Services/OpenId

From MozillaWiki

This page discusses the implementation of an OpenID service.

Requirements

  • Firefox detects forms that offer OpenID and injects a "Sign in using your Firefox Identity" button into them, so the user can sign in with it.
  • If the site is new, Firefox adds it to the user's authorized sites by calling our Identity server. The request performs the authentication and returns an OpenID URL.
  • The relying party can use this URL to authenticate the user.
  • XXX Display authorized sites?

XXX TBD - mconnor

Server APIs

The server exposes a single root API that accepts POST requests only. Any other request returns a 404.

Depending on the value of the openid_mode request parameter, the server performs a different operation:

  • authorize_site: adds a site to the list of authorized sites
  • check_authentication: checks that a given site is authorized

Adding an authorized site

Params:

  • openid_identity: the user's Identity e-mail or base32 id
  • password: the user's Identity password
  • openid_return_to: the return URL
  • openid_trust_root: the trust root URL (optional)

XXX


Checking a site

XXX
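The following sketch shows how the single-root POST API above fits together: the 404 for anything but POST /, the dispatch on openid_mode, and the one check a practitioner would insist on for authorize_site, namely that openid_return_to lies under openid_trust_root (the OpenID 1.1 rule; without it the endpoint would hand the OpenID URL to whatever return address a site supplies). This is an added illustration, not the server-openid prototype's code: the JSON response shapes, IDP_BASE, the in-memory USERS and AUTHORIZED stores standing in for LDAP and MySQL, and the parameters check_authentication reads are all assumptions.

```python
"""Sketch of the single-root POST API described above.

Added illustration, not the server-openid prototype's code. The JSON
response shapes, IDP_BASE, the in-memory USERS/AUTHORIZED stores and the
parameters accepted by check_authentication are all assumptions.
"""
import hashlib
import hmac
import json
import secrets
from http import HTTPStatus
from urllib.parse import parse_qs, quote, urlsplit

IDP_BASE = "https://openid.example.org"  # assumed identity-provider base URL
_SALT = b"constructed-salt"  # one fixed salt keeps the constructed store tiny


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed stand-in for the LDAP user store: identity -> password hash.
USERS = {"alice@example.com": _hash("correct horse")}
# Constructed stand-in for the MySQL site-token table: (identity, trust_root) -> token.
AUTHORIZED = {}


def authenticate(identity, password):
    """Verify the Identity password in constant time; unknown users fail."""
    stored = USERS.get(identity)
    return stored is not None and hmac.compare_digest(stored, _hash(password))


def return_to_matches_trust_root(return_to, trust_root):
    """OpenID 1.1 rule: openid_return_to must lie under openid_trust_root.

    Same scheme and port; host equal to the root's host, or, when the root
    host starts with "*.", equal to or a subdomain of the rest; and the path
    must be the root's path or a sub-path of it. Without this check a site
    could have the OpenID URL delivered to an address it does not control.
    """
    r, t = urlsplit(return_to), urlsplit(trust_root)
    if not r.hostname or not t.hostname or r.scheme != t.scheme or r.port != t.port:
        return False
    if t.hostname.startswith("*."):
        base = t.hostname[2:]
        if r.hostname != base and not r.hostname.endswith("." + base):
            return False
    elif r.hostname != t.hostname:
        return False
    root_path, path = t.path or "/", r.path or "/"
    if root_path.endswith("/"):
        return path.startswith(root_path)
    return path == root_path or path.startswith(root_path + "/")


def authorize_site(form):
    """openid_mode=authorize_site: authenticate, then record the site."""
    identity = form.get("openid_identity", "")
    return_to = form.get("openid_return_to", "")
    # openid_trust_root is optional; OpenID 1.1 falls back to openid_return_to.
    trust_root = form.get("openid_trust_root") or return_to
    if not authenticate(identity, form.get("password", "")):
        return 401, {"error": "authentication failed"}
    if not return_to_matches_trust_root(return_to, trust_root):
        return 400, {"error": "openid_return_to is not under openid_trust_root"}
    AUTHORIZED[(identity, trust_root)] = secrets.token_urlsafe(32)
    # Assumed shape of the OpenID URL handed back to Firefox.
    return 200, {"openid_url": f"{IDP_BASE}/{quote(identity, safe='')}"}


def check_authentication(form):
    """openid_mode=check_authentication: is this site authorized for the user?"""
    key = (form.get("openid_identity", ""), form.get("openid_trust_root", ""))
    return 200, {"is_valid": key in AUTHORIZED}


def handle(method, path, form):
    """Dispatch one request; returns (status, body). Only POST / is served."""
    if method != "POST" or path != "/":
        return 404, {"error": "not found"}
    mode = form.get("openid_mode")
    if mode == "authorize_site":
        return authorize_site(form)
    if mode == "check_authentication":
        return check_authentication(form)
    return 400, {"error": "unknown openid_mode"}


def application(environ, start_response):
    """WSGI entry point: form-encoded body in, JSON out."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode() if length else ""
    form = {k: v[0] for k, v in parse_qs(raw).items()}
    status, body = handle(environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/"), form)
    payload = json.dumps(body).encode()
    start_response(f"{status} {HTTPStatus(status).phrase}",
                   [("Content-Type", "application/json"),
                    ("Content-Length", str(len(payload)))])
    return [payload]
```

handle() is kept separate from the WSGI wrapper so the dispatch and the trust-root check can be exercised without a server; application() can be mounted under wsgiref or any WSGI container.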

Implementation details

The server prototype is here: http://bitbucket.org/tarek/server-openid

  • The server is built on server-core, which provides the authentication APIs
  • Users are stored in LDAP at Mozilla, but alternative back-ends can be used
  • Site tokens are stored in MySQL, but alternative back-ends can be used
  • The server uses the same node assignment library as Sync to associate a user with a server
  • A new multi-value field, service-enabled, is added to the LDAP user object:
    • to enable OpenID for the user, an OpenID value is added
    • the Sync value is used to enable/disable Sync
    • the account-enabled field is kept for global de-activation of a user
  • Node assignment can be done on the first OpenID activation if Sync is disabled or not yet used.


Client proto: ??

Impact on Sync

  • If a user tries to create a new account in Firefox Sync via the wizard but already has OpenID activated:
    • we tell the user that there is an existing account and redirect them to the regular user authentication screen
    • we add Sync to service-enabled in LDAP on the first sync
  • If a user deletes their Sync account:
    • we remove Sync from service-enabled but do not remove the LDAP user
  • If a user tries to create a new account in the OpenID UI and already has Sync activated, we warn that an account exists for that e-mail and propose that the user activate OpenID through the account management panel
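The service-enabled bookkeeping from the implementation details and the Sync/OpenID collision rules above are easy to get subtly wrong (for instance, honouring a per-service value on a globally de-activated account). The model below is an added illustration, not the server-openid or LDAP code: an in-memory stand-in for the LDAP user entry and for Sync's node assignment, with assumed method names, an assumed AccountExists exception and an assumed NODES list. It encodes the rules as stated: account-enabled wins over any service-enabled value, a sign-up that collides with an existing account is refused rather than creating a second one, Sync is recorded on the first sync, deleting Sync keeps the user, and a node is assigned on the first activation of either service.

```python
"""Model of the service-enabled bookkeeping described above.

Added illustration only: an in-memory stand-in for the LDAP user entry and
for the shared node-assignment library, not the server-openid or LDAP code.
AccountExists, the method names and NODES are assumptions.
"""
import hashlib

NODES = ["node1.example.org", "node2.example.org"]  # assumed storage nodes


class AccountExists(Exception):
    """Raised when a sign-up collides with an existing Identity account."""


def assign_node(email):
    """Stand-in for the node-assignment library shared with Sync: deterministic pick."""
    digest = hashlib.sha256(email.encode()).digest()
    return NODES[digest[0] % len(NODES)]


class UserDirectory:
    """LDAP-like store: one entry per e-mail with account-enabled, service-enabled, node."""

    def __init__(self):
        self.users = {}

    def _entry(self, email):
        return self.users.setdefault(
            email, {"account-enabled": True, "service-enabled": set(), "node": None})

    def _ensure_node(self, entry, email):
        if entry["node"] is None:  # Sync disabled or never used yet: assign now
            entry["node"] = assign_node(email)

    def service_allowed(self, email, service):
        """Usable only if the account is globally enabled AND the service
        value is present in the multi-value service-enabled field."""
        entry = self.users.get(email)
        return bool(entry and entry["account-enabled"]
                    and service in entry["service-enabled"])

    def enable_openid(self, email, via_account_panel=False):
        """OpenID sign-up. An existing Sync user is warned and must activate
        OpenID through the account management panel instead."""
        entry = self.users.get(email)
        if entry and "Sync" in entry["service-enabled"] and not via_account_panel:
            raise AccountExists("an account exists for this e-mail; "
                                "activate OpenID in the account management panel")
        entry = self._entry(email)
        entry["service-enabled"].add("OpenID")
        self._ensure_node(entry, email)
        return entry

    def create_sync_account(self, email):
        """Sync wizard sign-up. An existing OpenID user is sent to the regular
        authentication screen; Sync is only recorded on the first sync."""
        entry = self.users.get(email)
        if entry and "OpenID" in entry["service-enabled"]:
            raise AccountExists("an account exists for this e-mail; sign in instead")
        entry = self._entry(email)
        self._ensure_node(entry, email)
        return entry

    def first_sync(self, email):
        """After the user has authenticated, the first sync adds the Sync value."""
        entry = self._entry(email)
        entry["service-enabled"].add("Sync")
        self._ensure_node(entry, email)

    def delete_sync_account(self, email):
        """Remove Sync from service-enabled but keep the LDAP user."""
        entry = self.users.get(email)
        if entry:
            entry["service-enabled"].discard("Sync")

    def deactivate(self, email):
        """Global de-activation via account-enabled; per-service values stay."""
        self.users[email]["account-enabled"] = False
```

service_allowed() is the check every service-facing endpoint should call; it is the one place where the global account-enabled flag and the per-service value are combined, so a de-activated user cannot slip through a service whose value was never cleaned up.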