EXT: OpenID¶
| Author: | Kasper Skårhøj |
|---|---|
| Created: | 2002-11-01T00:32:00 |
| Changed: | 2007-10-01T11:38:21 |
| Author: | Dietrich Heise |
| Email: | typo3-ext@naw.info |
Extension Key: naw_openid
Copyright 2007, Dietrich Heise, typo3-ext@naw.info
naw.info GmbH: www.naw.info
This document is published under the Open Content License available from http://www.opencontent.org/opl.shtml
The content of this document is related to TYPO3 - a GNU/GPL CMS/Framework available from www.typo3.com
Table of Contents¶
EXT: OpenID
Introduction
What does it do?
Requirements
Screenshots
Users manual
Configuration
Installation
TypoScript Reference
Fields provided by OpenID (“sreg definition”) and their mapping to TYPO3
Tutorial
Known problems
Current limitations
Pitfalls to avoid
TODO
Introduction¶
What does it do?¶
- This extension lets your users log in (optionally: create accounts) using the OpenID standard
- What is OpenID: OpenID is a decentralized single sign-on system. It allows end users to register and sign on to websites without maintaining e.g. a separate username or password everywhere. Instead, users rely on one (optionally: multiple) point of authentication of their choice, called an “OpenID provider”.
- For details on OpenID you may start with http://en.wikipedia.org/wiki/OpenID
Features:
- OpenID logon form (can be used stand-alone or together with the traditional logon box)
- Account creation: If permitted, new users can be created automatically, using the data provided from OpenID. Required and optional fields can be configured by TypoScript.
- Account merging: Users can associate their OpenID to existing traditional user accounts
- Multiple OpenIDs: Each TYPO3 account can have multiple OpenID identities attached
- OpenID management: Users can edit the OpenIDs attached to their account [not yet described in this documentation]
Requirements¶
- Verified to run with TYPO3 versions 3.8.1 and 4.x
- curl required
Screenshots¶
Figure 1: Both login forms on one page
After providing a valid OpenID for the first time, you can either assign that OpenID to an existing TYPO3 user account, or you can create a new account (if allowed by TypoScript). This is called the “First-Time OpenID” dialog.
Figure 2: Page after response from OpenID server (at first-time login only). This is called the “First-Time OpenID” dialog.
[No screenshot for edit mode yet.]
Users manual¶
The OpenID frontend plugin has two modes:
- Login mode – provides OpenID login form (plus the follow-up “First-Time OpenID” dialog; see above)
- Edit mode – allows authenticated users to edit their OpenID associations [not yet described in this documentation]
Figure 3: Insert plugin OpenID
OpenID records are stored in a sysfolder. If OpenID creates new frontend user records, these are stored in the same sysfolder. See TypoScript Reference for details.
Figure 4: Users and OpenIDs stored in the backend
Configuration¶
Installation¶
Install the extension through the TYPO3 extension manager.
During activation, allow the openid database table to be created.
No further configuration is needed at this point.
TypoScript Reference¶
You need to configure some TypoScript, and you can modify the HTML template.
The default HTML template can be found in the /res folder of this extension.
The extension comes with a static TypoScript template that can be included instead of manually setting everything.
| Property | Data type | Description | Default |
|---|---|---|---|
| template | string | File name of the HTML template | EXT:naw_openid/res/template_en.html |
| openid_required | string | Fields that must be received from the OpenID provider (colon separated list of valid “sreg” fields – see table below) | email,fullname |
| openid_optional | string | Fields that may optionally be received from the OpenID provider (colon separated list of valid “sreg” fields – see table below) | nickname,gender,postcode |
| updateFieldsFromOpenID | boolean | If set, TYPO3 will fill in missing user data when it is received from OpenID at subsequent logins. Fields that are not empty in TYPO3 will not be overwritten, though. | 1 |
| forceUpdateFieldsFromOpenID | boolean | If set, TYPO3 will dynamically update (overwrite) all user data as received from OpenID at subsequent logins. | 0 |
| allowRegisterNewUser | boolean | If set, an authenticated first-time OpenID user can create a new TYPO3 fe_user account (as a replacement for the traditional fe user self-registration). Otherwise, an OpenID can only be associated with an existing account. | 1 |
| defaultUsergroupNewUser | int | The ID of the user group that an OpenID-created TYPO3 account belongs to | |
| fe_user_pid | string | Sysfolders holding the fe_users that are allowed to be associated with an OpenID. Typically, make sure to include the fe_user_pid_create sysfolder's ID here. (colon separated list) | |
| fe_user_pid_create | int | The sysfolder where OpenID records and OpenID-created fe_users are placed | |
| responsePageUIDfromOpenIDServer | string | Defines where the “First-Time OpenID” dialog is to be shown. If your OpenID logon form is on the same page as a traditional login box, it will probably be confusing to show that dialog next to the normal login box. The solution is to place the plugin again, on a different page, and point to it here. Values: self = same page; <page ID> = page indicated | 'self' |
| RedirectInsteadOfSessionGenerated | string | Defines where to redirect after successful logon. This redirect is particularly recommended when you have a login box on the same page, because otherwise that element would notice that the user has been logged in. Values: 0 = deactivated (do not do this extra redirect); self = redirect to same page; <page ID> = redirect to page indicated | 0 |
| openid_validate.username | string | Defines how to sanitize the username that is received from OpenID (regular expression) | [^a-z0-9-_.@] |
| openid_validate.email | string | Defines how to sanitize the email address that is received from OpenID (regular expression) | [^a-zA-Z0-9-_.@] |
| openid_validate.fullname | string | Defines how to sanitize the “full name” value that is received from OpenID (regular expression) | [^a-zA-Z0-9-_.@äöüÄÖÜ] |
Fields provided by OpenID (“sreg definition”) and their mapping to TYPO3¶
| OpenID field | TYPO3 field |
|---|---|
| openid.sreg.nickname | suggestion for the username |
| openid.sreg.email | fe_users:email |
| openid.sreg.fullname | fe_users:name |
| openid.sreg.dob | - unused - |
| openid.sreg.gender | fe_users:gender |
| openid.sreg.postcode | fe_users:zip |
| openid.sreg.country | - unused - |
| openid.sreg.language | - unused - |
| openid.sreg.timezone | - unused - |
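The following added example (not the extension's own code; all function names are hypothetical) models how the openid_validate patterns, the required-field list, the two update flags and the sreg mapping interact on a constructed provider response. It assumes that characters matching an openid_validate pattern are removed, that lists are split on commas as in the defaults shown, and that fields the provider did not send are left untouched. Under that model the defaults strip rather than reject, so uppercase letters in the nickname and spaces in the full name are among the characters removed.

```php
<?php
// Added example: a model of the documented settings, not naw_openid's own code.

// Defaults copied from the openid_validate.* entries of the TypoScript Reference.
// Assumption: characters matching the pattern are removed from the value.
const VALIDATE = [
    'nickname' => '[^a-z0-9-_.@]',           // openid_validate.username
    'email'    => '[^a-zA-Z0-9-_.@]',        // openid_validate.email
    'fullname' => '[^a-zA-Z0-9-_.@äöüÄÖÜ]',  // openid_validate.fullname
];
// sreg field => fe_users column, taken from the mapping table.
const SREG_TO_FE_USERS = ['email' => 'email', 'fullname' => 'name',
                          'gender' => 'gender', 'postcode' => 'zip'];

function sanitizeSreg(array $sreg): array
{
    foreach (VALIDATE as $field => $pattern) {
        if (isset($sreg[$field])) {
            // "u" reads pattern and value as UTF-8 (needed for the umlauts).
            // Invalid UTF-8 makes preg_replace return null, which becomes ''.
            $sreg[$field] = (string) preg_replace('/' . $pattern . '/u', '', $sreg[$field]);
        }
    }
    return $sreg;
}

// Returns the required sreg fields that are absent or empty after sanitizing.
function missingRequired(array $sreg, string $required): array
{
    $fields = array_map('trim', explode(',', $required));
    return array_values(array_filter($fields, fn($f) => ($sreg[$f] ?? '') === ''));
}

// $update fills only empty columns; $force overwrites existing values.
// Assumption: fields the provider did not send are left untouched.
function mergeIntoUser(array $user, array $sreg, bool $update, bool $force): array
{
    foreach (SREG_TO_FE_USERS as $field => $column) {
        $value = $sreg[$field] ?? '';
        $isEmpty = ($user[$column] ?? '') === '';
        if ($value !== '' && ($force || ($update && $isEmpty))) {
            $user[$column] = $value;
        }
    }
    return $user;
}

// Constructed sample data: an sreg response and an existing fe_users row.
$sreg = sanitizeSreg(['nickname' => 'Alice<b>', 'email' => 'alice@example.org',
                      'fullname' => 'Alice Müller', 'postcode' => '12345']);
$user = ['email' => 'old@example.org', 'name' => '', 'zip' => ''];
var_dump($sreg, missingRequired($sreg, 'email,fullname'));
var_dump(mergeIntoUser($user, $sreg, true, false));  // updateFieldsFromOpenID
var_dump(mergeIntoUser($user, $sreg, false, true));  // forceUpdateFieldsFromOpenID
```

It needs PHP 7.4 or later and runs from the command line without TYPO3.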
Tutorial¶
This is a step-by-step example for a simple but nice OpenID integration on your web site.
- Make sure curl is available on your server
- Install the extension naw_openid
- Place the OpenID frontend plugin e.g. underneath your regular logon box. Set it to “loginbox” mode.
- For user convenience: Create an extra page named “First-Time OpenID”, set it to “not in menu”, and remember the page's ID. Sample value: 188
- Also place the OpenID frontend plugin on the “First-Time OpenID” page, and also set it to “loginbox” mode.
- Define where you want new OpenID records to be stored (you may want to create one or use your normal fe_user sysfolder), and remember that sysfolder's ID. Note: In this example, OpenID-created users are allowed, and will be stored in the same folder as the OpenID records. In other cases you may want to disallow automatic user creation through OpenID. Sample value: 189
- Find out the IDs of other sysfolders where fe_users are stored that are allowed to be associated with OpenID identities. Sample value: 67,165
- Decide what user group OpenID-created users should belong to, and remember that group's ID. Sample value: 5
- Include the naw_openid static template, and edit your TypoScript Setup:
plugin.tx_nawopenid_pi1 {
  fe_user_pid = 67,165,189
  fe_user_pid_create = 189
  DefaultUsergroupNewUser = 5
  responsePageUIDfromOpenIDServer = 188
}
Done!
You may also want to edit your HTML template, especially if you want to link to your own explanation page.
For further and more detailed configuration options, see the TypoScript section above.
Also consider providing edit capabilities to the users by placing the OpenID plugin in edit mode at an appropriate location.
Known problems¶
Current limitations¶
The “gender” field seems to be mandatory at the OpenID provider side even if set to “optional”, or unset.
Pitfalls to avoid¶
Make sure the plugin instance that is used for the “First-Time OpenID” dialog is not set to “hide after login” (otherwise the “associate” process will not finalize).
TODO¶
- Documentation of “OpenID management” mode
- OpenID for backend users
- Customizable field OpenID mapping (e.g. to tt_address fields)
- Email notification, e.g. when a new user was created
- Semi-automatic OpenID user creation (i.e. with administrative clearing)