[WIP] OpenId login support

[strk]

Far from ready, but open for contribution (mostly needs
UI and UX)

[stevenroose]

Fixes #185

[ethantkoenig]

Should this be renamed to OpenIDVerify for consistency? It seems that most other names use OpenID instead of Openid?

[ethantkoenig]

Should this be renamed OpenID for consistency?

[strk]

Renamed, although consistency is not the immediate problem with this work ... I wonder if OpenID should just be optionally associated to users who do also have another way to log in, as done with GNUSocial and Friendica, for example. I'm not sure if auto-registration makes sense with OpenID as you still need to provide a username just OpenID would replace your password, basically.

[stevenroose]

@strk I don't think OpenID as an "authentication method" makes a lot of sense. (It is a valid authentication method though, so it does make sense.)

The big advantage I would see from having OpenID is as a way of users to login without having been registered. Just like systems like Discuss allow anyone with an OpenID (even though Discuss requires this to be from a small set of providers) to make contributions in the form of issues or (federated) pull requests.

A possible setup that would benefit greatly from OpenID is the case of single-user usage. Gitea as a self-hosted Git homepage in which only one user has commit access, while he can allow anyone to open issues or request pulls with their OpenID (and a CAPTCHA ofc).

[strk]

I think you'll still want to create a local user for "guests" so to be able to grant them special access to some repos. The OpenID auth method is just a facility for those guests so they don't need to remember yet another password. The "registration" phase is still needed because you want: 1) To assign a username (for referencing) 2) To store an email (for notification) 3) To remember the user preferences I think what should happen in the "OpenID Login" page is that if your OpenID url is valid but not yet registered you're are asked to fill up the form (username/email/captcha?) and then you're in. For an OpenID url to be valid I guess we'd also want it not to be in a blacklist, or to be in a whitelist if given.

[allandegnan]

So actually we (https://github.com/UKHomeOffice) use OpenIDConnect to facilitate single sign on back to a single auth provider and we occasionally use SAML to provide the same thing.

Whilst I'm not saying that the addiontion of this feature itself would make us a gitea shop, not having it is a bit of a blocker when it comes to enteprisr adoption.

[strk]

@allandegnan this pr is about OpenID rather than OpenID Conenct. The difference is that while OpenID allows people to sign in using arbitrary URLS, OpenID Connect requires consumers to know providers in advance, restricting accessibility. I think there's an OpenID Connect extension allowing for discovery of providers, to do something similar to what OpenID does, but I've never seen an implmentation of such a system. Your UKHomeOffice usecase seems to be no different, is that correct ?

We still want to support OpenID Connect but should probably not replace OpenID.
See also #27

[allandegnan]

@strk That makes sense. Thanks for clearing up the nuances between the two standards.

[strk]

Issues to keep in mind while implementing OpenID: https://sites.google.com/site/openidreview/issues

[strk]

I love the way OpenID is implemented in GNUSocial. See an example: https://loadaverage.org/main/openid

How it goes:

• From the login page you have a try OpenID login link
• The OpenID login page asks for OpenID url and remember me option
• If users is found by OpenID url, she's logged in
• If user is not found, a, OpenID Account Setup page is shown, from here user can:
  • connect her OpenID URL to an existing account, in which case the corresponding password is requested
  • create a new user, in which case user and email are requested (defaulting to those communicated by the OpenID provider, if any.

[bkcsoft]

Should probably be Provider or OpenIDProvider (I'm partial to the former)

[strk]

If we take the "dedicated OP login" approach this ErrDelegatedAuth would not be needed. It was just an hack to force OpenID into the chain of "login sources".

[willemvd]

I'm searching through the different issues and pr's , but can find a final decision if OpenId Connect will be support or not.
Can somebody tell me if it is?

Oh and btw, found this library for OpenId Connect, maybe that might help :)
https://github.com/coreos/go-oidc

[strk]

On Mon, Jan 02, 2017 at 03:21:53AM -0800, willemvd wrote: I'm searching through the different issues and pr's , but can find a final decision if OpenId Connect will be support or not. Can somebody tell me if it is?

Free software is driven by do-ocracy. OpenID Connect will be available if anyone will code it. Are you up for it ?

[willemvd]

Guess the answer to my question is a "no" then

To answer your question... no, because I don't have any Go knowledge

[strk]

Your question was about decisions being taken, personally I think decision have no weight until backed up by actual work. To my knowledge there's no code yet for "OpenID Connect" support, but I've heard someone mentioning they'd want to implement it. You may file an issue suggesting it and see if anyone jumps in to provide code.