Topic: [Extension] OpenID 1.1.0
I'm pleased to announce my OpenID extension for PunBB, as requested in http://punbb.informer.com/forums/topic/ … -support/. It was developed as part of my bachelor thesis. It makes use of JanRain's PHP OpenID Library 2.1.3 from http://www.openidenabled.com. Though the library itself claims to support PHP 4, the extension requires PHP 5.2 due to heavy use of object-oriented features. Because the library is kept backwards compatible, it triggers some warnings under PHP 5. I have fixed those in the library shipping with the extension; otherwise, it's unchanged.
login using OpenID (more than one OpenID per account is possible, traditional password-based login too)
registration using OpenID (both SReg and AX are supported to request attributes)
add/remove OpenIDs to/from existing accounts
authentication using OpenID to change password/e-mail address (instead of entering old password)
update profile information using OpenID (again, using SReg or AX)
list of a user's OpenIDs in the profile (private information)
administration: user search includes OpenIDs in results
administration: search for OpenIDs
English and German localisation
OpenID-only accounts: a flag indicating whether a valid password has been set; if not, all password input fields are hidden
sorting of OpenIDs: allow the user to set the order or select a default OpenID to preselect
An attacker may learn which OpenIDs are registered and which are not: a) upon login, attribute requests are sent only for unregistered OpenIDs; b) when adding an additional OpenID to an account, before authenticating, it is first checked whether it is already registered. Should this behaviour be changed so as not to leak any information?
CSRF form: the confirmation form provided by PunBB does not work for OpenID requests (*). However, it should never be displayed as a custom csrf token is added to each request and checked accordingly.
Timezone is not requested using the AX extension: this might just as well be an OP bug, as it could only be confirmed for myopenid.com, the only OP I'm aware of that supports the AX extension. Can you confirm this behaviour using another provider, or do you know of any other provider supporting AX?
(*) This seems to be a rather complex issue. OPs may choose GET or POST when answering a request. When choosing POST, the csrf token that PunBB expects is (obviously) missing, so the csrf confirmation form is displayed. When PunBB generates the csrf confirmation form, it produces one hidden field per received POST parameter. But it has to add two more fields, e.g. for the csrf token. These additional fields confuse the security mechanisms of the OpenID library and the request is denied. This is most probably a library limitation and I can see no possibility for a workaround. The library uses php://input to read POST parameters, so there is no way to remove the additional parameters before making library calls.
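The per-request csrf token mentioned above, as an added PHP example that is not the extension's or the JanRain library's own code: the token is placed in return_to before the request is sent, so the OP carries it back inside the signed openid.return_to (which the library compares against the actual URL, the same check that trips over PunBB's extra hidden fields), and it is verified on return. The return URL, the 15-minute lifetime and the session layout are assumptions, and random_bytes()/hash_equals() need PHP 7 or newer.

```php
<?php
// Constructed return URL; the extension's real paths are not on the page.
const OPENID_RETURN_URL = 'https://forum.example/login.php?action=openid_return';

// Issue a fresh one-time token, remember it in the session and return the
// return_to URL to pass to Auth_OpenID_AuthRequest::redirectURL($realm, $return_to).
function openid_return_to_with_token(): string
{
    $token = bin2hex(random_bytes(16));               // 128-bit CSPRNG token
    $_SESSION['openid_csrf'] = ['token' => $token, 'issued' => time()];
    return OPENID_RETURN_URL . '&csrf_token=' . rawurlencode($token);
}

// Verify the token when the OP redirects back. The token travels in the query
// string of return_to for both GET and POST responses, which is why the normal
// PunBB POST form token cannot be relied on here.
function openid_check_csrf_token(array $query): bool
{
    if (!isset($_SESSION['openid_csrf'], $query['csrf_token'])) {
        return false;
    }
    $stored = $_SESSION['openid_csrf'];
    unset($_SESSION['openid_csrf']);                 // single use: a replayed URL fails
    if (time() - $stored['issued'] > 900) {          // 15-minute lifetime (assumption)
        return false;
    }
    return hash_equals($stored['token'], (string) $query['csrf_token']);
}

// Sketch of use around the JanRain consumer (Auth_OpenID_Consumer, 2.x API):
//   $auth = $consumer->begin($identifier);
//   header('Location: ' . $auth->redirectURL($realm, openid_return_to_with_token()));
// ...and on return, before trusting the response:
//   if (!openid_check_csrf_token($_GET)) { exit('Invalid OpenID request token.'); }
//   $current = OPENID_RETURN_URL . '&csrf_token=' . rawurlencode($_GET['csrf_token']);
//   $response = $consumer->complete($current);      // library re-checks signed return_to
```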
PunBB 1.3, 1.3.2, 1.3.4
MySQL 5.0, 5.1
1.1.0: login using XRIs, changes to data format in database, some simplified code
1.0.4: tested compatibility with PunBB 1.3.0, some minor bugs fixed
1.0.3: fixed no/wrong error message displayed when trying to log in with cookies disabled
1.0.2: fixed adding of table name prefixes
1.0.1: two minor bugs managed to hide on my todo list, fixed in this version
1.0.0: first public release
Please be aware that this is the first public release of this extension. Though I have tested everything I could think of, there may still be some bugs around, including bugs affecting security, i.e. permitting someone to log in without valid authentication etc. Feel free to use it and please report all problems you may encounter.