1 (edited by webmeister 2014-05-29 17:17)

Topic: [Extension] OpenID 1.1.0

Hello,

I'm pleased to announce my OpenID extension for PunBB, as requested in http://punbb.informer.com/forums/topic/ … -support/. It was developed as part of my bachelor thesis. It makes use of JanRain's PHP OpenID Library 2.1.3 from http://www.openidenabled.com. Though the library itself claims to support PHP 4, the extension requires PHP 5.2 due to heavy use of object-oriented features. Because of the library being backwards compatible, it triggers some warnings when using PHP 5. I have fixed those in the library shipping with the extension; otherwise, it's unchanged.

Features

  • login using OpenID (more than one OpenID per account is possible, traditional password-based login too)

  • registration using OpenID (both SReg and AX are supported to request attributes)

  • add/remove OpenIDs to/from existing accounts

  • authentication using OpenID to change password/e-mail address (instead of entering old password)

  • update profile information using OpenID (again, using SReg or AX)

  • list of users' OpenIDs in profile (private information)

  • administration: user search includes OpenIDs in results

  • administration: search for OpenIDs

  • English and German localisation

Future ideas

  • OpenID-only accounts: flag indicating if a valid password has been set, if not, hide all password input fields

  • sorting of OpenIDs: allow user to set order or select default OpenID to preselect

Known bugs/limitations

  • An attacker may learn which OpenIDs are registered and which are not: a) upon login, attribute requests are sent only for unregistered OpenIDs, b) when adding an additional OpenID to an account, it is first checked whether it is already registered before authenticating; should this behaviour be changed to not leak any information?

  • CSRF form: the confirmation form provided by PunBB does not work for OpenID requests (*). However, it should never be displayed as a custom csrf token is added to each request and checked accordingly.

  • Timezone is not requested using AX extension: Might as well be an OP bug, as it could only be confirmed for myopenid.com, the only OP I'm aware of that supports the AX extension. Can you confirm this behaviour using another provider or do you know of any other provider supporting AX?

(*) This seems to be a rather complex issue. OPs may choose GET or POST when answering a request. When choosing POST, the csrf token that PunBB expects is (obviously) missing, so the csrf confirmation form is displayed. When PunBB generates the csrf confirmation form, it produces one hidden field per received POST parameter. But it has to add two more fields, e.g. for the csrf token. These additional fields confuse the security mechanisms of the OpenID library and the request is denied. This is most probably a library limitation and I can see no possibility for a workaround. The library uses php://input to read POST parameters, so there is no chance to remove the additional parameters before making library calls.

Tested using

  • PunBB 1.3, 1.3.2, 1.3.4

  • MySQL 5.0, 5.1

  • PostgreSQL 8.3

  • PHP 5.2

Tested providers

  • PHPMyID

  • claimid.com

  • meinguter.name

  • myid.net

  • myopenid.com

  • openid.claimid.com

  • pip.verisignlabs.com

  • xlogon.net

Changes

  • 1.1.0: login using XRIs, changes to data format in database, some simplified code

  • 1.0.4: tested compatibility with PunBB 1.3.0, some minor bugs fixed

  • 1.0.3: fixed no/wrong error message displayed when trying to log in with cookies disabled

  • 1.0.2: fixed adding of table name prefixes

  • 1.0.1: two minor bugs managed to hide on my todo list, fixed in this version

  • 1.0.0: first public release

Download
Download: https://dev.asdn.eu/projects/punbb-openid/files
Git-Repository: git://git.asdn.eu/punbb-openid

Please be aware that this is the first public release of this extension. Though I have tested everything I could think of, there may still be some bugs around, including bugs affecting the security, i.e. permitting someone to login without valid authentication etc. Feel free to use it and please report all problems you may encounter.

Regards,
Alexander
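The first post mentions that a custom CSRF token is attached to every OpenID request and checked when the provider answers. The following is an added illustration of that idea, not code from the extension or from the JanRain library; it assumes PHP 7 or later, an active PHP session, and the hypothetical parameter name `oid_csrf`.

```php
<?php
// Illustrative example (not the extension's own code): bind the OpenID
// return_to URL to the visitor's session with a single-use nonce, so a
// forged or replayed provider response is rejected before any library call.

const OPENID_NONCE_KEY = 'openid_nonce';

// Issue a fresh nonce, remember it in the session, and embed it in the
// return_to URL that is handed to the OpenID provider.
function openid_build_return_to($base_return_to)
{
    $nonce = bin2hex(random_bytes(16));
    $_SESSION[OPENID_NONCE_KEY] = array('value' => $nonce, 'issued' => time());
    $sep = (strpos($base_return_to, '?') === false) ? '?' : '&';
    return $base_return_to . $sep . 'oid_csrf=' . $nonce;
}

// Verify the nonce that came back. The provider may answer with GET or
// POST, so the caller passes whichever array applies ($_GET or $_POST).
// The nonce is single-use: it is cleared whatever the outcome, and it
// expires after $max_age seconds to limit the window for a replay.
function openid_check_return_nonce(array $request, $max_age = 600)
{
    if (empty($_SESSION[OPENID_NONCE_KEY])) {
        return false; // no request in flight for this session
    }
    $stored = $_SESSION[OPENID_NONCE_KEY];
    unset($_SESSION[OPENID_NONCE_KEY]);

    $received = isset($request['oid_csrf']) ? (string) $request['oid_csrf'] : '';
    if ($received === '' || time() - $stored['issued'] > $max_age) {
        return false;
    }
    // Constant-time comparison, so the check does not leak via timing.
    return hash_equals($stored['value'], $received);
}
```

The nonce only ties the response to the browser session that started the request; the authenticity of the response itself is still established by the library's signature verification, which runs afterwards.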

2 (edited by KeyDog 2009-08-08 11:01)

Re: [Extension] OpenID 1.1.0

Impressive release, very professional.
Congrats and thx for the effort!

Any idea why I'd get this error when trying to sign on as a new user:

An error was encountered
The error occurred on line 80 in /[...]/extensions/openid/Ext/PunBB/UserData.php
Database reported: Table '[...].openid_map' doesn't exist (Errno: 1146).

I am using an older version of 1.3 (1.3.2 actually with hotfixes) and just modified min tested so that I could install it...

My database: MySQL Improved 5.1.30
Operating system: FreeBSD
PHP: 5.2.9 -
Accelerator: eAccelerator

Re: [Extension] OpenID 1.1.0

The message indicates that the userid-to-openid mapping table was not created. There are two possible reasons, both seeming unlikely:

1. Your PunBB did not execute the code in the install section of the manifest.xml. This is unlikely, because according to PunBB SVN version 1.3.2 already supported the install section. You can try if this is the reason by removing the oid_store directory in the extension directory and perform the installation again. If the installation code is actually executed, either the oid_store directory should be available again or you should see an error message saying that it could not be created.

2. The SQL query used to create the table failed in your MySQL database, but worked with my PostgreSQL database. This is unlikely because if the query fails you should see an error message too, and because the SQL query works with my MySQL 5.0 database.

You can create the table manually using this command (which is the exact query generated by PunBB's mysqli database layer):

CREATE TABLE openid_map ( openid VARCHAR(255) NOT NULL, userid INT(10) UNSIGNED NOT NULL, PRIMARY KEY (openid) ) ENGINE = MyISAM CHARACTER SET utf8

Re: [Extension] OpenID 1.1.0

Hm okay thanks.
Btw:

Please read before installing
WARNING: your web-server should have write access to FORUM_ROOT/extensions/openid/oid_store/. 

I have that as 755 right?

Re: [Extension] OpenID 1.1.0

If the webserver user is the owner of that directory, yes. Otherwise 777 should help. If you do not know who owns that directory or under which user your webserver runs, simply try to log in using OpenID. If it works, everything is ok, otherwise try to change the access rights.

6 (edited by KeyDog 2009-08-09 13:11)

Re: [Extension] OpenID 1.1.0

ok chrs...
hasn't solved my problem... maybe someone else can try and install it and see if they can do it with no problem on MySQL....
thx for feedback up to now anyway...

Re: [Extension] OpenID 1.1.0

What did you try so far to solve the problem? Did you manually create the missing table? Have you checked if the installation code is executed using the method I described above?

8 (edited by KeyDog 2009-08-12 12:55)

Re: [Extension] OpenID 1.1.0

I've installed tons of other exts on 1.3.2 forums and I tried your extension on 3 different ones (and always get the above error). So knowing that, I didn't plan on creating things manually. I was mainly TESTING it and not needing to install it for use by any means....  if you understand....

I suggest an admin here tests it on MySql - if they or someone can install it without a hitch, I'll go back to find out if my provider is somehow blocking something, or I've forgotten to do something or messed my forums up.

Re: [Extension] OpenID 1.1.0

Thanks for your testing so far. Manually creating the table (and the other things mentioned above) might give us a clue about the cause of the problem. If you can't create the table manually, the forum probably can't too, and I could investigate why the error message is missing.

Anyway, I've now installed the old PunBB 1.3.2 using a MySQL 5.0.51a database with mysqli extension and I was able to install the extension without any problems. My server is not completely identical to your setup, but relatively close (I'm using Ubuntu, not FreeBSD, no accelerator, and my software is slightly older: PHP 5.2.4 instead of 5.2.9, MySQL 5.0 instead of 5.1). I have further verified that all hooks used by my extension are present in the 1.3.2 source code, so if there are no other big changes in the surrounding code, the extension should work with 1.3.2 too (I was able to successfully log in using an OpenID, but I have not tested all other functionality).

And as a last test, I denied the PunBB database user the right to create tables, so the subsequent installation attempt failed saying:

An error was encountered
The error occurred on line 351 in /[...]/include/dblayer/mysqli.php
Database reported: CREATE command denied to user 'punbb'@'localhost' for table 'openid_map' (Errno: 1142).

So, error messages seem to be ok.

10

Re: [Extension] OpenID 1.1.0

OK I just went to the phpMyAdmin area and executed the manual inserting of the table.
That worked!
I could now register with OpenID...

Question remains why the ext doesn't insert the table...
Thx.

Re: [Extension] OpenID 1.1.0

There was a potential problem if you were using table name prefixes. In some queries, the prefix was not added correctly. This has been fixed in 1.0.2. Please try to reproduce the problem using this version.

12 (edited by KeyDog 2009-08-12 15:25)

Re: [Extension] OpenID 1.1.0

I was using table name prefixes!
1.0.2. worked fine now.

You can now change min test to 1.3.2 instead of 1.3.4 !

Thx again.

Re: [Extension] OpenID 1.1.0

Incredible extension, thanks a lot.

Are all the bugs fixed now? Should I install it now or is it still in beta?

MyFootballCafe.com  is Now Online!

14 (edited by webmeister 2009-08-13 11:21)

Re: [Extension] OpenID 1.1.0

All the bugs that I am aware of are fixed (except those noted in the first post, but nothing critical there). Though I cannot guarantee that there are no more, I think it is ready to use. If you still encounter any problems, I'll try to fix them asap.

Re: [Extension] OpenID 1.1.0

Punbb 1.3.4, OpenID 1.0.2 in install

Fatal error: Class 'InvalidArgumentException' not found in /var/www/forum/htdocs/extensions/openid/Ext/OpenID/InvalidIdentifierException.php on line 30

Re: [Extension] OpenID 1.1.0

Which version of PHP do you use?

The InvalidArgumentException is part of the Standard PHP Library which "is available and compiled by default in PHP 5.0.0". The InvalidArgumentException itself is available since 5.1. Other features of the extension require at least PHP 5.2, so this is the minimum version you should use.

17 (edited by KeyDog 2009-08-13 15:00)

Re: [Extension] OpenID 1.1.0

Can you try and log in with an openId at http://punbb-b.keydogbb.info

I've tried with mine and keep getting redirected to claimid website and "unable to log in"

18 (edited by dimkalinux 2009-08-14 07:58)

Re: [Extension] OpenID 1.1.0

webmeister wrote:

Which version of PHP do you use?

The InvalidArgumentException is part of the Standard PHP Library which "is available and compiled by default in PHP 5.0.0". The InvalidArgumentException itself is available since 5.1. Other features of the extension require at least PHP 5.2, so this is the minimum version you should use.


PHP: 5.2.8, MySQL5, Linux server.

19 (edited by webmeister 2009-08-14 13:01)

Re: [Extension] OpenID 1.1.0

KeyDog wrote:

Can you try and log in with an openId at http://punbb-b.keydogbb.info

I've tried with mine and keep getting redirected to claimid website and "unable to log in"

What exactly did you enter as your OpenID? As you might have seen, I was able to successfully log in using 'openid.claimid.com/punbb'.

There were however some flaws when trying to log in with disabled cookies. The default PunBB error message 'You appear to have logged in successfully, however a cookie has not been set.' should be displayed, but instead a misleading message was displayed or no message at all. This has been fixed in 1.0.3.

dimkalinux wrote:

PHP: 5.2.8, MySQL5, Linux server.

This is strange. You didn't compile PHP yourself and somehow managed to disable SPL, did you? Google finds almost no results when searching for the error message, so it does not seem to be a common problem.

Are you able to use other SPL functionality such as this script? If so, please post the output.

<?php
var_dump(spl_classes());
?>

Edit: Ok, I did some further research, and there seem to be some distributions that disable SPL by default, for example Gentoo. Which distribution do you use?

You can check if SPL is enabled using the output of phpinfo(), there should be a section labelled 'SPL' stating that it is enabled and listing the available interfaces and classes.

20 (edited by KeyDog 2009-08-14 13:07)

Re: [Extension] OpenID 1.1.0

Ok cool I just tested it with the VeriSign service - much better experience. worked!! (pip.verisignlabs.com I recommend!). I might have entered an invalid claimid on a few attempts (just the http://claimid.com/name instead of http://openid.claimid.com/name - which you now fixed so it says invalid address)

As I have captcha activated it also asked me for that when registering back in the forum itself. Just fyi.

Re: [Extension] OpenID 1.1.0

I noticed the captcha too, but I think it is ok the way it is. If you want your users to enter a captcha, they should do so when using an OpenID too (otherwise a spammer might just use his own OpenID provider to bypass the captcha). From the viewpoint of the OpenID extension, the captcha is just some other error that needs to be fixed by the user (as, for example, a duplicate user name). Or did you notice any problems when using OpenID and captcha?

Which extension provides the captcha functionality?

22 (edited by KeyDog 2009-08-14 14:14)

Re: [Extension] OpenID 1.1.0

webmeister wrote:

Which extension provides the captcha functionality?

(Official Extension)
Antispam System
Created by PunBB Development Team.
Version v1.2.
Adds CAPTCHA to the register, login and guest post form.


webmeister wrote:

I noticed the captcha too, but I think it is ok the way it is

Yeah, I think it's okay as well.

webmeister wrote:

Or did you notice any problems when using OpenID and captcha?


No I just mentioned it because it prolongs the registration process.
I guess depending on the openid provider it would be less entering of information - with VeriSign quite a few parameters can be selected/entered....

Edit: Just saw VeriSign does offer One-Click Sign-In - but one just needs to add certain sites as bookmarks....

Re: [Extension] OpenID 1.1.0

KeyDog wrote:

Adds CAPTCHA to the register, login and guest post form.

A captcha on the login form? Isn't that just overkill? In my opinion, this is as good as saying "I don't want anybody to use this forum". Users might be used to enter a captcha once when registering, but every time they want to log in?

What benefit does this provide anyway? To log in, you need to have an account. If you have an account, you have at least once successfully entered the captcha on the registration form. And that means, that you are either human or have successfully broken the algorithm used by the captcha. In both cases, solving another captcha is useless.

KeyDog wrote:

No I just mentioned it because it prolongs the registration process.
I guess depending on the openid provider it would be less entering of information - with versign quite a few parameters can be selected/entered....

Under ideal circumstances, the registration process is completed without any further user interaction after entering the OpenID. Ideal means:

  • OP provides at least username and e-mail address via Simple Registration or Attribute Exchange Extension

  • PunBB does not complain about either of them (username already taken etc.)

  • you don't have to enter a captcha ;)

24 (edited by KeyDog 2009-08-14 15:16)

Re: [Extension] OpenID 1.1.0

good points :)
question is: should the pun devs of that ext add an exception for this ext of yours? i.e. best would be if the captcha ext knows that if someone with openid is registering or at least logging in, it shouldn't bother asking for captcha entering...

webmeister wrote:

If you want your users to enter a captcha, they should do so when using an OpenID too (otherwise a spammer might just use his own OpenID provider to bypass the captcha)

you think it's likely that they easily bypass via own openid provider?

maybe options could be added to captcha ext
a.  disable for openId registrations
b.  disable for openId log ins....

25 (edited by webmeister 2009-08-14 17:35)

Re: [Extension] OpenID 1.1.0

The wiki says, the login captcha is meant to prevent "Bruteforcing the passwords". In this case, I think, it is the wrong tool for the job. If someone makes an effort to get a password using brute force on the login form, the captcha won't stop him. It looks rather weak, so even standard OCR software should be able to read the text without applying some special algorithms. If you really want to prevent brute force attacks, you should deny the login (based on the IP address) every twenty failed attempts in a row for five minutes or something similar. As brute force involves testing a huge number of passwords, an attacker does not get very far with 240 passwords per hour, but a user who has forgotten his password and tries to recover it, might eventually succeed.

KeyDog wrote:

you think its likely that they easily bypass via own openid provider?

I think it is more likely that someone breaks the captcha. As noted above, it is not very strong, so breaking it does not require huge efforts. In addition, a captcha nowadays is a common obstacle, so attackers are already prepared to break it. OpenID, on the other hand, is still rather unknown, and I can't yet imagine an attacker who is prepared to use it, for example by operating a provider that successfully authenticates every request to simulate a huge number of users.

KeyDog wrote:

maybe options could be added to captcha ext
a.  disable for openId registrations
b.  disable for openId log ins....

That's the question. Should the antispam extension detect the presence of the OpenID extension, ask the OpenID extension if an OpenID request was received and in that case disable itself, or should the OpenID extension detect the presence of the antispam extension, and use its hooks to bypass the captcha? In my opinion, the latter option makes more sense (given that the hooks are at the right spots), but at the moment I won't implement it. Time is always short, so I have to concentrate on the important things, and as I personally would not use the antispam extension in the current state (weak captcha, captcha on login form), it can't be considered important. However, patches are welcome.

Edit: But I made one small change: My code removed too much markup responsible for displaying "required" at form fields, so for example the captcha input field does not look like it should. The new code will remove it only from the necessary fields. The change has already been committed to the Git repository and will be in the next release.
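The throttling rule proposed in the post above (deny logins from an IP address for five minutes after twenty failed attempts in a row, which caps an attacker at 240 guesses per hour) can be written down as a small policy object. This is an added example, not code from PunBB or from the antispam or OpenID extension; it assumes PHP 7 or later and keeps its state in memory, whereas a real deployment would persist it in the forum database.

```php
<?php
// Illustrative login throttle (not PunBB code): twenty consecutive failures
// from one IP start a five-minute lockout; a successful login or an expired
// lockout resets the streak. The clock is passed in so the policy is easy
// to test without waiting.
class LoginThrottle
{
    const MAX_FAILURES = 20;     // failed attempts in a row before lockout
    const LOCKOUT_SECONDS = 300; // five minutes

    // ip => array('count' => consecutive failures, 'locked_until' => unix ts)
    private $attempts = array();

    // May this IP attempt a login at time $now?
    public function isAllowed($ip, $now)
    {
        if (!isset($this->attempts[$ip])) {
            return true;
        }
        return $this->attempts[$ip]['locked_until'] <= $now;
    }

    // Record one failed attempt; start the lockout when the threshold is hit.
    public function recordFailure($ip, $now)
    {
        if (!isset($this->attempts[$ip])) {
            $this->attempts[$ip] = array('count' => 0, 'locked_until' => 0);
        }
        $entry = &$this->attempts[$ip];

        // An expired lockout starts a fresh streak of twenty.
        if ($entry['locked_until'] > 0 && $entry['locked_until'] <= $now) {
            $entry = array('count' => 0, 'locked_until' => 0);
        }

        $entry['count']++;
        if ($entry['count'] >= self::MAX_FAILURES) {
            $entry['locked_until'] = $now + self::LOCKOUT_SECONDS;
            $entry['count'] = 0;
        }
    }

    // A successful login ends the streak, so a legitimate user who finally
    // remembers the password is not penalised afterwards.
    public function recordSuccess($ip)
    {
        unset($this->attempts[$ip]);
    }
}

// Constructed walk-through: 20 failures lock the address, the lock lifts
// after 300 seconds.
$t = new LoginThrottle();
for ($i = 0; $i < 20; $i++) {
    $t->recordFailure('192.0.2.10', 1000 + $i);
}
var_dump($t->isAllowed('192.0.2.10', 1020)); // bool(false)
var_dump($t->isAllowed('192.0.2.10', 1320)); // bool(true)
```

Keying only on the client IP is the simplest form of the rule; behind a shared proxy or NAT it can lock out many users at once, so a deployed version would usually also count failures per account.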