[TYPO3-core] State of TYPO3 OpenID

Christian Weiske christian.weiske at netresearch.de
Tue Jul 9 14:32:40 CEST 2013

Hello Dimitry,

> > sources from the wrong understanding of OpenID in the
> > TYPO3 source.
> Sadly, it is a statement without a base or explanation.

Have a look at the OpenID 2.0 protocol overview[1]:

> 1. The end user initiates authentication by presenting a User-Supplied
>    Identifier to the Relying Party via their User-Agent.
> 2. After normalizing the User-Supplied Identifier, the Relying Party
>    performs discovery on it and establishes the OP Endpoint URL[...]
>    It should be noted that the User-Supplied Identifier may be an OP
>    Identifier, which allows selection of a Claimed Identifier at the
>    OP or for the protocol to proceed without a Claimed Identifier if
>    something else useful is being done via an extension.
> [...]
> 6. The OP redirects the end user's User-Agent back to the Relying
>    Party with either an assertion that authentication is approved[2]
> or a message that authentication failed.

The spec clearly defines the protocol flow as first sending the user to
the discovered endpoint. Also, it is explicitely stated that the
identifier given by the end user may be an endpoint URL, and not an
OpenID itself.

The current TYPO3 openid code expects it to be a OpenID URL. It
verifies that a user with the OpenID URL exists in the database before
even discovering the OpenID endpoint.

My patch[3] changes that to first do the OpenID auth and only after
that, when the OpenID identifier (claimed_id) is available, the
database is checked. 

[1] http://openid.net/specs/openid-authentication-2_0.html#anchor2
[3] https://review.typo3.org/21373

Regards/Mit freundlichen Grüßen
Christian Weiske

-= Geeking around in the name of science since 1982 =-

More information about the TYPO3-team-core mailing list