Hello OpenID: A New Drupal Tool
Drupal 5 OpenID Module Lets You Cut Down on Passwords Now
I think most of us have at least heard of OpenID. Yes, we know it's cool, we know it's built into Drupal 6, we know it will be the next big thing, and so on. And many of us have also heard that the final OpenID 2.0 specs are out and that Drupal 6 already supports them (James Walker writes about it if you missed it).
But really, when it comes to OpenID, I don't know what's more surprising: how well it works or how few Drupal sites have enabled it so far. That's the case even though there's already a nice Drupal 5 OpenID module that makes it quick and easy to deploy OpenID on a site.
It may take until Drupal 6 is out, with OpenID included in core, before we see widespread adoption. But I don't see why we can't start enjoying it now. The Drupal 5 module works fine and setting it up is really no work at all. And we all face the same problem: working with lots of websites and having to remember the resulting huge list of logins and passwords.
Here’s how it works:
For Users
1. Get your OpenID. There are several free options.
2. Use your OpenID. (Why not on every Drupal site out there?)
For Site Administrators
1. Grab the Drupal 5 OpenID module.
2. Enable it on your website.
Once it’s enabled, the login looks like this:
And yes, it really works! It's easy for administrators and users. Users can still use their normal Drupal login and password, but guess what... they won't want to anymore! :-)
Use Case and Bonus Tool: Using OpenID for a Development Team
Here at Development Seed we had the problem of handling many accounts across the many websites we build, plus the testing and development copies of each. Before, our options were to use the same password everywhere or to send passwords back and forth constantly, neither of which is good security practice. So we went looking for something better.
Here's where OpenID came to the rescue. What if I could add all my team members' OpenIDs to the administrator account of every site we set up? It would mean no more sharing passwords, and each developer could log in to any site with his own OpenID. Secure, reliable, simple! Cool, isn't it?
The current OpenID module already supports attaching several OpenIDs to one account. The catch with adding other people's identifiers is that each person has to complete an OpenID authentication, proving control of that identifier, before it is attached. To get around that we've coded a small tool that lets you add a bulk list of OpenIDs to any account, skipping that verification step for each one. Keep in mind what skipping it means: the site takes your word that each URL belongs to the person you think it does, so whoever controls that URL (or the delegation it points at) can log in as that account. Only use identifiers you got from the team member directly, and only on accounts you would be willing to share with them anyway.
So say I want to set up my testing site and let Jeff, Alex, and Ian log in at any time with full administrative rights. It's as simple as this:
Here's the ready-to-use module.
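To show what a tool like this has to do on the Drupal 5 side, here is an added example of a small hypothetical module. It is not the Development Seed module linked above and not part of the OpenID module; it assumes, as Drupal 6 core later did, that the Drupal 5 OpenID module looks identities up in the {authmap} table with module = 'openid', so check that against the module you actually installed. The menu path, form id and function names are made up for the example.

```php
<?php
// openid_bulk.module: hypothetical Drupal 5 module, added as an example.
// Assumption: the installed OpenID module stores identities in {authmap}
// with module = 'openid'. Attaching a row there bypasses the proof-of-control
// step, so access is limited to 'administer users' and every add is logged.

/**
 * Implementation of hook_menu() (Drupal 5 signature).
 */
function openid_bulk_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path' => 'admin/user/openid-bulk',
      'title' => t('Bulk-add OpenIDs'),
      'callback' => 'drupal_get_form',
      'callback arguments' => array('openid_bulk_form'),
      'access' => user_access('administer users'),
      'type' => MENU_NORMAL_ITEM,
    );
  }
  return $items;
}

function openid_bulk_form() {
  $form['uid'] = array(
    '#type' => 'textfield',
    '#title' => t('Target user ID'),
    '#description' => t('Numeric uid of the account the OpenIDs will be attached to.'),
    '#required' => TRUE,
  );
  $form['identifiers'] = array(
    '#type' => 'textarea',
    '#title' => t('OpenIDs, one per line'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Attach without verification'));
  return $form;
}

/**
 * Normalize a URL identifier before comparing or storing it: trim, add a
 * scheme if missing, lowercase scheme and host, use "/" for an empty path.
 * Simplified: XRIs are not handled. Returns FALSE for unusable input.
 */
function openid_bulk_normalize($identifier) {
  $identifier = trim($identifier);
  if ($identifier === '') {
    return FALSE;
  }
  if (!preg_match('!^https?://!i', $identifier)) {
    $identifier = 'http://' . $identifier;
  }
  $parts = @parse_url($identifier);
  if (empty($parts['host'])) {
    return FALSE;
  }
  $path = (isset($parts['path']) && $parts['path'] !== '') ? $parts['path'] : '/';
  $port = isset($parts['port']) ? ':' . $parts['port'] : '';
  $query = isset($parts['query']) ? '?' . $parts['query'] : '';
  return strtolower($parts['scheme']) . '://' . strtolower($parts['host']) . $port . $path . $query;
}

function openid_bulk_form_validate($form_id, $form_values) {
  if (!is_numeric($form_values['uid']) || !user_load(array('uid' => (int) $form_values['uid']))) {
    form_set_error('uid', t('No account with that uid.'));
  }
  foreach (preg_split('/[\r\n]+/', $form_values['identifiers']) as $line) {
    if (trim($line) !== '' && openid_bulk_normalize($line) === FALSE) {
      form_set_error('identifiers', t('%id is not a usable OpenID URL.', array('%id' => $line)));
    }
  }
}

function openid_bulk_form_submit($form_id, $form_values) {
  global $user;
  $uid = (int) $form_values['uid'];
  foreach (preg_split('/[\r\n]+/', $form_values['identifiers']) as $line) {
    $identity = openid_bulk_normalize($line);
    if ($identity === FALSE) {
      continue;
    }
    // authmap.authname is unique: never silently re-point an identifier that
    // is already bound to a different account.
    $owner = db_result(db_query("SELECT uid FROM {authmap} WHERE authname = '%s' AND module = 'openid'", $identity));
    if ($owner && $owner != $uid) {
      drupal_set_message(t('%id already belongs to uid %uid, skipped.', array('%id' => $identity, '%uid' => $owner)), 'error');
      continue;
    }
    if (!$owner) {
      db_query("INSERT INTO {authmap} (uid, authname, module) VALUES (%d, '%s', 'openid')", $uid, $identity);
    }
    // Audit trail: this attachment skipped the normal OpenID verification.
    watchdog('openid', t('uid %admin attached unverified OpenID %id to uid %uid.', array('%admin' => $user->uid, '%id' => $identity, '%uid' => $uid)));
    drupal_set_message(t('Attached %id to uid %uid.', array('%id' => $identity, '%uid' => $uid)));
  }
}
```

The two checks worth keeping if you adapt this are the duplicate-owner lookup (so a typo cannot hand someone else's identifier to the admin account) and the watchdog entry, which is the only record that an identity was attached without the holder ever authenticating.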
Enjoy!


Open ID Module for Drupal is a great job.
I've found info on some weak points:
"Certain input passed from the OpenID provider is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site."
Open ID Module for Drupal is an excellent job.
It's really great that OpenID module supports adding OpenIDs to any account.
That's a great job. It would be great if this functionality were integrated into the project module on Drupal.org. This is a very nice site.
A Valet Key for Your Identity
I'm surprised OpenID didn't think of this and that the two don't collaborate (or maybe they do). BTW, it's a nuisance to deal with the captcha for preview and then again for submitting. Have you considered Akismet?
...Jeff
--------------------------------
A Valet Key for Your Identity
A new standard aims to help users pass information between Web services without sharing full access to their identities.
By Erica Naone - Technology Review
As online services that make use of personal data multiply, it's becoming more common for users to need to pass data from one service to another. This often requires users to hand over usernames and passwords, in spite of the obvious security risks involved. A new open-source project called OAuth, released earlier this month, is intended to solve this problem by allowing users to give services a valet key to their identities, rather than full access.
Chris Messina, who helped organize the production of OAuth, says that the system will "give people control over the way that they broker their data through Web services, and also help them be a little more secure." The system allows a user to obtain a token through one site and pass it to another. The token then dictates what the second site can access, and in what way. To achieve this, the protocol has to define standard ways for sites to identify data and specify what they're going to do with it. To work, OAuth requires both sites to have implemented the protocol. The user does not have to be aware of it.
Along with Messina, Blaine Cook of Twitter and Larry Halff of Ma.gnolia worked to start the project.
Handing over usernames and passwords is an increasingly common feature of social-networking sites, including well-known sites such as Facebook and LinkedIn. At the initial sign-up phase, a site asks the user to enter the credentials for her e-mail accounts so that it can search for people she might know. It's also typical for sites to provide an opportunity for users to invite their existing contacts to join the network as well. But Messina says that there's another, unintended result of the practice: "It's training the user to pass around usernames and passwords like confetti," he says.
Eran Hammer-Lahav, who served as the editor for the core OAuth specification, says that a cautionary tale came earlier this year when a social-networking site called Quechup used its access to e-mail accounts through this feature to send invitations to every single person in a new user's contacts list. Even worse, to many people, the e-mails appeared to originate from the user, rather than from the company. Hammer-Lahav says that the warning is directed less at a particular site than at a system that needs improvement. "The core is really about what we call the love triangle," he says. The love triangle, he explains, is the relationship between the user and the two Web services that need to share data.
He adds that it's now becoming common for financial-management sites such as Mint to ask for passwords in order to aggregate information for users. In addition to posing a security risk, Hammer-Lahav says, it's actually not the best way for sites to share information. The aggregator sites often have to scrape financial information off banking pages by training their software to seek certain clues in the page source that signal key pieces of data. The problem, he says, is that if the bank redesigns the look of a page, those clues might change, rendering the aggregator unable to read the information. A system such as OAuth, Hammer-Lahav says, allows the sites to share information directly.
The idea of this type of system is not new, says Terrell Russell, cofounder of the online identity-management system ClaimID. Google, for example, has an existing proprietary protocol that has capabilities similar to those of OAuth. However, Russell says, the lack of a single standard hampers developers and encourages them to ask for usernames and passwords. Russell says that solving the problem of allowing Web services to safely share data will only become more important as more data migrates to the Web.
OAuth is being implemented by Twitter and Ma.gnolia, and portions of the standard appear in Google's OpenSocial platform. Although the initial release is a core protocol containing the basics of exchanging tokens between sites, Hammer-Lahav says that later releases will give users finer control over how they grant access to their data.
They do collaborate
I'm surprised OpenID didn't think of this and that the two don't collaborate (or maybe they do)
OpenID does its job, and it doesn't make much sense to allow users to add OpenIDs without authentication. The module we propose is just an extension for development teams, and it works together with the OpenID module.
OpenID
Nice to see the OpenID module for Drupal. Even Google has introduced OpenID support in its beta Blogger.
A pity that the Drupal 5 OpenID implementation doesn't work with Blogger in Draft. =/