OpenID patches for TYPO3 6.2

TYPO3, the PHP-based content management system, got support for OpenID logins with version 4.3a1 in 2008, which was rolled out in the stable version 4.3.0 in November 2009.

While working on the website for our kindergarten, I took the time to fix a nasty bug and implement some much-needed features. Two of them got merged into TYPO3 6.2, which will be released in March 2014.

Identifier select

Authentication with OpenID works like this:

  1. Discover the user's identity provider
  2. Let the identity provider do the authentication
  3. Verify the authentication information in your webapp
  4. Mark the user as logged in

Step one usually consists of the user typing in his OpenID identity URL, and the server extracting the identity provider URL from the returned HTML. In this case, the URL given by the user matches his identity URL ("claimed ID") returned by the identity provider after login.

It's also possible to use a generic service provider URL that is simply an XRDS document. In that case, the user's identity URL is different from the XRDS document URL.

Up to now, TYPO3 only supported the first way. It simply failed when the initially given OpenID URL did not match the final one returned by the OpenID server.

Unfortunately, many big providers - Google among them - use this method. But this feature also allows a page to offer a Google button, so that users can simply click on it and get logged in.
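The check a relying party has to make in both flows, as an added example that is not code from this post or from TYPO3: when the returned claimed ID differs from what the user entered, OpenID 2.0 requires a second discovery on the claimed ID to confirm that it names the same provider endpoint. The functions discover() and acceptedClaimedId() and all example.* URLs are hypothetical, and discovery is replaced by a constructed lookup table. The three calls cover an accepted identifier-select login, a provider asserting an identity that delegates to a different provider, and a mismatch in the classic flow.

```php
<?php
// Added example, not TYPO3 code. Discovery is stubbed with constructed data;
// URLs are assumed to be normalized already.
const DISCOVERY = [ // URL => [kind, OP endpoint]; 'op' = provider XRDS URL
    'https://op.example/id'        => ['op',      'https://op.example/auth'],
    'https://op.example/id?id=xyz' => ['claimed', 'https://op.example/auth'],
    'https://alice.example/'       => ['claimed', 'https://op.example/auth'],
    'https://victim.example/'      => ['claimed', 'https://other.example/auth'],
];

function discover(string $url): ?array
{
    return DISCOVERY[$url] ?? null;
}

/**
 * Returns the claimed ID to log in as, or null if the response is rejected.
 * $assertion carries openid.claimed_id and openid.op_endpoint from a positive
 * response whose signature and nonce were already checked.
 */
function acceptedClaimedId(string $userInput, array $assertion): ?string
{
    $initial = discover($userInput);
    if ($initial === null) {
        return null;
    }
    [$kind, $endpoint] = $initial;
    // The response must name the endpoint the request was sent to.
    if (($assertion['op_endpoint'] ?? '') !== $endpoint) {
        return null;
    }
    // Discovery ignores the fragment of a claimed ID.
    $claimed = explode('#', $assertion['claimed_id'] ?? '', 2)[0];
    if ($kind === 'claimed') {
        // Classic flow: the provider must return the URL the user typed.
        return $claimed === $userInput ? $assertion['claimed_id'] : null;
    }
    // Identifier select: the claimed ID is new, so discover it and require
    // that it names the same OP endpoint before trusting the assertion.
    $second = discover($claimed);
    if ($second === null || $second[0] !== 'claimed' || $second[1] !== $endpoint) {
        return null;
    }
    return $assertion['claimed_id'];
}

$op = 'https://op.example/auth';
var_dump(acceptedClaimedId('https://op.example/id', ['claimed_id' => 'https://op.example/id?id=xyz', 'op_endpoint' => $op]));
var_dump(acceptedClaimedId('https://op.example/id', ['claimed_id' => 'https://victim.example/', 'op_endpoint' => $op]));
var_dump(acceptedClaimedId('https://alice.example/', ['claimed_id' => 'https://op.example/id?id=xyz', 'op_endpoint' => $op]));
```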

A bug report

In March 2011, bug #25322 was reported: Google's OpenID provider URL is https://www.google.com/accounts/o8/id, but the final claimed ID will be something like https://www.google.com/accounts/o8/id?id=xyz, and xyz is even different for the same user when he logs into a second website.

My first patch landed in Gerrit 6 months ago.

After I discussed it with Helmut Hummel, Dmitry Dulepov sent in his own patch that didn't even solve the problem. No explanation was given why this is necessary.

Luckily, this second patch was abandoned and after only 13(!) patch sets, my fix was merged into TYPO3 git master.

OpenID wizard

With Google giving out different claimed OpenID URLs for each domain a user logs into, you simply cannot know in advance which URL you will get - and thus cannot add the OpenID to your TYPO3 backend user.

To solve this problem, I made an OpenID wizard for the TYPO3 backend that can be used to assign an OpenID to backend users. It was tracked in bug #49310 and also took 13 patch sets until it finally got merged into TYPO3 core.

[Screenshots: backend user editor, backend user settings, OpenID registration wizard popup]

Every user and admin is now able to register an OpenID.

Other patches

Apart from the two mentioned patches, I contributed some more - but they did not get included into the 6.2 LTS release:

Contributing these patches was an incredibly frustrating experience. Often, nobody cared and I had to send mails to the mailing list asking for code reviews.

I had to call a core developer to discuss things with him. He promised to look into it, but did not. He told me he has code that does the same; it needs some polishing but would be released soon. It was not.

Then, after 6 months of sending emails to the mailing list begging for reviews, feature freeze settled into the TYPO3 6.2 land. The patches could not be merged anymore.

P.S.: A one-line patch fixing an exit code took 6 months to merge. Talk about resilience.

Written by Christian Weiske.
