Status of OpenID Consumer in Bugzilla

Rob Lanphier robla at robla.net
Fri Jul 1 20:40:03 UTC 2005


On Fri, 2005-07-01 at 11:15 -0300, Christian Robottom Reis wrote:
> On Thu, Jun 30, 2005 at 08:37:36PM -0700, Rob Lanphier wrote:
> > I'm trying to decide how many shortcuts I take to get this to work.  In
> > particular, here's the list of questions I have:
> > *  Where should the OpenID URI be stored?
> 
> Good question -- I assume the only reasonable place is in the profiles
> table.

I'm currently using profiles.extern_id, which is only 64 characters
long.  Max replied in bug 294608 (the openid bug) that that should be
the permahome for this, expanding the size if necessary.  It would mean,
however, that any two auth mechanisms that use extern_id couldn't be
used together.

> > *  Should user log in using email or by OpenID?
> 
> Allowing either might be nice.

I'm heading in that direction now.  My first iteration on this is going
to require that both DB and OpenID verify are turned on.  OpenID login
support is going to be a superset of plain CGI login.

So, basically, you'll create an account using the standard
username/password mechanism.  However, once you log in the first time,
you can associate an OpenID with the account, and presumably never need
the password again.

> > *  Should email verification process still occur?
> 
> Yes. We don't want a user in Bugzilla without a valid email.

Long-term, I can see this being site configurable.  Some sites may want
to insist on having valid email on record, other sites may not.  Some
users may prefer to be able to submit a bug without submitting their
email, and don't mind missing out on email notification.  However, with
bug reports, I imagine the development teams will probably be forced to
close out vague reports due to not being able to contact the reporter.
OpenID-only logins aren't completely anonymous, but currently lack a
standard push messaging mechanism.

> > *  Should a confirm hash style verification (ala Mailman or GForge) be
> > created, as opposed to mailing a password to the user?
> 
> Why not use the existing Token mechanism?

/me looks.

Hey, whaddya know!  :)  I saw that the standard new account creation
mechanism just pushed out a password rather than a login token, so I
just assumed that there wasn't a token mechanism.

Any philosophical reason why Token isn't used for new account creation,
or is it just a bit of cleanup that's always been below the cut line?

> > *  How should createaccount.cgi modification be done?
> 
> This is a rather open question :-)

Indeed.  I decided to narrow the question quite a bit by punting on
it  :)  The first version will just use standard account creation.

For the long term, it's tempting to restructure this code, creating a
new Bugzilla->create_account($cgi) method, and moving the bulk of the
current code into Bugzilla/Auth/Login/WWW/CGI.pm, or perhaps create
Bugzilla/Auth/Create/WWW/CGI.pm along with
Bugzilla/Auth/Create/WWW/OpenID.pm.

Rob
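The flow sketched in this message (create the account with the standard mechanism but confirm it with a one-time token instead of mailing a password, then let the logged-in user link a verified OpenID identifier to profiles.extern_id, which is 64 characters wide) as an added worked example. This is not Bugzilla's Perl code and not the patch from bug 294608; the AccountStore class, its dict-backed stand-ins for the profiles and tokens tables, the three-day token lifetime and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

EXTERN_ID_MAX = 64          # width of profiles.extern_id cited in the thread
TOKEN_TTL = 3 * 24 * 3600   # assumed lifetime of an unused confirmation token (seconds)


class AccountStore:
    """In-memory stand-in for the profiles and tokens tables (assumed layout)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.profiles = {}   # login_name -> {"confirmed", "pw_salt", "pw_hash", "extern_id"}
        self.tokens = {}     # sha256(token) -> {"login_name", "kind", "expires"}

    # --- token handling: mail the token, store only its hash -----------------
    def _issue_token(self, login_name, kind):
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = {"login_name": login_name, "kind": kind,
                               "expires": self.clock() + TOKEN_TTL}
        return token                                  # the only copy that leaves the server

    def _consume_token(self, token, kind):
        # Look up by hash: a leaked tokens table yields no usable tokens, and the
        # caller controls only the pre-image, so the dict lookup leaks nothing useful.
        digest = hashlib.sha256(token.encode()).hexdigest()
        rec = self.tokens.pop(digest, None)           # pop: single use, even on failure
        if rec is None or rec["kind"] != kind:
            raise ValueError("unknown token")
        if rec["expires"] < self.clock():
            raise ValueError("token expired")
        return rec["login_name"]

    # --- account creation: confirm by token, never mail a password -----------
    def request_account(self, login_name):
        if login_name in self.profiles:
            raise ValueError("account already exists")
        self.profiles[login_name] = {"confirmed": False, "pw_salt": None,
                                     "pw_hash": None, "extern_id": None}
        return self._issue_token(login_name, "new_account")

    def confirm_account(self, token, password):
        """Reached from the confirmation link; the user chooses the password here."""
        login_name = self._consume_token(token, "new_account")
        prof = self.profiles[login_name]
        prof["pw_salt"] = os.urandom(16)
        prof["pw_hash"] = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                              prof["pw_salt"], 200_000)
        prof["confirmed"] = True
        return login_name

    def check_password(self, login_name, password):
        prof = self.profiles.get(login_name)
        if prof is None or not prof["confirmed"]:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), prof["pw_salt"], 200_000)
        return hmac.compare_digest(cand, prof["pw_hash"])

    # --- OpenID association after the first password login ------------------
    def associate_openid(self, login_name, verified_uri):
        """Link an identifier the OpenID consumer has already verified to this account."""
        prof = self.profiles[login_name]
        if not prof["confirmed"]:
            raise PermissionError("confirm the account before linking an OpenID")
        if len(verified_uri) > EXTERN_ID_MAX:
            # Refuse rather than truncate: two long identifiers sharing a 64-byte
            # prefix would otherwise map to the same row.
            raise ValueError("identifier does not fit profiles.extern_id")
        if prof["extern_id"] not in (None, verified_uri):
            # The drawback noted in the thread: one extern_id column, one external identity.
            raise ValueError("extern_id already used by another auth mechanism")
        for other, p in self.profiles.items():
            if other != login_name and p["extern_id"] == verified_uri:
                raise ValueError("identifier already linked to another account")
        prof["extern_id"] = verified_uri

    def login_by_openid(self, verified_uri):
        """Map an identifier the consumer just verified back to a login name, or None."""
        for login_name, p in self.profiles.items():
            if p["confirmed"] and p["extern_id"] == verified_uri:
                return login_name
        return None
```

The token is returned once and only its SHA-256 digest is kept, so a dump of the tokens table cannot be replayed; `pop` makes every token single use whether or not verification succeeds, and expiry is checked after the pop so stale entries are cleared as they are tried. The length check refuses an over-long identifier instead of letting the database truncate it, since truncation is what would let two distinct OpenIDs land on one profile.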




