Support for OpenID
The goal is to let people use OpenID to attach and log in to BOINC projects.
There are now two types of accounts on a given BOINC project:
- those authenticated with a project-specific password; a password hash is stored in the DB.
- those authenticated via an OpenID provider; the provider URL is stored in the DB.
In both cases, an email address uniquely identifies the account; OpenID can be used only with providers who return an email address and a name.
The Login page will show links to various OpenID providers as well as an email/password form.
If the user enters an email/password, and the account is an OpenID account, they get an error message.
If a user authenticates with OpenID, and an account with that email already exists but is either not an OpenID account or uses a different OpenID provider, they get an error message.
NOTE: logging in with OpenID automatically creates an account if no account with that email address exists. If an account does exist, its name and country fields are overwritten with data supplied by the OpenID provider, if any.
For users who remember their email address but forgot their OpenID provider (or it no longer exists), the "forget password?" link lets them get an email sent to their address that lets them log in, from which point they can reset things.
On the Your Account page, instead of "change email address" and "change password" links, there will be a "change login information" link. This will go to a page that:
- lets an OpenID account change to a different OpenID
- lets an OpenID account change to an email/password account
- lets an email/password account change to an OpenID account
On the "change other account info" page, OpenID accounts will not be able to edit their user name; this comes from the OpenID provider.
- On the "identify your account" page of the Attach Project wizard, add a "Log in with OpenID" button.
- Selecting this opens a web browser window.
- User sees a page on project site listing OpenID providers (Google, Facebook, etc.). User clicks one.
- The user sees the provider's login page. Depending on the provider, they may see "OK to send email addr to (project URL)?"
- On successful login, user sees Welcome page on project site
- Wizard shows Done page
- openid_login. fields: nonce, status, create_time
Project PHP pages
- openid_login.php: Manager goes here. It takes a nonce ID as an arg. It creates an openid_login record. Shows list of links to OpenID providers.
- openid_callback.php: Called by OpenID provider. Takes nonce ID as arg. Creates user record if needed. Displays status to user. Updates status field of openid_login record.
- openid_poll.php: Web RPC called by client. Takes nonce ID as arg. Returns status and, if successful, authenticator.
- openid_poll(url, nonce): initiate call to openid_poll.php
- openid_poll_poll(status): poll for completion; if success, return authenticator
If user selects OpenID login:
- create nonce ID, open browser to openid_login.php
- show "communication with project" page
- call openid_poll() and openid_poll_poll() until get status other than PENDING
- On success, do project_attach() GUI RPC using authenticator
- show success or failure in wizard