FS#10703 - Implement OpenID to link Arch pages.

Attached to Project: Arch Linux
Opened by Gavin Bisesi (Daenyth) - Thursday, 19 June 2008, 23:21 GMT
Last edited by Dan McGee (toofishes) - Monday, 19 November 2012, 02:07 GMT
Task Type Feature Request
Category Web Sites
Status Closed
Assigned To Paul Mattal (paul)
Pierre Schmitz (Pierre)
Dan McGee (toofishes)
Andrea Scarpino (BaSh)
Architecture All
Severity Low
Priority Normal
Reported Version 2007.08-2
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 50
Private No


I think that rather than having so many different logins, it would make a whole lot of sense to track them all together. Even if the various parts of the site didn't share a user database, using an OpenID would still help things.

Closed by  Dan McGee (toofishes)
Monday, 19 November 2012, 02:07 GMT
Reason for closing:  Won't implement
Comment by Greg (dolby) - Thursday, 19 June 2008, 23:31 GMT
When this was requested in the past, and believe me it has, developers always replied with the famous "patches welcome" phrase.
Comment by Gavin Bisesi (Daenyth) - Thursday, 19 June 2008, 23:43 GMT
Yeah, that's the strange thing. I remember reading a discussion about it but when I searched the bug tracker, for Arch and AUR both, including closed ones, I couldn't find any mention of it. I figure the MediaWiki and phpBB thing should be easy enough though.
Comment by Aaron Griffin (phrakture) - Friday, 20 June 2008, 16:34 GMT
I think this would definitely be worth it, but one note - we use punbb, not phpbb. Last I recall, that was one of the blockers.

Dusty, Simo, do you guys have anything against this? I know cactus had issues with OpenID, but don't recall what they were
Comment by Dusty Phillips (Dusty) - Friday, 20 June 2008, 17:53 GMT
I haven't heard of OpenID; I don't have an opinion on it one way or the other.

A quick Google search indicates that punbb does not support OpenID at this time, but it's on a wishlist, whatever that means.

I'm still sleeping on the idea of writing a huge new system entirely in django that integrates forum, aur, wiki, flyspray and the current archweb sites. This is something I have wanted for years and have never had the gumption to implement. I'm still evaluating my gumption levels. ;-) If I decide I have the time and can encourage a big enough team to pull this off, it would make this ticket a lot less attractive.

Comment by Tomas Mudrunka (harvie) - Wednesday, 20 May 2009, 16:01 GMT
It would be VERY useful. I don't use some parts of the archlinux website, since I don't want to keep 10 passwords for one website ;(
Comment by (webmeister) - Monday, 10 August 2009, 18:25 GMT
PunBB now supports OpenID using this extension: http://punbb.informer.com/forums/topic/21989/extension-openid/
Comment by Gavin Bisesi (Daenyth) - Wednesday, 11 November 2009, 15:45 GMT
Would the main blocker for this now be AUR support? Also, would it be possible to migrate "old" accounts to use this? Perhaps put an OpenID provider on our web server itself?
Comment by Mark (markg85) - Saturday, 20 February 2010, 13:55 GMT
Just wondering one thing. As far as I know you would still be stuck with x number of logins even if OpenID is used for all of ArchLinux. You would still have to log in for the forum, the wiki, bug reporting etcetera... It's just that registering becomes a whole lot easier.

So, why not make one "unified" login database? So that when you're logged in on the forum you're automatically logged in on other Arch places. Once you have that you can "think" about OpenID.
I would say: merge the forum user table, wiki user table, flyspray user table, aur user table and probably a few others. Make a plugin for each script so they use the data from the merged user table.
Comment by Jakub Vitak (mainiak) - Saturday, 20 February 2010, 17:17 GMT
Dear Mark,

I am only a user - not a developer - but I have a question for you.

Consider that I have accounts on several portals and I have to maintain logins for all of them.
If somebody merges AUR+WIKI+BUGS in the way you have suggested, I would still have to maintain N-2 passwords.

But if OpenID support is implemented, and there is OpenID support for other (non-Arch) portals I am using,
I could type my password only once for all portals! And if I change my password it will happen everywhere.

So I think your idea is not bad - but it is a half step from OpenID - and half steps suck.

Nice day.
Comment by Mark (markg85) - Saturday, 20 February 2010, 17:30 GMT
@Jakub Vitak

Not entirely.
It would work, if done properly, like this: (assuming you register at Arch)
- You register at any Arch location (wiki, forum, bug, aur etc)
- You can then log in at any of those locations BUT once you log in you will be logged in at ALL of those locations.
- You only log in once

It's kinda like OpenID only without.. OpenID :)
I personally am not a big fan of OpenID. I personally would prefer keeping sensitive things like login information in one database that you can see, manipulate or even delete.. OpenID is just somewhat odd.
Comment by Jakub Vitak (mainiak) - Saturday, 20 February 2010, 17:34 GMT

Ok. We each have our own opinion - but thank you for the explanation.
Comment by Tomas Mudrunka (harvie) - Saturday, 20 February 2010, 19:13 GMT
Once OpenID is implemented, we can decide to create our own OpenID provider and accept logins only from the archlinux OpenID provider.
OpenID does not mean that you need to accept OpenIDs from 3rd party domains.
Like Facebook is using XMPP but they accept only conversations between their own servers...
Comment by Jakub Vitak (mainiak) - Saturday, 20 February 2010, 19:54 GMT
Ouch :-/
Comment by Gaurish Sharma (gary4gar) - Sunday, 17 October 2010, 22:29 GMT
Wanted to revive discussion on this bug report. I think what Arch really needs is a Single-Action Sign On (SSO) system where you log in once and get logged in at the bug tracker, wiki, forums and all. I think OpenID can by default provide an SSO system, but it's not a single action, so I do have to enter my ID, if not the password. Plus, OpenID is designed for the internet, to share logins with third parties which might not trust each other.

Whereas in Arch's case, every service we have to integrate is on the same domain, so modifying the cookie path and more magic might do the trick.
Comment by Tomas Mudrunka (harvie) - Monday, 18 October 2010, 18:51 GMT
gary4gar: I've got a simple idea (more likely to be called an ugly workaround :-)
We can have some static HTML page with input boxes where we'll enter our login and password and then some JavaScript will send the HTML requests that are needed to log in on all archlinux pages. It's like "reverse-openid".

- it's really ugly solution
- you need to have same passwords on all archlinux portals
- you need to send the same password across multiple network connections

+ it can be done in tens of minutes by intermediate javascript programmer
+ it can save thousands of logins before openid will be properly implemented
Comment by Gaurish Sharma (gary4gar) - Monday, 18 October 2010, 19:15 GMT
This seems like a deal breaker, as there are many people who have different passwords.
- you need to have same passwords on all archlinux portals

Plus, not everyone has the same username on wiki, aur, forums & bug tracker. Sometimes the owner of a username on the forum is different from the owner of the same username on the wiki.

I think we need a solution, which:
1) Does not break the existing set of usernames & passwords (IMPORTANT!)
It simply means that if you have an account at the forum, after implementation of the new system the user should be able to use that forum username and password to log in to the rest of the Arch sites (wiki, bugtracker, aur).

2) It should be easily maintainable:
Meaning that security upgrades to scripts like MediaWiki, Flyspray etc. should not break our Single Sign-On system. And sys admins of archlinux should be able to upgrade site software. In case a patch breaks the system, there should be a fallback login system.

3) It should be Single Action Sign On:
The user signs in first at any of the Arch sites (wiki, forum, bug tracker & aur). He should be automatically logged in at all other sites. No further action from the user should be required. This is where I think there is a problem with the standard OpenID implementation: it requires some action to be performed at each site in case I want to log in. For example, I don't have to enter my password but I still need to enter my email ID, or some other action might be required. If there is some way around this, please let me know.

The above 3 points are according to me requirements for a decent system for our use.
Comment by (webmeister) - Monday, 18 October 2010, 20:55 GMT
gary4gar: Point 3 is no problem when using OpenID. Consider the following steps:
1. User enters his OpenID at x.archlinux.org.
2. x.archlinux.org asks the OpenID provider to authorize the user.
3. x.archlinux.org sets a session cookie "user successfully logged in" to avoid asking the OpenID provider again. This cookie gets deleted when the browser is closed.
4. x.archlinux.org sets a long-term cookie containing the user's OpenID entered in step 1. This cookie expires after two years (or whatever you consider "long-term").

So the only time a user has to enter his OpenID is when he visits x.archlinux.org for the very first time. Upon each subsequent visit x.archlinux.org uses the long-term cookie to determine the user's OpenID, sends a request to the OpenID provider in the background, and, if the user is logged in at his provider, requires no further user interaction.

The process can be improved by setting the long-term cookie not for the subdomain x.archlinux.org but for the archlinux.org domain. Then, instead of entering his OpenID once for every x.archlinux.org, the user only needs to enter his OpenID at the first x.archlinux.org he visits, which should achieve exactly what you want.
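
The cookie scheme from the comment above, sketched as an added example (not code from this thread or from any Arch site): the session cookie is an opaque token backed by server-side state, the domain-wide cookie is only an untrusted hint, and the background re-check uses the OpenID 2.0 `checkid_immediate` mode. The cookie names, the in-memory session store and an already-discovered provider endpoint are assumptions.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote, urlencode, urlsplit

TWO_YEARS = 2 * 365 * 24 * 3600
SESSIONS = {}  # assumed server-side store: session token -> verified OpenID

def login_cookies(openid):
    """Set-Cookie values for steps 3 and 4, after the provider verified `openid`."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = openid
    c = SimpleCookie()
    c["session"] = token                       # step 3: host-only, no expiry
    c["openid_hint"] = quote(openid, safe="")  # step 4: long-term identifier
    c["openid_hint"]["domain"] = "archlinux.org"   # visible to every subdomain
    c["openid_hint"]["max-age"] = TWO_YEARS
    for m in c.values():
        m["path"] = "/"
        m["secure"] = True
        m["httponly"] = True
    return [m.OutputString() for m in c.values()]

def immediate_request(endpoint, openid, return_to):
    """OpenID 2.0 request the provider must answer without user interaction."""
    return endpoint + "?" + urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": openid,
        "openid.identity": openid,
        "openid.return_to": return_to,
        "openid.realm": "https://*.archlinux.org/",
    })

def handle_visit(cookie_header, endpoint, return_to):
    """Decide what a subdomain does with the cookies the browser sent."""
    c = SimpleCookie(cookie_header)
    token = c["session"].value if "session" in c else None
    if token in SESSIONS:
        return ("logged_in", SESSIONS[token])
    if "openid_hint" in c:
        hint = unquote(c["openid_hint"].value)
        # Client-controlled value: it selects whom to ask, it never grants access.
        if urlsplit(hint).scheme == "https" and urlsplit(hint).netloc:
            return ("ask_provider", immediate_request(endpoint, hint, return_to))
    return ("prompt_for_openid", None)
```

Only the provider's signed positive assertion, verified by the relying site, should lead to a new session; the hint cookie on its own identifies nobody.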
Comment by Gaurish Sharma (gary4gar) - Monday, 18 October 2010, 21:24 GMT
I guess we can create our own *closed* OpenID provider at login.archlinux.org and accept requests from the archlinux.org domain. Still, this task is complex because of the huge number of users registered.

Fluxbb: 36,823 users
AUR: 25,198 users
MediaWiki: Not Known

We should break this down in steps. Like first attempt to implement an OpenID provider at login.archlinux.org and then add OpenID support at each Arch website.

If we can achieve Single Action Sign On using the process you suggested (setting a long-term cookie), then OpenID could be used to provide a unified login to all Arch pages.
Comment by Dan McGee (toofishes) - Monday, 18 October 2010, 21:27 GMT
Before *any* of this can happen, OpenID support needs to happen in upstream FluxBB and Flyspray. Without that, game over. And the last thing we want to do is have yet another service (private OpenID). This is also probably a no-go.
Comment by Gaurish Sharma (gary4gar) - Monday, 18 October 2010, 21:34 GMT
>>OpenID support needs to happen in upstream FluxBB and Flyspray.
Support can be added but I'm not sure we can get patches merged upstream. They can accept or reject; it's something beyond our control. What happens if they show no love for OpenID, maybe for technical or ideological reasons? Do we use our own modified version or stop dreaming about having a single login for all Arch pages?

>>And the last thing we want to do is have yet another service (private OpenID).
Oh, then what is the appropriate thing to do here?
Comment by (webmeister) - Monday, 18 October 2010, 23:03 GMT
I do not see the point in running a private OpenID provider either. The only reason for doing so is when you do not trust any other OpenID provider, but in the case of Arch, what harm can be done? For everyone who cares about SSO there are enough free OpenID providers to choose from. Everybody else can just continue to use username/password for login, which is also a nice backup in case the OpenID provider is down.

Given the goal of FluxBB to be "light with less of the "not so essential" features" I doubt that there will ever be OpenID support in the FluxBB core. Sadly, FluxBB 1.4 dropped the support of extensions from PunBB/FluxBB 1.3, so the remaining official way of adding features to FluxBB is by direct modification of the source code, which makes updating rather difficult.

So in the near future I see OpenID support neither in FluxBB nor in Flyspray. Therefore we can either let this issue rest until the situation improves or at least implement OpenID support where it is already possible (wiki, AUR). While this would not yet bring SSO to Arch, it would at least:
- remove the need for 2 of 4 logins, especially for those already using OpenID
- reduce the amount of work to be done later, when all prerequisites are met
- allow to experiment with OpenID and its implementation (e.g. the cookies mentioned above)
Comment by Gaurish Sharma (gary4gar) - Monday, 18 October 2010, 23:35 GMT
I agree on "implement OpenID support where it is already possible (wiki, AUR)". This would at least get things moving, which have been pretty much the same since the bug was opened back in 2008.

Plus, we would have 2 less logins to remember. Do we all agree on this?
Comment by Pierre Schmitz (Pierre) - Tuesday, 19 October 2010, 06:18 GMT
Why not keep it simple and use FluxBB for authentication? This is at least implemented for the Wiki and I have been using it for years on archlinux.de. This might not be as cool as OpenID but it is a lot simpler. I maintain a MediaWiki plugin for this anyway: http://projects.archlinux.org/vhosts/wiki.archlinux.org.git/tree/extensions/FluxBBAuthPlugin.php

Whatever we use: the migration to that system is the real problem. There might be accounts with the same name which belong to different users. Or users which have a forum account but not a wiki account etc. In addition to this the different sites have different ideas about password length or allowed characters in usernames. These things should have been implemented right from the beginning... now things are a little more complex.

And I agree with Dan. I wouldn't patch FluxBB or Flyspray for this as this would make maintaining those a lot more work.
Comment by Gaurish Sharma (gary4gar) - Wednesday, 20 October 2010, 08:43 GMT
I think we can go ahead with support for OpenID in Wiki and AUR? And we can think about what to do with the bugtracker and forums, since nobody here is interested in maintaining a patched version.

Well, I think your implementation is an extension. AFAIK, support for extensions has been removed from fluxbb, but more importantly there is the migration of existing accounts. It can get ugly.
Comment by Eric Belanger (Snowman) - Saturday, 17 November 2012, 11:17 GMT
This bug is over 2 years old. If we're not going to implement this, we should just close it.