[TYPO3-core] State of TYPO3 OpenID

Christian Weiske cweiske at cweiske.de
Tue Jul 9 22:29:33 CEST 2013


Hello Dmitry,


> > The current TYPO3 openid code expects it to be an OpenID URL. It
> > verifies that a user with the OpenID URL exists in the database
> > before even discovering the OpenID endpoint.
> 
> Not correct. The endpoint is handled by the library we use in the 
> extension. It makes all necessary data exchanges, requests, etc. At
> least it was so when I initially wrote the extension.

Have a look at OpenidService.php line 221 [1]:
> // We may need to send a request to the OpenID server.
> // First, check if the supplied login name equals with the configured OpenID.
> if ($this->openIDIdentifier === $userRecord['tx_openid_openid']) {

This code checks if the sanitized OpenID identifier given by the user
in the login form equals the OpenID in his database record. This means
that it is not possible to log in with an endpoint URL.

And yes, I move the code up in the file - this has the effect that the
checks are done later, after the OpenID login process happened.

[1]
https://git.typo3.org/Packages/TYPO3.CMS.git/blob/HEAD:/typo3/sysext/openid/Classes/OpenidService.php#l221

