Description of OpenID updates in MoinMoin by RowanKerr, commissioned by Canonical.
Available in this hg branch: http://hg.moinmo.in/moin/1.9-openid/ (was merged into: http://hg.moinmo.in/moin/1.9 also)
OpenID Background
This work expands on that of Johannes Berg in MoinMoin 1.7. Learn more about OpenID. For detailed information, or if you are a developer, please refer to the OpenID specifications.
Stated simply, OpenID allows you to log in to multiple sites with a single account (represented by a URL). This means fewer passwords to remember and fewer repetitive registration forms to fill out.
MoinMoin uses the python-openid library from JanRain and the Simple Registration extension to transfer identity information from your OpenID provider.
OpenID Relying Party updates
Updated the RP to support the SREG extension for populating user profiles, and Canonical's Teams extension so that Launchpad teams can be used to define ACLs in MoinMoin.
SREG requires the pytz module to convert named time zones into UTC offsets in seconds.
SREG Extension
The Simple Registration (SREG) Extension for OpenID makes it possible to move basic profile data between an OpenID Provider and other sites. Available fields are:
- nickname
- fullname
- dob (date of birth)
- gender
- postcode (postal code/zip code)
- country
- language
- timezone
MoinMoin can assign either the nickname or the fullname as the wiki username, and sets email, language and timezone in the user object. The SREG fields used during authentication are recorded in User.auth_attribs, so they cannot be edited in MoinMoin directly; they are refreshed from the OpenID Provider each time the user logs in.
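The mapping described above, as an added example that is not MoinMoin's own openidrp_sreg module: SREG fields are copied onto user attributes, the configured username field picks the wiki name, a named timezone is converted to a UTC offset in seconds, and every attribute that came from the provider is listed as locked (auth_attribs). The Cfg class, SAMPLE_SREG and SAMPLE_NOW are constructed for the example; the timezone lookup uses the standard-library zoneinfo module instead of pytz, with a swappable lookup so the conversion can run without a system tz database.

```python
"""Map SREG fields onto MoinMoin-style user attributes.

Added example, not MoinMoin's openidrp_sreg module. Assumptions: the SREG
values arrive as a plain dict (python-openid's SRegResponse behaves like
one), the config object carries the openidrp_sreg_* names from this page's
wikiconfig, and named zones are resolved with zoneinfo instead of pytz.
Cfg, SAMPLE_SREG and SAMPLE_NOW are constructed.
"""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# SREG field -> user attribute, following the auth_attribs list quoted in
# the configuration comment: ['name', 'email', 'aliasname', 'language', 'tz_offset']
SREG_TO_ATTRIB = {
    "nickname": "name",
    "fullname": "aliasname",
    "email": "email",
    "language": "language",
    "timezone": "tz_offset",
}


class Cfg:
    """Constructed stand-in for the wikiconfig values on this page."""
    openidrp_sreg_required = ["nickname", "email", "timezone"]
    openidrp_sreg_optional = ["fullname", "language"]

    def __init__(self, username_field="nickname"):
        self.openidrp_sreg_username_field = username_field


def tz_name_to_offset(tz_name, now, tz_lookup=ZoneInfo):
    """Named zone such as 'Europe/Berlin' -> UTC offset in seconds at `now`.

    The offset is evaluated at a concrete instant because it changes with
    daylight-saving time; tz_lookup is swappable for offline tests.
    """
    offset = now.astimezone(tz_lookup(tz_name)).utcoffset()
    return int(offset.total_seconds())


def fixed_offset(seconds):
    """Offline stand-in for ZoneInfo: every zone name maps to one fixed offset."""
    return lambda _name: timezone(timedelta(seconds=seconds))


def sreg_to_user_attribs(sreg, cfg, now, tz_lookup=ZoneInfo):
    """Return (attribs, auth_attribs) for one OpenID login.

    A required field the provider left out raises, so no profile is stored
    with an empty username or e-mail; optional fields are skipped when absent.
    Every attribute taken from the provider is listed in auth_attribs, which
    is what makes the wiki refuse local edits of it and refresh it next login.
    """
    missing = [f for f in cfg.openidrp_sreg_required if not sreg.get(f)]
    if missing:
        raise ValueError("provider omitted required SREG fields: " + ", ".join(missing))
    username = sreg.get(cfg.openidrp_sreg_username_field)
    if not username:
        raise ValueError("no value for username field %r" % cfg.openidrp_sreg_username_field)

    attribs = {"name": username}
    auth_attribs = ["name"]
    for field in list(cfg.openidrp_sreg_required) + list(cfg.openidrp_sreg_optional):
        value = sreg.get(field)
        attrib = SREG_TO_ATTRIB.get(field)  # dob, gender, postcode, country: no attribute here
        if not value or attrib is None or attrib in attribs:
            continue
        if field == "timezone":
            value = tz_name_to_offset(value, now, tz_lookup)
        attribs[attrib] = value
        auth_attribs.append(attrib)
    return attribs, auth_attribs


SAMPLE_SREG = {  # constructed provider response
    "nickname": "rowan",
    "email": "rowan@example.invalid",
    "fullname": "Rowan Kerr",
    "language": "en",
    "timezone": "Europe/Berlin",
}
SAMPLE_NOW = datetime(2010, 1, 15, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    attribs, locked = sreg_to_user_attribs(SAMPLE_SREG, Cfg(), SAMPLE_NOW)
    print(attribs)
    print("locked by provider:", locked)
```

Run as a script it resolves Europe/Berlin through zoneinfo; the fixed_offset helper exists only so the conversion can be exercised where no tz database is installed.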
Teams Extension
Canonical developed the Teams extension to OpenID to transfer the concept of team membership in Launchpad to MoinMoin ACLs and groups. The wikiconfig must specify a list of team names that will be granted access to the wiki, as well as the usual MoinMoin ACL options and the username of an admin account used for editing group pages programmatically.
When a user logs in with OpenID, the teams listed in the openidrp_authorized_teams config variable are requested from the OpenID Provider. On successful authentication, the intersection of the requested teams and the teams the user is a member of is returned to MoinMoin, and the group pages for those teams are then updated with the user's name.
Rowan, maybe we will soon have a better method than "updating group pages", thanks to the groups/dicts backends we'll soon have in moin/1.9 - see http://hg.moinmo.in/moin/1.9-groups-dmilajevs/ (was merged into moin/1.9 main repo).
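The team-to-group flow described above, as an added example that is not MoinMoin's openidrp_teams module: only the configured teams are requested, the provider's answer is intersected with that list, membership claims are honoured only from a provider listed in openidrp_allowed_op, and the matching group pages (team name plus the openidrp_acl_page_postfix) are updated. The example goes one step beyond the page by also removing the user from authorised-team pages the provider no longer confirms, so a departed team member loses the wiki rights on the next login. The Cfg values, endpoint URLs and the dict-of-sets model of group pages are constructed for the example, and it assumes an empty openidrp_allowed_op means any provider is accepted.

```python
"""Teams-extension style group-page sync.

Added example, not MoinMoin's openidrp_teams module. Assumptions: the OP
endpoint URL and the list of teams it returned have already been pulled out
of the python-openid response; group pages are modelled as a dict mapping
page name -> set of member names; the config names are those on this page
(openidrp_allowed_op, openidrp_authorized_teams, openidrp_acl_page_postfix,
page_group_regex); an empty openidrp_allowed_op accepts any provider.
Cfg values and endpoint URLs are constructed.
"""
import re


class Cfg:
    """Constructed stand-in for the Teams/ACL settings in wikiconfig."""
    openidrp_allowed_op = ["https://op.example.invalid/"]  # trusted provider(s); [] = any
    openidrp_authorized_teams = ["wiki-editors", "wiki-admins"]
    openidrp_acl_page_postfix = "Team"
    page_group_regex = r"(?P<all>(?P<key>\S+)%s)" % openidrp_acl_page_postfix


def teams_to_request(cfg):
    """Only the configured teams are ever asked for, so the provider cannot
    volunteer membership in a team the wiki never defined."""
    return list(cfg.openidrp_authorized_teams)


def authorized_teams(cfg, op_endpoint, returned_teams):
    """Teams to honour: the intersection of what was requested and what the
    provider confirmed, and only when the provider is an allowed one.
    Membership claims from an unlisted provider are ignored entirely."""
    if cfg.openidrp_allowed_op and op_endpoint not in cfg.openidrp_allowed_op:
        return set()
    return set(returned_teams) & set(cfg.openidrp_authorized_teams)


def group_page_name(cfg, team):
    """Team 'wiki-editors' -> group page 'wiki-editorsTeam'."""
    return team + cfg.openidrp_acl_page_postfix


def group_key(cfg, page_name):
    """Inverse lookup through page_group_regex; None when the page is not a
    group page. fullmatch is used so that 'wiki-editorsTeamPage' is not
    mistaken for a group page."""
    m = re.fullmatch(cfg.page_group_regex, page_name)
    return m.group("key") if m else None


def sync_group_pages(cfg, pages, username, op_endpoint, returned_teams):
    """Update group pages after a login and return the set of teams honoured.

    The user is added to the group page of every authorised team the provider
    confirmed and, beyond what the page describes, removed from the pages of
    the other authorised teams, so stale membership does not keep rights alive.
    """
    member_of = authorized_teams(cfg, op_endpoint, returned_teams)
    for team in cfg.openidrp_authorized_teams:
        members = pages.setdefault(group_page_name(cfg, team), set())
        if team in member_of:
            members.add(username)
        else:
            members.discard(username)
    return member_of


if __name__ == "__main__":
    cfg, pages = Cfg(), {}
    print("requesting:", teams_to_request(cfg))
    honoured = sync_group_pages(cfg, pages, "RowanKerr",
                                "https://op.example.invalid/",
                                ["wiki-editors", "unrelated-team"])
    print("honoured:", honoured)
    for page, members in sorted(pages.items()):
        print(page, "->", group_key(cfg, page), sorted(members))
```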
Incidental modifications to non-auth specific files
Some HTML generation functions were updated to have extra options to properly generate the OpenID login screens.
Configuration
```python
from MoinMoin.auth.openidrp import OpenIDAuth
from MoinMoin.auth.openidrp_ext.openidrp_sreg import *
from MoinMoin.auth.openidrp_ext.openidrp_teams import *

# use custom functions to chain OpenID extensions together
def localconfig_openidrp_modify_request(oidreq, cfg):
    # add the SREG and Teams requests to the outgoing OpenID request
    openidrp_sreg_modify_request(oidreq, cfg)
    openidrp_teams_modify_request(oidreq, cfg)
    return

def localconfig_openidrp_update_user(info, u, cfg):
    # called for an existing wiki user on each OpenID login
    openidrp_sreg_update_user(info, u, cfg)
    openidrp_teams_update_user(info, u, cfg)
    return

def localconfig_openidrp_create_user(info, u, cfg):
    # called when a new wiki user is created from an OpenID login;
    # returns the (possibly replaced) user object
    u = openidrp_sreg_create_user(info, u, cfg)
    u = openidrp_teams_create_user(info, u, cfg)
    return u

auth = [
    OpenIDAuth(modify_request=localconfig_openidrp_modify_request,
               update_user=localconfig_openidrp_update_user,
               create_user=localconfig_openidrp_create_user),
    ...
]

cookie_lifetime = (1, 12)  # use anonymous_cookie_lifetime for 1.7, anonymous_session_lifetime for 1.6
openidrp_allowed_op = []
openidrp_allow_registration = False
openidrp_registration_url = 'http://...'

# configurable SREG request values
# possible values:
#   nickname, email, fullname, dob, gender, country, language, timezone
# match these up with OpenIDRP.auth_attribs
#   ['name', 'email', 'aliasname', 'language', 'tz_offset']
openidrp_sreg_required = ['nickname', 'email', 'timezone']
openidrp_sreg_optional = ['fullname', 'language']
openidrp_sreg_username_field = 'nickname'  # or 'fullname'

# don't let users change password or have multiple openids
user_form_disable = ['changepass', 'oid']
# remove some options from the large user preferences form
user_form_remove = ['css_url', 'quicklinks']  # optionally also 'password', 'password1', 'password2'

# OpenID Teams configuration
openidrp_authorized_teams = []

# ACL configuration, based on Teams
DesktopEdition = False
openidrp_acl_admin = 'AclAdmin'
openidrp_acl_page_postfix = 'Team'
acl_rights_default = u'Known:read,write All:read'  # ',write,delete,revert,admin' may be appended
acl_rights_before = u'%s:read,write,delete,revert,admin' % openidrp_acl_admin
acl_hierarchic = True
page_group_regex = ur'(?P<all>(?P<key>\S+)%s)' % openidrp_acl_page_postfix
```