OpenID Plugin won't validate blog owners

OpenID Plugin won't validate blog owners

Postby BattleMage on Thu Jun 25, 2009 1:45 am

I'm using Lifetype with the OpenID plugin as an OpenID Provider. My Lifetype is configured to use subdomains in the form of http://{username}.domain.tld. That makes my users having http://username.domain.tld/OpenID.php as OpenIDs.
The plugin only checks if the user is allowed to login, which is always true if he has an account for any blog on the site. user2 is allowed to login under http://user1.domain.tld/admin.php. user2 must choose his own blog after logging in.
How do I get unique OpenIDs for my users so that user2 won't be able to login with user1's OpenID?
Posts: 11
Joined: Thu Apr 19, 2007 7:54 am
LifeType Version: 1.2.11 [modified]

Re: OpenID Plugin won't validate blog owners

Postby jondaley on Mon Jun 29, 2009 10:33 am

Hrm, interesting problem. Not trivially solvable.

I guess it could be solved in two ways:

1. Make it so that only users that match the {username} (and {blogname} and {blogdomain} as appropriate) can login via their own URL.

2. Change the openID plugin so it performs those additional checks.

Option 1 is nicer, since it solves your problem, and makes more sense. But that won't get done until 2.0, which is probably a long ways off, since I've had so much trouble getting 1.2.9 done.

You might be able to do part of Option 2 that would work on your site, since you are using the {username} method of subdomains, which is probably easier to get working than the {blogdomain} etc. You'd just need to make sure the username matches the subdomain part as well as logging in. (I'd check that the username matches before even checking the password).
Lifetype Expert
Posts: 6169
Joined: Thu May 20, 2004 6:19 pm
Location: Pittsburgh, PA, USA
LifeType Version: 1.2.11 devel branch

Return to General Plugin Development