#974 - Implement oAuth login framework

Identifier #974
Issue type Feature request or suggestion
Title Implement oAuth login framework
Status Completed
Tags
- Type: External dependency (custom)
- Type: External social media integration (custom)
- Type: Security (custom)

Handling member Chris Graham
Addon General / Uncategorised
Description Create a new oauth addon.

Take oAuth1 code from either the Twitter or Vimeo APIs, and put it into a new Composr oAuth1 code file.
[if this code proves too specific, use a PHP oAuth client library such as http://code.google.com/p/oauth-php/ or https://github.com/jrconlin/oauthsimple/tree/master/php or https://code.google.com/p/oauth/ or http://www.phpclasses.org/package/7700-PHP-Authorize-and-access-APIs-using-OAuth.html]

Move the oAuth2 code out from being inside the gallery_syndication addon into the oauth addon. Also put the above oAuth1 code into the oauth addon. The gallery_syndication addon will now have a dependency on the new oauth addon.

Implement support for maintaining oAuth logins to Conversr. Store a password-compat-scheme value of "oauth_<provider_name>". Store oauth_access_token, oauth_access_token_secret and oauth_provider_name as cookies on the user's machine.

Change the Facebook addon to work via server-side oAuth. This mostly means removing code.

For each oAuth login we want to support, we need to add a hook. Each hook will have the following methods:
- install_config_options
- is_enabled
- render_login_button
- authorise_oauth_login
- get_credentials_from_browser
As oAuth doesn't define any way of getting credentials (*), the credential code will be separately implemented in each hook. Either hooks will implement new code directly to access a service's API, or they will tie into a bundled PHP library to do the task.
* Except for Apple, GitLab and Google, which support OpenID Connect, which is built on top of oAuth

The following oAuth login hooks should be implemented:
- Facebook
- Yahoo
- Twitter
- Google
- (Other good ones for possible implementation consideration, but not covered in this task: Microsoft Live, GitHub, GitLab, Instagram, Reddit, Sina Weibo, Stack Exchange, Yandex, VK, LinkedIn, Apple, Dropbox)

Add a block that renders the login buttons of all enabled oAuth login hooks.

Place this button in various templates, where Facebook buttons used to be.

Implement a logout feature that deletes the cookies.
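The pieces above (the three login cookies, the "oauth_<provider_name>" scheme value, the logout that deletes the cookies, and the authorise step of a hook) as one added PHP example. This is not Composr's own code or hook API: the function names, the `$provider` values, the session keys and the cookie lifetime are assumptions for illustration. It needs PHP 7.3+ for the options-array form of `setcookie()`.

```php
<?php
// Added example, not Composr's own code. It covers the login-token cookies the
// issue asks for (oauth_access_token, oauth_access_token_secret,
// oauth_provider_name), the "oauth_<provider_name>" password-compat-scheme value,
// the logout that deletes those cookies, and a state check for the callback.
// All function names and session keys are assumptions for illustration.

const OAUTH_COOKIE_NAMES = ['oauth_access_token', 'oauth_access_token_secret', 'oauth_provider_name'];

// Cookie attributes used for every login cookie: HttpOnly keeps the token away
// from page scripts, Secure keeps it off plain HTTP, and SameSite=Lax still lets
// the browser send it on the top-level GET redirect back from the provider.
function oauth_cookie_options(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Before redirecting to the provider: mint a one-time state value, keep it in the
// server-side session, and return it for inclusion in the authorisation URL.
function begin_oauth_login(string $provider): string
{
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state_' . $provider] = $state;
    return $state;
}

// On the callback: accept only a state that matches what this session issued,
// and use it once. A mismatch is rejected before any token exchange happens.
function check_oauth_callback_state(string $provider, array $query): bool
{
    $key = 'oauth_state_' . $provider;
    if (!isset($_SESSION[$key], $query['state']) || !is_string($query['state'])) {
        return false;
    }
    $expected = $_SESSION[$key];
    unset($_SESSION[$key]);
    return hash_equals($expected, $query['state']);
}

// After a successful token exchange: persist the login on the user's machine.
// The 30-day lifetime is an assumed default.
function set_oauth_login_cookies(string $provider, string $access_token, string $access_token_secret, int $lifetime_seconds = 2592000): void
{
    $options = oauth_cookie_options(time() + $lifetime_seconds);
    setcookie('oauth_access_token', $access_token, $options);
    setcookie('oauth_access_token_secret', $access_token_secret, $options);
    setcookie('oauth_provider_name', $provider, $options);
}

// Read the login back from the browser; null when any part is missing.
// The returned scheme is the password-compat-scheme value the issue specifies.
function get_credentials_from_browser(array $cookies): ?array
{
    foreach (OAUTH_COOKIE_NAMES as $name) {
        if (!isset($cookies[$name]) || !is_string($cookies[$name]) || $cookies[$name] === '') {
            return null;
        }
    }
    // Only accept provider names that look like a hook identifier, so the
    // cookie value cannot select anything other than a real hook.
    if (!preg_match('/^[a-z0-9_]+$/', $cookies['oauth_provider_name'])) {
        return null;
    }
    return [
        'provider'               => $cookies['oauth_provider_name'],
        'access_token'           => $cookies['oauth_access_token'],
        'access_token_secret'    => $cookies['oauth_access_token_secret'],
        'password_compat_scheme' => 'oauth_' . $cookies['oauth_provider_name'],
    ];
}

// Logout: expire all three cookies with the same attributes they were set with,
// so the browser matches and removes them.
function oauth_logout(): void
{
    $options = oauth_cookie_options(time() - 3600);
    foreach (OAUTH_COOKIE_NAMES as $name) {
        setcookie($name, '', $options);
    }
}
```

A hook's render_login_button would call begin_oauth_login() and put the returned state into the provider URL; its authorise_oauth_login would call check_oauth_callback_state() first and only then exchange the code for tokens and call set_oauth_login_cookies(). SameSite=Lax rather than Strict is deliberate: the provider sends the user back with a cross-site top-level navigation, and Strict would withhold the session cookie on that request.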
Steps to reproduce

Additional information Philosophically, this is a killing off of OpenID (*). It was always a mess interface-wise: users didn't understand it due to its complexity, it required a lot of UI consideration, and it was considered very insecure.
* OpenID Connect is actually built on oAuth though
oAuth is nicer because it requires just buttons, with no need to enter login details, and because you can see the SSL certificate of the service being logged in with before you agree to it.
oAuth is becoming the standard, although WebID and BrowserID want to be the standard, and OpenID is still politically active.

This also can kill off the old Facebook Connect JavaScript code, and instead use Facebook as just another oAuth provider. The result is a nice unification of functionality.

The Twitter and Vimeo addons will continue to have their own oAuth code, as this is built into the client libraries we integrate (Facebook will too, but will be used only for the site-auth and not for the user-auth). This is not a problem, these can continue to provide their own token management, as these tokens are used for specialist purposes in each case rather than for user login. It would be nice to remove the duplication, but not worth maintaining library forks over.
Funded? No