OpenID Support

by Aleksandr Vladimirskiy last modified Feb 04, 2009 03:03 AM
This document describes how you can use OpenID with a Plone site.

Introduction

"OpenID is an open, decentralized, free framework for user-centric digital identity." (from http://openid.net)

Up to now, individual web site administrators have had to determine the policy appropriate to their site for identifying their users. This has led to a proliferation of authentication methods. The majority of current authentication methods require a user on the internet to remember a separate username and password pair for each site where they have a unique identity. It may not be possible to avoid storing authentication information for a site where security is a primary concern. On the other hand, a community-oriented site, where membership is open to all users on the internet, may find it beneficial to rely on a third-party identity provider. This way the site administrators' efforts can be better focused on building the site's content and identity rather than on security-related concerns.

OpenID proposes a system where a user sets up a unique "Identifier" in the form of a URI (e.g. johndoe.myopenid.com) at a site that will serve as their "Identity Provider". Web sites supporting OpenID use the user's URI "Identifier" to retrieve authentication credentials from the "Identity Provider". A number of internet service providers offer OpenIDs to their customers, such as LiveJournal, AOL, Microsoft, etc.

Installing OpenID on Plone 3

You can either choose OpenID support when creating a new Plone instance in the ZMI or install OpenID using Site Setup / Add-on Products. If you added OpenID support when you were creating your Plone instance in the ZMI and then see that it doesn't appear installed in Add-on Products, don't worry: it is installed and will work. You can install it there too for consistency's sake.

At this point you should try to log in to your site using an OpenID. If you don't have one, please follow the instructions in the next section of the how-to. If you do have one, skip to the section after that.

Obtaining an OpenID

A number of providers currently exist. An identity obtained from any provider will be compatible with an OpenID-enabled Plone site. A list of providers is available on the OpenID wiki page http://openid.net/wiki/index.php/OpenIDServers. If you're setting up a new Plone site and plan to support OpenID, obtain an identity, since it will be invaluable when you're testing your new setup. A site or service provider you already use may be providing you with an OpenID; please check with them so that you're not inadvertently creating multiple identities for yourself. After all, OpenID was created to minimize the number of usernames you have to keep track of.

Using OpenID with Plone 3

Browse to your Plone instance. If you are already logged in, consider starting a second browser so that you can retain your login and test OpenID at the same time.

If you installed OpenID you'll notice the OpenID Log in portlet being displayed below the default Log in portlet. Both methods of authentication are available to your users. Enter your OpenID identity into the OpenID URL field and press Log in.

[Screenshot: openid-login-portlet.jpg]

Depending on the settings you chose while creating your OpenID, your browser will either perform the authentication itself or be automatically forwarded to the authentication page hosted by your OpenID provider, where you'll be asked to enter your password. Once authentication takes place your browser will return to your Plone site and you'll see that you're logged in - your OpenID will be displayed in the upper right corner of the page.
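Because the OpenID identifier shown in the corner becomes the user's login name, the same identity must always reduce to the same string, whether the user typed johndoe.myopenid.com, http://JohnDoe.MyOpenID.com or a URL with a trailing fragment; otherwise one person ends up with several accounts. The normalization below follows section 7.2 of the OpenID 2.0 specification and is an added example, not code from Plone or from python-openid; the function names are my own.

```python
"""Normalize a user-entered OpenID identifier as OpenID 2.0 section 7.2
requires before discovery.  Added example; not Plone or python-openid code."""
from urllib.parse import urlsplit, urlunsplit

# Leading characters that mark an XRI rather than a URL identifier.
XRI_GLOBAL_CONTEXT_SYMBOLS = ("=", "@", "+", "$", "!")
DEFAULT_PORTS = (("http", 80), ("https", 443))


def normalize_openid(identifier):
    """Return (kind, normalized) with kind 'xri' or 'url'.

    Raises ValueError for input that cannot be an OpenID identifier.
    """
    ident = identifier.strip()
    if not ident:
        raise ValueError("empty identifier")
    # XRIs: drop the optional "xri://" prefix and keep the rest verbatim.
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident[:1] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return "xri", ident
    # URL identifiers: assume http:// when no scheme was typed, so that
    # "johndoe.myopenid.com" becomes "http://johndoe.myopenid.com/".
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)          # urlsplit lower-cases the scheme
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("identifier has no host")
    # RFC 3986 normalization: lower-case host, drop the default port,
    # add the trailing slash for an empty path and remove the fragment.
    # Any user-info in the URL is dropped (not meaningful for OpenID).
    netloc = parts.hostname
    port = parts.port                # raises ValueError if not numeric
    if port and (parts.scheme, port) not in DEFAULT_PORTS:
        netloc = "%s:%d" % (netloc, port)
    path = parts.path or "/"
    return "url", urlunsplit((parts.scheme, netloc, path, parts.query, ""))


def same_openid(first, second):
    """True when two typed identifiers denote the same OpenID user."""
    return normalize_openid(first) == normalize_openid(second)
```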

[Screenshot: openid-no-permissions.jpg]

At this point you may browse the site and will notice that you didn't get any new options. That's because, by default, OpenID-authenticated users are only members of the Authenticated virtual group on your site and can do little more than manage their own personal info.

In order for OpenID users to be able to interact with the content of your site you may consider granting them the Contributor role. The Contributor role is a new feature in Plone 3 and is part of the Community workflow, the default workflow selected in a brand new Plone instance. Users with the Contributor role are able to create new content on your site, while site administrators are able to review and publish it. You may wish to assign the Contributor role to the Authenticated group globally, or, if you're security conscious, assign it on a particular folder. This way you'll be sure that OpenID users are only able to create content in the location of your choice.

[Screenshot: openid-community-folder-sharing.jpg]

Switch to the browser where you were logged in as an administrator (Manager) user, and add a new folder. Title it "Community Content", for example, and click Save. Click the Sharing tab, check the "Can add" box for Logged-in users and save.

Switch to the browser you used to log in with an OpenID and refresh. You'll notice the new folder. Browse to it and you'll see that the familiar green outline appears and the Add new... menu contains the content items you can add to the folder.

[Screenshot: openid-with-permissions.jpg]

Conclusion

You should now be able to add OpenID support to your Plone 3 site. Please consider reading other documentation on this site that will describe related subjects such as roles, permissions and security.

Software Requirements

  • Plone 3.0
  • python-openid