View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 974 | Composr non-bundled addons | General / Uncategorised | public | 2013-01-15 01:01 | 2022-08-15 15:46 |
| Reporter | Chris Graham | Assigned To | Chris Graham | ||
| Priority | normal | Severity | feature | ||
| Status | resolved | Resolution | fixed | ||
| Summary | 974: Implement oAuth login framework | ||||
| Description | Create a new oauth addon. Take oAuth1 code from either the Twitter or Vimeo APIs, and put it into a new Composr oAuth1 code file. [if this code proves too specific, use a PHP oAuth client library such as http://code.google.com/p/oauth-php/ or https://github.com/jrconlin/oauthsimple/tree/master/php or https://code.google.com/p/oauth/ or http://www.phpclasses.org/package/7700-PHP-Authorize-and-access-APIs-using-OAuth.html] Move the oAuth2 code out from being inside the gallery_syndication addon into the oauth addon. Also put the above oAuth1 code into the oauth addon. The gallery_syndication addon will now have a dependency on the new oauth addon. Implement support for maintaining oAuth logins to Conversr. Store a password-compat-scheme value of "oauth_<provider_name>". Store oauth_access_token & oauth_access_token_secret & oauth_provider_name as cookies on the users machine. Change the Facebook addon to work via server-side oAuth. This mostly means removing code. For each oAuth login we want to support, we need to add a hook. Each hook will have the following methods: - install_config_options - is_enabled - render_login_button - authorise_oauth_login - get_credentials_from_browser As oAuth doesn't define any way of getting credentials (*), the credential code will be separately implemented in each hook. Either hooks will implement new code directly to access a service's API, or they will tie into a bundled PHP library to do the task. * Except for Apple, GitLab, Google supporting OpenID Connect, which is built on top of oAuth The following oAuth login hooks should be implemented: - Yahoo - (Other good ones for possible implementation consideration, but not covered in this task: Microsoft Live, GitHub, GitLab, Instagram, Reddit, Sina Weibo, Stack Exchange, Yandex, VK, LinkedIn, Apple, Dropbox) Add a block that renders the login buttons of all enabled oAuth login hooks. Place this button in various templates, where Facebook buttons used to be. Implement a logout feature, that deletes the cookies. | ||||
| Additional Information | Philosophically, this is a killing off of OpenID (*). This was always a mess interface-wise, users didn't understand it due to complexity, and it required a lot of UI consideration, as well as being considered very insecure. * OpenID Connect is actually built on oAuth though oAuth is nicer because it requires just buttons, no need to enter login details, and because you can see the SSL certificate from the service being logged in with before you agree to it. oAuth is becoming the standard, although WebID and BrowserID want to be the standard, and OpenID is still politically active. This also can kill off the old Facebook Connect Javascript code, and instead use Facebook as just another oAuth provider. The result is a nice unification of functionality. The Twitter and Vimeo addons will continue to have their own oAuth code, as this is built into the client libraries we integrate (Facebook will too, but will be used only for the site-auth and not for the user-auth). This is not a problem, these can continue to provide their own token management, as these tokens are used for specialist purposes in each case rather than for user login. It would be nice to remove the duplication, but not worth maintaining library forks over. | ||||
| Tags | Type: External dependency, Type: External social media integration, Type: Security | ||||
| Attach Tags | |||||
| Time estimation (hours) | 16 | ||||
| Sponsorship open | |||||
| related to | 2960 | Closed | Chris Graham | Composr | Google Analytics integration |
| related to | 2980 | Resolved | Chris Graham | Composr documentation | Social media integration review and documentation |
| related to | 3581 | Not Assigned | Guest | Composr | Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) [passkeys] |
|
|
And... OpenID is back, with OpenID connect, which companies are getting behind. It is now based on oAuth, so things are coming together in a positive way. http://techcrunch.com/2014/02/26/openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/ Meanwhile, Mozilla has dropped Persona, which I consider good news, people are getting in line with a single stack of standards. Given all this, probably this issue is now about implementing OpenID connect. |
|
|
We can look at Google's "Site Verification API" if we implement a strong oAuth framework, as this will let people verify their sites for Webmaster Tools very easily. Also Google Analytics APIs. |
|
|
Discussed on live chat, the following were all the social networks people were interested in for oAuth login: Facebook, Twitter, Google. |
|
|
Covered on this spreadsheet: https://docs.google.com/spreadsheets/d/1_yaJeGzDIsxq33I7Wg9I-lTBDk3YS22WPBwJ971v5tI |
|
|
Implemented with Hybridauth. I've improved Hybridauth a lot so it can meet our needs, and to bring the project forward generally. It's a little different to described in this issue, but better. Composr's own OAuth implementation, used for non-login APIs, is unchanged. It's best to just leave that alone for what it is good for and have Hybridauth fully handle login integration with its own more advanced OAuth implementation. Google Analytics APIs have already been used by the new v11 stats addon. Google's "Site Verification API" is not actually interesting on review. People can always set a CNAME record or something, so I don't know what problem we'd really be solving with it, really we'd just be making Google a special snowflake for no good reason. |
|
|
This issue was a v12 bedrock issue, but I've done it for v11 as I always hated our Facebook login integration and how it used JS. Having it all go through a nice standardised server-side OAuth library, along with other integrations, is really nice. And I need it for a client site. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2016-12-08 16:08 | Chris Graham | Relationship deleted | child of 2020 |
| 2016-12-08 16:09 | Chris Graham | Tag Attached: Type: External social media integration | |
| 2017-07-15 16:17 | Chris Graham | Note Added: 0005170 | |
| 2017-07-19 22:40 | Chris Graham | Note Edited: 0005170 | |
| 2017-08-29 01:27 | Chris Graham | Relationship added | related to 2960 |
| 2017-12-31 03:50 | Chris Graham | Note Added: 0005332 | |
| 2018-03-06 05:30 | Chris Graham | Relationship added | related to 2980 |
| 2018-03-06 05:31 | Chris Graham | Note Added: 0005551 | |
| 2018-04-11 01:15 | Chris Graham | Relationship added | related to 3581 |
| 2019-03-04 18:28 | Chris Graham | Tag Attached: Type: Security | |
| 2019-06-27 19:00 | Chris Graham | Tag Attached: Roadmap: v12 | |
| 2019-06-27 19:46 | Chris Graham | Tag Attached: Type: External dependency | |
| 2020-08-29 02:42 | Chris Graham | Description Updated | |
| 2020-08-29 02:42 | Chris Graham | Additional Information Updated | |
| 2020-09-07 18:28 | Chris Graham | Assigned To | => Chris Graham |
| 2020-09-07 18:28 | Chris Graham | Status | Not Assigned => Resolved |
| 2020-09-07 18:28 | Chris Graham | Resolution | open => fixed |
| 2020-09-07 18:28 | Chris Graham | Note Added: 0006691 | |
| 2020-09-07 18:30 | Chris Graham | Note Added: 0006692 | |
| 2022-08-15 15:46 | Chris Graham | Tag Detached: Roadmap: v12 | |
| 2023-02-26 18:29 | Chris Graham | Category | General => General / Uncategorised |
