From the Drupal list: OpenID login architecture questions
fen at 2idi.com
Thu Feb 9 23:17:56 UTC 2006
Here's something interesting from the Drupal development list.
While I would rather see an i-name or YADIS login since OpenID has no
capability for profile data sharing, nonetheless OpenID has a large number of
users (via LiveJournal) and they are attacking a problem that many sites will
experience: how to distribute currently centralized passworded authentication.
In particular, Drupal enjoys a very large user base and creating a better
login for Drupal would help us all.
I've heard there's an i-name Drupal login project underway - hopefully I am
not mistaken. Is there also a YADIS login project? Is there anyone on either
team who might be able to offer some insights here?
Over the longer term, my hope is that OpenID migrates towards YADIS (which is
more i-name friendly) but for now, helping one helps us all.
-------- Original Message --------
Date: Thu, 9 Feb 2006 14:21:54 -0800
From: Jonathan Daugherty <cygnus at janrain.com>
To: development at drupal.org
Subject: [development] OpenID
A few months ago, a co-worker of mine created a Drupal module to
support OpenID logins. The module was based on Dan Libby's PHP OpenID
library. For anyone wanting to catch up, it was discussed here:
Some other OpenID discussion is here:
I've taken over the development of the module and I've updated the
module to use the JanRain PHP OpenID implementation, which is a
feature-complete port of our Python library. Our PHP library can be
Here is a link to the current module source, which is under fairly
Since authentication in general is probably a topic of considerable
interest to you all, I want to be sure the OpenID module measures up.
I've tried to be sure I understand Drupal's authentication internals
and the role OpenID can play, but please correct me where appropriate.
Here are some notes about the module:
- The plugin declares a block hook and provides a one-field OpenID
login form that appears in the left navbar. The module is not
really an authentication module because it doesn't declare an
appropriate authentication hook (username at server syntax won't work
for OpenID). Various other callbacks in the module handle the
OpenID authentication steps and set $user when appropriate.
- If you log in with an OpenID and don't have a local Drupal account,
an account is created for you with the appropriate authmap record.
However, you'll be prompted for an email address upon successful
OpenID authentication *before* the Drupal account is created. (My
goal here is to make sure any kind of profile info needed is
collected before the OpenID-auth'd user is allowed into Drupal.)
- My major concern is how to blend OpenID with existing accounts so
users can choose to use OpenID for their accounts. On my drupal
installation, I can log in with a username and password or OpenID
to access the same account, provided the appropriate authmap record
is present (which I created manually). The use case we can think
of here is, "I'm already known as johnboy on this Drupal
installation, but I want to access the johnboy account with an
OpenID now. How can I tell Drupal about that?" I'm thinking that
the OpenID module can implement a form to let users configure this,
but it will probably involve setting the users.pass field to NULL.
What do you think? Do you have any recommendations for how we should
go about doing this? What would be consistent for your futuristic
vision of Drupal authentication? Any feedback would be much
More information about the yadis