* [gentoo-soc] identity.g.o OpenID provider -- weekly report #1
@ 2013-06-23 10:38 Michał Górny
From: Michał Górny @ 2013-06-23 10:38 UTC
To: gentoo-soc

Hello, all.

As announced earlier, my project for this year of GSoC is the deployment
of an OpenID provider on identity.gentoo.org [1]. As stated
in the earlier mail, the main goal is to provide easy-to-use OpenID
identities for all Gentoo developers and at the same time make most
of Gentoo services OpenID-aware.

For those interested in the current development, you can check out
the source code on the GitHub repo [2] and take a look
at the intermediate status/TODO wiki page [3].

Pavlos Ratis (dastergon) is doing another project for
identity.gentoo.org, with his goal being to provide a webui for
accessing and modifying the LDAP records.

Week #1
=======

Status: on schedule

Tasks done:

- Some working initial OpenID code has been written and integrated with
  the webapp. The webapp supports authenticating the user over LDAP, asking
  for permission to submit the identity to the site and submitting
  a proper identity.
- A Django database backend has been written for the python-openid library
  that utilizes the Django ORM to store the OpenID server state data.

Known problems:

- The code lacks proper error responses. However, it's unclear from
  the spec how to properly determine the type of request, especially if
  it's erroneous, and therefore choose a proper response form. I've
  opened a question on Stack Overflow [4] as it was suggested
  on the OpenID IRC channel, but since I didn't get any answer yet I'm
  going to try the mailing list.
- LDAP connection errors are not reported properly, and end up being
  reported as 'invalid username or password'. This was already reported
  upstream by Theo [5] but we're still waiting for a solution.
- The coding has been done on a separate sub-app which means that
  the login URIs in global settings need to be changed for proper OpenID
  support. This will also make merging the changes a bit harder.
- The code raises an exception whenever a different user is being
  logged in than the one requested by OpenID. This is an assertion done
  in python-openid, the library used for OpenID support, and I have
  submitted a pull request allowing a different ID to be used [6].
  However, it's unclear if it's the proper thing to do, therefore I'm
  waiting for upstream to answer it.

Plans for the upcoming week:

- Pull in Pavlos' changes to the webapp UI. Merge my common view
  changes into his new UI.
- Work on integrating the code into the core i.g.o app and cleaning it
  up.
- Implement the proper (or at least semi-proper) error responses.
- Support storing 'always permit this site' preference in the db
  and overriding that preference on login.

[1]:http://article.gmane.org/gmane.linux.gentoo.summer-of-code/1337
[2]:https://github.com/mgorny/identity.gentoo.org
[3]:https://github.com/gentoo/identity.gentoo.org/wiki/TODO_mgorny
[4]:http://stackoverflow.com/questions/17217502/how-to-distinguish-server-side-direct-request-from-an-indirect-request-in-open
[5]:https://groups.google.com/forum/#!topic/django-auth-ldap/utS-Yq_LKPc
[6]:https://github.com/openid/python-openid/pull/61
--
Best regards,
Michał Górny
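
One way to choose the error response form raised under "Known problems", as an added example that is not part of the original message or the project's code: it follows the OpenID Authentication 2.0 rules that a direct error is an HTTP 400 with a key-value body and an indirect error is a redirect to `openid.return_to`. The function names, the returned tuple, and the fallback of rendering a plain page when no usable `return_to` exists are assumptions of this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
DIRECT_MODES = {"associate", "check_authentication"}     # RP server -> OP
INDIRECT_MODES = {"checkid_setup", "checkid_immediate"}  # carried by the browser


def usable_return_to(value):
    """Accept only an absolute http(s) URL with a host as a redirect target."""
    try:
        parts = urlsplit(value or "")
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def error_response(params, message):
    """Return (kind, http_status, headers, body) for a failed OpenID request.

    params is the decoded request (GET query or POST body) as a dict.
    """
    mode = params.get("openid.mode")
    return_to = params.get("openid.return_to")

    if mode not in DIRECT_MODES and usable_return_to(return_to):
        # Indirect error: send the user agent back to the relying party,
        # keeping any query arguments the RP put into return_to.
        parts = urlsplit(return_to)
        query = parse_qsl(parts.query, keep_blank_values=True)
        query += [("openid.ns", OPENID2_NS), ("openid.mode", "error"),
                  ("openid.error", message)]
        location = urlunsplit(parts._replace(query=urlencode(query)))
        return ("indirect", 302, {"Location": location}, "")

    if mode in INDIRECT_MODES or mode is None:
        # Browser request without a safe redirect target: never redirect,
        # show the error to the end user instead (assumed fallback).
        return ("page", 400, {"Content-Type": "text/plain; charset=utf-8"},
                "OpenID request failed: " + message)

    # Direct error: key-value form, one "key:value" pair per line.
    body = "ns:%s\nerror:%s\n" % (OPENID2_NS, message.replace("\n", " "))
    return ("direct", 400, {"Content-Type": "text/plain"}, body)
```

Validating `return_to` before redirecting keeps the error path from turning into an open redirect or a non-HTTP scheme handler.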