL

• The relying party can use this URL to authenticate the user

• XXX Display authorized sites ?

XXX TBD - mconnor

Server APIs

The server implements OpenID 2.0

XXX lists all APIs here, and usage scenarios

Implementation details

• The server is implemented using python-openid and server-core
• Users are stored in LDAP
• Site tokens are stored in MySQL
• The server uses the same node assignment library than Sync to associate a user to a server
• A new multi-value field is added in the LDAP User object: service-enabled
  • to enable OpenID for the user, an OpenID value is added
  • The Sync value is used to enable/disable Sync.
  • The account-enabled field is kept for a global de-activation of a user
• Node assignment can be done on the first OpenID activation if Sync is disabled or not used yet.

Impact on Sync

• If a user tries to create a new account in Firefox Sync via the wizard but already has OpenID activated
  • we tell the user that there's an existing account and redirect him to the regular user authentication screen.
  • we add Sync in service-enabled in LDAP on the first sync
• If a user deletes his Sync account
  • we remove Sync from service-enabled but don't remove the LDAP user
• If a user tries to create a new account in the OpenID UI, and already has Sync activated, we warn that an account exists for that e-mail and propose to the user to activate OpenID through the user account management panel