TYPO3, the PHP-based content management system, got support for OpenID logins with version 4.3a1 in 2008, which was rolled out in the stable version 4.3.0 in November 2009.
While working on the website for our kindergarten, I took the time to fix a nasty bug and implement some much-needed features. Two of them got merged into TYPO3 6.2, which will be released in March 2014.
Identifier select
Authentication with OpenID works this way:
- Discover the user's identity provider
- Let the identity provider do the authentication
- Verify the authentication information in your webapp
- Mark the user as logged in
Step one usually consists of the user typing in his OpenID identity URL, and the server extracting the identity provider URL from the returned HTML. In this case, the URL given by the user matches his identity URL ("claimed ID") returned by the identity provider after login.
It's also possible to use a generic service provider URL that is simply an XRDS document. In that case, the user's identity URL is different from the XRDS document URL.
Up to now, TYPO3 only supported the first way. It simply failed when the initially given OpenID URL did not match the final one returned by the OpenID server.
Unfortunately, many big providers - Google among them - use this method. But this feature also allows a page to offer a Google button, so that users can simply click on it and get logged in.
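Accepting a claimed ID that differs from the URL the user entered is only safe if the site checks that the asserting provider is allowed to speak for that ID; OpenID 2.0 requires the relying party to run discovery on the returned claimed ID in this case. The following sketch of that check is an added example, not TYPO3's code: `resolveClaimedId`, the array keys and the injected `$discover` callable are hypothetical names, the response signature is assumed to be verified already, and the URLs are constructed.

```php
<?php
declare(strict_types=1);

const IDENTIFIER_SELECT = 'http://specs.openid.net/auth/2.0/identifier_select';

/**
 * Return the claimed ID that a positive assertion may log in, or throw.
 * $request:   result of discovery on the user's input: claimed_id, endpoint
 * $assertion: response fields, signature already verified: claimed_id, op_endpoint
 * $discover:  hypothetical callable(string $url): ?string giving the OP endpoint
 *             that discovery on $url yields (null if none)
 */
function resolveClaimedId(array $request, array $assertion, callable $discover): string
{
    $claimed = $assertion['claimed_id'];
    if ($request['claimed_id'] !== IDENTIFIER_SELECT) {
        // Classic flow: the typed URL is the identity, so it must come back unchanged.
        if ($claimed !== $request['claimed_id']
            || $assertion['op_endpoint'] !== $request['endpoint']) {
            throw new RuntimeException('Assertion does not match the requested identifier');
        }
        return $claimed;
    }
    // Identifier select: the provider picked the claimed ID, so the site never
    // discovered it. Discover it now (fragment removed) and require that it
    // names the same endpoint that sent the assertion.
    $endpoint = $discover(explode('#', $claimed, 2)[0]);
    if ($endpoint === null || $endpoint !== $assertion['op_endpoint']) {
        throw new RuntimeException('Provider is not authoritative for ' . $claimed);
    }
    return $claimed;
}

// Constructed sample data: discovery results keyed by URL.
$discover = fn(string $url): ?string => [
    'https://op.example/id?id=abc' => 'https://op.example/endpoint',
    'https://someone-else.example/' => 'https://other-op.example/endpoint',
][$url] ?? null;

$request = ['claimed_id' => IDENTIFIER_SELECT, 'endpoint' => 'https://op.example/endpoint'];
$good = ['claimed_id' => 'https://op.example/id?id=abc', 'op_endpoint' => 'https://op.example/endpoint'];
echo resolveClaimedId($request, $good, $discover), PHP_EOL;

// The same provider asserting an ID that discovery ties to another endpoint.
$bad = ['claimed_id' => 'https://someone-else.example/', 'op_endpoint' => 'https://op.example/endpoint'];
try {
    resolveClaimedId($request, $bad, $discover);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The user record is then looked up by the returned claimed ID, never by the generic provider URL the user typed or clicked.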
A bug report
In March 2011, bug #25322 was reported: Google's OpenID provider URL is https://www.google.com/accounts/o8/id, but the final claimed ID will be something like https://www.google.com/accounts/o8/id?id=xyz, and xyz is even different for the same user when he logs into a second website.
My first patch landed in Gerrit 6 months ago.
After I discussed it with Helmut Hummel, Dmitry Dulepov sent in his own patch that didn't even solve the problem. No explanation given why this is necessary.
Luckily, this second patch was abandoned and after only 13(!) patch sets, my fix was merged into TYPO3 git master.
OpenID wizard
With Google giving out different claimed OpenID URLs for each domain a user logs into, you simply cannot know in advance which URL you will get - and thus cannot add the OpenID to your TYPO3 backend user.
To solve this problem, I made an OpenID wizard for the TYPO3 backend that can be used to assign an OpenID to backend users. It was tracked in bug #49310 and also took 13 patch sets until it finally got merged into TYPO3 core.
Every user and admin is now able to register an OpenID.
Other patches
Apart from the two mentioned patches, I contributed some more - but they did not get included into the 6.2 LTS release:
- #44127: Hooks for OpenID login process - this patch would allow auto-creation of TYPO3 backend users during OpenID login. Admins would not have to do this by hand anymore.
- #50545: Pre-fill OpenID backend login field - this patch would make logging in with OpenID a one-click process, since the last used OpenID URL would automatically be pre-filled in the TYPO3 backend login form.
- #51308: Allow registration of different backend login forms - with that feature, we could finally add OpenID provider buttons on the backend login form, or even integrate Account Chooser.
Contributing these patches was an incredibly frustrating experience. Often, nobody cared and I had to send mails to the mailing list asking for code reviews.
I had to call a core developer to discuss things with him. He promised to look into it, but did not. He told me he has code that does the same; it needs some polishing but would be released soon. It was not.
Then, after 6 months of sending emails to the mailing list begging for reviews, feature freeze settled into the TYPO3 6.2 land. The patches could not be merged anymore.
P.S.: A one-line patch fixing an exit code took 6 months to merge. Talk about resilience.