
Bug 355395

Summary: [user] OpenID auth should let in only those OpenIDs that are already attached to existing Orion accounts
Product: [ECD] Orion
Reporter: John Arthorne <john.arthorne>
Component: Server
Assignee: Malgorzata Janczarska <malgorzata.tomczyk>
Status: VERIFIED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: malgorzata.tomczyk, Szymon.Brandys
Version: unspecified
Target Milestone: 0.3 M2
Hardware: PC
OS: Windows 7
Whiteboard:
Bug Depends on: 336212
Bug Blocks:

Description John Arthorne CLA 2011-08-22 10:32:41 EDT
We don't enable OpenID login on orionhub and orion.eclipse.org, because that would allow anyone in the world to create a new account on those servers. However, it would be useful for those who already have accounts to associate an OpenID profile with it. One less password to worry about! Can we enable adding OpenID profiles to an existing account, while preventing new account creation via OpenID?
Comment 1 Szymon Brandys CLA 2011-08-22 11:11:11 EDT
.

*** This bug has been marked as a duplicate of bug 336212 ***
Comment 2 John Arthorne CLA 2011-08-22 12:55:01 EDT
On OrionHub and orion.eclipse.org, I cannot add an OpenID to my existing profile, so this is not a duplicate.
Comment 3 Szymon Brandys CLA 2011-08-23 06:02:22 EDT
(In reply to comment #0)
> Can we enable adding
> OpenID profiles to an existing account, while preventing new account creation
> via OpenID?

Yes. We could make OpenID auth configurable to let in only those OpenIDs that are already attached to existing Orion accounts. So a user would have to add an OpenID to his account first before he starts using OpenID.
Comment 4 John Arthorne CLA 2011-08-23 08:47:31 EDT
(In reply to comment #3)
> Yes. We could make OpenID auth configurable to let in only those OpenIDs that
> are already attached to existing Orion accounts. So a user would have to add an
> OpenID to his account first before he starts using OpenID.

Yes, that's what I was thinking. Once we give someone an account on orionhub, it would be really handy if they could later login using their OpenID profile. I figured this shouldn't be a big thing to do now that we can add OpenIDs to existing profiles.
Comment 5 Malgorzata Janczarska CLA 2011-08-29 05:25:15 EDT
Logging in with an OpenID account also depends on the orion.auth.user.creation property, which AFAIK you are using on orionhub and orion.eclipse.org.
If creating accounts by an anonymous user is not allowed, the user won't be able to create a new user account with OpenID either. If a user tries to log in with an OpenID that is not attached to any existing Orion account, he will get the message: "Your authentication was successful but you are not authorized to access Orion".
For existing accounts, users may add OpenID identifiers and use them to log in later. So this is, I think, what you need.
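
The login gate described in comment 5, sketched as an added example (not part of the bug report and not Orion's own code). The `UserStore` class, its method names, the sample account and the sample identifier are hypothetical; only the `orion.auth.user.creation=admin` setting and the denial message come from this thread, and treating any other value as "self-registration allowed" is an assumption.

```python
from dataclasses import dataclass, field

DENIED_MSG = "Your authentication was successful but you are not authorized to access Orion"

@dataclass
class Account:
    login: str
    openids: set = field(default_factory=set)

class UserStore:
    """Hypothetical in-memory stand-in for the server's user store."""
    def __init__(self, config):
        # "admin" means anonymous users cannot create accounts (assumed: anything else allows it).
        self.admin_only = config.get("orion.auth.user.creation") == "admin"
        self.accounts = {}

    def find_by_openid(self, claimed_id):
        # Exact match on the identifier the provider verified; no prefix or fuzzy matching.
        return next((a for a in self.accounts.values() if claimed_id in a.openids), None)

    def attach_openid(self, session_login, claimed_id):
        """Link a verified OpenID to the account that owns the current session."""
        account = self.accounts.get(session_login)
        if account is None:
            raise PermissionError("must be logged in to attach an OpenID")
        if self.find_by_openid(claimed_id) not in (None, account):
            raise ValueError("OpenID already attached to another account")
        account.openids.add(claimed_id)

    def openid_login(self, claimed_id):
        """Call only after the provider's assertion for claimed_id has been verified."""
        account = self.find_by_openid(claimed_id)
        if account:
            return ("ok", account.login)
        if self.admin_only:
            # Authenticated by the provider but not authorized here: no account is created.
            return ("denied", DENIED_MSG)
        new = Account(login=claimed_id, openids={claimed_id})
        self.accounts[new.login] = new
        return ("created", new.login)

def demo():
    store = UserStore({"orion.auth.user.creation": "admin"})
    store.accounts["john"] = Account("john")      # constructed sample account
    oid = "https://openid.example/john"           # constructed sample identifier
    before = store.openid_login(oid)              # not attached yet
    store.attach_openid("john", oid)              # done from john's logged-in session
    after = store.openid_login(oid)               # now attached
    return before, after, len(store.accounts)
```

The point of the gate is that a successful provider assertion is authentication only; the account lookup is the authorization step, and with account creation restricted it must fail closed instead of provisioning a user.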
Comment 6 Szymon Brandys CLA 2011-08-29 06:22:15 EDT
(In reply to comment #5)
> Logging in with OpenId account is dependent also on orion.auth.user.creation
> property, that AFAIK you are using on orionhub and orion.eclipse.org.
> If creating accounts by anonymous user is not allowed user won't be able to
> create a new user account with OpenId as well. If user is trying to log in with
> an openid that is not attached to any existing Orion account he will get
> information: "Your authentication was successful but you are not authorized to
> access Orion".
> For existing accounts users may add openid identifiers and use them to log in
> later. So this is I think what you need.

Recently, when orion.auth.user.creation=admin is set, the server prevents creating accounts by anonymous users. However, it is not well handled by our UI. For instance, we still show the "Create account" link, and when we try to create an account we get an "Undefined" error on the UI.

Moreover, if orion.auth.user.creation=admin is set and one wants to use OpenID, we should still show OpenID icons on the login UI and just show a prompt to contact the administrator on an OpenID login attempt.

So there is still work to do here...
Comment 7 John Arthorne CLA 2011-08-29 11:02:41 EDT
(In reply to comment #5)
> For existing accounts users may add openid identifiers and use them to log in
> later. So this is I think what you need.

I'm not seeing this. For example, on orion.eclipse.org, when I look at my profile page I do not see the UI to associate an OpenID with my account. Also, as Szymon mentioned, the login dialog doesn't display the option to log in via OpenID (for the case where an existing Orion profile has added an OpenID to it).
Comment 8 Malgorzata Janczarska CLA 2011-08-30 04:30:33 EDT
On orion.eclipse.org we have an authentication method set to FORM and this is why you don't see the OpenId icons and the external accounts section in the user profile. I tested this scenario and there are two problems already mentioned by Szymon in comment 6:
1. We still show "Create account"
2. The information that user is not authorized to use Orion is not shown on UI
I think when those two are fixed we may safely change authentication method to FORM+OpenId.
Comment 9 Malgorzata Janczarska CLA 2011-09-02 11:43:05 EDT
(In reply to comment #8)
> 2. The information that user is not authorized to use Orion is not shown on UI
This is done; however, the information is displayed in the popup window in plain text. I think it would be nicer to make it a little prettier, but I don't have ideas where to put it. Displaying it on the login window would be a good idea, but at this point we are redirected to a client that doesn't really have the knowledge of what authentication has been performed.
Comment 10 Malgorzata Janczarska CLA 2011-09-05 07:24:04 EDT
> 1. We still show "Create account"
This is done. I'll look for a better way to display message for comment 9 and I'll ask you to verify if we can consider this as done.
Comment 11 Malgorzata Janczarska CLA 2011-09-05 11:36:19 EDT
> I'll look for a better way to display message for comment 9 and
> I'll ask you to verify if we can consider this as done.
The message is displayed on the login window. I had to modify server, but it works fine.
John, can we say the requirements from comment 0 were fulfilled and close this bug?
Comment 12 John Arthorne CLA 2011-09-06 13:55:22 EDT
I'd like to try it out on orion.eclipse.org. Do I need to change authentication to FORM+OpenID to test this?
Comment 13 Malgorzata Janczarska CLA 2011-09-07 04:27:09 EDT
(In reply to comment #12)
> I'd like to try it out on orion.eclipse.org. Do I need to change authentication
> to FORM+OpenID to test this?
Yes, and set (uncomment) the orion.auth.user.creation=admin preference in the configuration file if it's not done already.
Comment 14 Malgorzata Janczarska CLA 2011-09-15 03:54:04 EDT
(In reply to comment #12)
> I'd like to try it out on orion.eclipse.org. Do I need to change authentication
> to FORM+OpenID to test this?
John, did you try it? Tell me if I can close this bug.
Comment 15 John Arthorne CLA 2011-09-15 10:40:27 EDT
I want to verify on orion.eclipse.org but other problems have prevented it. Anyway you can close this, and I can mark it VERIFIED once I confirm it is working on orion.eclipse.org.
Comment 16 Malgorzata Janczarska CLA 2011-09-16 05:09:09 EDT
(In reply to comment #15)
> I want to verify on orion.eclipse.org but other problems have prevented it.
> Anyway you can close this, and I can mark it VERIFIED once I confirm it is
> working on orion.eclipse.org.
done
Comment 17 John Arthorne CLA 2011-09-16 10:12:21 EDT
Verified in I20110915-2200 running on orion.eclipse.org
Comment 18 Malgorzata Janczarska CLA 2011-09-16 10:57:02 EDT
(In reply to comment #17)
> Verified in I20110915-2200 running on orion.eclipse.org
Thanks John!