I wholly agree with Kirby's post here. There is, after a long wait and much demand, finally an OAuth2 authorization framework implementation in place. I never gave it a look till now as I didn't need to implement an SSO with XenForo as an identity provider, but now I need to do so.
The current OAuth2 implementation doesn't seem to cover the authentication aspect of the users (XF as an IdP) towards a 3rd party. I couldn't find ANY documentation regarding this. It stands to reason why (in this time with all kinds of security breaches going on) they just didn't include OIDC at the same time as well. 99/100 times you need authentication as well. If you'd do it securely (or as secure as possible) at this moment in time, you're gonna need to implement your own layer on top of OAuth2. This is something that really is a no-no for 99/100 developers as it is really complex, unless you're a security specialist (and even then...).
As there are so many good libraries available, it shouldn't be very hard to implement this as the backbone is already in place. There is another post here that says that XF relies on an old/outdated package for its current OAuth structure. I can't confirm that (yet), because I haven't looked at that part of the code. However, if that is the case... Dear XF, please consider switching to one of the phpleague OAuth packages as they are among the best available in PHP country.
I'll probably get canned for this, but I'll have to say this regardless (with all respect and right intentions, mind!)... To hopefully get a response I'll include a reference to @Chris D here as I really think this needs some more looking at and he published said article. I have difficulties with XenForo justifying the claims made in their corresponding OAuth2 HYS thread where they state that with this, as it is, you can provide SSO (which is authentication and authorization). To put it bluntly: No, in my strong opinion, this is not suitable for authentication as it currently is released. If that is the case and I'm wrong (which I'd like nothing more to be in this case), then please show me how you think this should be implemented by a 3rd party securely as I'm afraid we'll get a lot of wrong implementations and assumptions as it is currently released. With the current implementation I believe it is not possible to do authentication (which is not authorization!) securely, due to possible token replay attacks and what-not. True, a lot depends on how XenForo implemented their OAuth2 structure. However, dear XF... If I'm in the wrong (and I really hope so), please prove that it is secure as I don't think it is. Not without the OpenID Connect (or OIDC in short) layer on top (which I can't find anything about anywhere on your site/docs). Advertising that you can use this, as is, for authentication (which SSO contains), without solidly backing this up with transparent examples is, in my view, misleading. A lot of people assume OAuth2 equals authentication, but it doesn't! Not here to flame you guys, but I'm a (concerned) developer too and have worked on numerous proprietary OAuth2 implementations when OIDC wasn't there yet and I've seen it go wrong (luckily almost always caught in time with audits) just too many times. I wouldn't wish this to happen to you as well, because I really like XenForo!
If, for any reason, I'm posting this in the wrong suggestion and I have to open another one for this, do let me know as well. There is more than one OpenID spec available (take a look at OpenID on the SMF forum, which is not the OIDC I refer to), so it is kind of confusing as to what most people refer to when they say 'OpenID'. When I say OpenID, I mean OpenID Connect, which is an authentication layer on top of OAuth2's authorization framework.
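The distinction the post draws between OAuth2 authorization and OIDC authentication, worked through as an added example (not part of the original post, and not XenForo's or phpleague's code): the relying party validates an OIDC ID token the way OIDC Core requires, checking signature, issuer, audience, expiry and a per-login nonce, so that a token captured from an earlier login fails the nonce check instead of silently logging the attacker in. The issuer URL, client id, client secret, subject and HS256 signing are all constructed assumptions so the example runs offline with the standard library only; a real IdP normally signs ID tokens with RS256 and publishes its keys via JWKS, and the checks below are the same.

```python
"""Minimal OIDC ID-token issue/validate round trip (constructed example).

An OAuth2 access token only proves that *some* grant happened; it carries no
audience-bound, signed identity statement the relying party can verify.  The
OIDC ID token does, and binding it to a per-login nonce is what stops a
replayed token from being accepted as a fresh login."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values; a deployment takes these from the IdP's discovery document.
ISSUER = "https://idp.example.test"
CLIENT_ID = "example-client"
CLIENT_SECRET = b"constructed-client-secret"  # shared secret for HS256 in this example only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, nonce: str, now: int,
                   audience: str = CLIENT_ID, secret: bytes = CLIENT_SECRET) -> str:
    """IdP side: mint an ID token bound to one client (aud) and one login (nonce)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce: str, now: int,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """Relying-party side: the checks OIDC Core 3.1.3.7 requires.
    Returns the verified claims or raises ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued to another client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce")), expected_nonce):
        raise ValueError("nonce mismatch: replayed or injected token")
    return claims


def login_flow(now: int, replay_token=None):
    """One relying-party login; returns (accepted, subject_or_error, token).
    A fresh nonce is generated per login and kept in the user's session before
    the redirect to the IdP, so a token captured from an earlier login
    (passed as replay_token) no longer matches and is rejected."""
    nonce = secrets.token_urlsafe(16)
    token = replay_token or issue_id_token("user-42", nonce, now)
    try:
        claims = validate_id_token(token, nonce, now)
        return True, claims["sub"], token
    except ValueError as err:
        return False, str(err), token


if __name__ == "__main__":
    now = int(time.time())
    accepted, subject, token = login_flow(now)
    print("fresh login accepted:", accepted, subject)
    accepted, reason, _ = login_flow(now, replay_token=token)
    print("replayed token accepted:", accepted, "->", reason)
```

Run as a script it accepts the fresh login and rejects the same token presented to a second login. The same structure applies when the IdP is XenForo or any other provider: without the signed, audience- and nonce-bound ID token there is nothing for the relying party to verify, which is the gap the post is describing.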