[Moin-user] OpenID authentication with MoinMoin

Kevin Turner kevin at janrain.com
Mon Dec 19 19:00:03 EST 2005


I've got an OpenID auth plugin for MoinMoin 1.5 working now, code
currently attached to
http://moinmoin.wikiwikiweb.de/FeatureRequests/OpenIDSupport

Please give it a look, try it out if you can, and let me know how it
goes.

It's implemented by adding an "openid_url" user preference and then
having the auth method scan the userlist for a user with a matching
record.  It sounds like there are lots of similarities between the
requirements for this and the requirements for the LDAP authenticator
that some folks are working on.

In response to the question someone posed on the AuthLDAP page, "Why you
want 2 different names for the wiki user name and login name?"  Well, as
someone already mentioned, login names are ugly.  And they are
restricted in what characters they can contain.  Most notably for
OpenID, they cannot contain /, which is a problem.

There are some limitations in my implementation which I've documented in
the code, but I'll reproduce here in hopes of getting some discussion
started on ways to resolve them.

 - No indication on the login form that it accepts OpenID.

 - Lack of feedback to the user.  There are a number of ways a user
   can fail to authenticate, and sometimes we allow MoinMoin to fall
   back to another authentication method, and sometimes we deny the
   request outright.  But while some cases are logged, the user gets
   no information about why they were not logged in.  It's impossible
   for them to tell if their OpenID was not found in the user database
   or if their server is down or if we had a problem parsing their
   input.  While it is in some cases advisable to hold back
   information so as not to leak it to attackers, feedback in most of
   the error cases is really only useful to a user in an honest login
   attempt.

 - There is no validation of OpenID URL upon setting it in
   UserPreferences.  This leads to several potential problems.  The
   user won't be prompted to correct an invalid or unusable value.  No
   check is performed to ensure that the OpenID is unique within the
   user database, or that the user is authorized to use that OpenID.

   This leads to a per-user denial of service attack: If Alice wants
   to harass Bob, she can enter Bob's OpenID in her preferences.  This
   will not give Alice access to Bob's account; rather, it may
   (depending on who comes first in the user table) cause Bob to log
   in as Alice when he logs in with OpenID.  If Bob notices, he can
   then fix the preferences for that account, but it's a nuisance at
   best.

   Again, it does not seem possible to correct this as a standalone
   authentication module, as no hooks for the processing of the
   UserPreferences form are provided by MoinMoin 1.5.  The solution to
   this lies in either revising the MoinMoin API or folding this code
   into the MoinMoin core.

 - User creation.  Ideally, one should be able to create an account with
   an OpenID and never set a password in MoinMoin at all.  With
   user_autocreate in the wiki configuration this is partially implemented,
   but users will quickly find that the userform code really doesn't want
   to let them through that screen without setting a password and an email
   address.



Cheers,

 - Kevin
   openidenabled.com

-- 
The moon is waning gibbous, 84.5% illuminated, 18.6 days old.
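The userlist lookup described in the second paragraph and the uniqueness/authorization gap in the third limitation, as an added example that is not code from Kevin's plugin or from MoinMoin: the lookup fails closed when more than one record claims an OpenID, and the preference is only stored once the consumer has verified that exact identifier in the current session and no other account holds it. The USERS table, the function names and the verified_id argument are all assumptions made for illustration.

```python
"""Added example, not code from Kevin's plugin: guards for the openid_url
preference and the userlist lookup the post describes.  The USERS table
and every function name here are constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(url):
    """Canonicalise so 'Bob.Example.org' and 'http://bob.example.org/'
    compare equal: default scheme, lower-case host, '/' minimum path."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def owners_of(users, openid_url):
    """All user names whose stored openid_url matches after normalisation."""
    wanted = normalize_openid(openid_url)
    return sorted(name for name, rec in users.items()
                  if rec.get("openid_url") and normalize_openid(rec["openid_url"]) == wanted)


def find_user_by_openid(users, openid_url):
    """Login lookup: exactly one owner -> that user, otherwise None.
    Several owners means the table is already inconsistent, so fail closed
    rather than let table order decide which account Bob lands in."""
    hits = owners_of(users, openid_url)
    return hits[0] if len(hits) == 1 else None


def set_openid_url(users, username, openid_url, verified_id):
    """UserPreferences check: store only if the user has just completed an
    OpenID login for this very identifier (verified_id, as the consumer
    library returned it) and no other account already holds it."""
    wanted = normalize_openid(openid_url)
    if verified_id is None or normalize_openid(verified_id) != wanted:
        raise ValueError("OpenID not verified in this session")
    if any(o != username for o in owners_of(users, wanted)):
        raise ValueError("OpenID already bound to another account")
    users[username]["openid_url"] = wanted
    return wanted


# Constructed sample table: Bob owns an OpenID; Alice's record has none yet.
USERS = {"Bob": {"openid_url": "http://bob.example.org/"}, "Alice": {}}
```

With these two checks in place, entering someone else's OpenID in UserPreferences is rejected before it can redirect their next login, and a table that already contains duplicates no longer logs anyone in as the wrong user.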