Allow OpenID users to select which information to send to the Relying Party
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical SSO provider |
Fix Released
|
High
|
Unassigned |
Bug Description
We currently have limited support for OpenID Simple Registration Extension where we will unconditionally send certain information (nickname, fullname, email) to certain known relying parties.
After phase 1 is complete it'd be good to improve this:
* limit the data sent to that which the RP says is required (through the openid.
* should we give the user the option to decide which pieces of data to provide (as opposed to providing everything requested or not authenticating at all)?
* decide whether some of the info we know about the user is okay to disclose to third parties with the user's permission. For this info, we should provide without checking the openid_limited_sreg config value.
Related branches
- Canonical ISD hackers: Pending requested
-
Diff: 1374 lines (+836/-182)13 files modifiedidentityprovider/forms.py (+180/-2)
identityprovider/media/ubuntu/narrow.css (+6/-1)
identityprovider/media/ubuntu/styles.css (+11/-1)
identityprovider/models/account.py (+1/-1)
identityprovider/models/openidmodels.py (+16/-1)
identityprovider/models/team.py (+19/-0)
identityprovider/templates/decide.html (+88/-10)
identityprovider/tests/test_forms.py (+250/-0)
identityprovider/tests/test_models_openidmodels.py (+17/-3)
identityprovider/tests/test_models_team.py (+43/-3)
identityprovider/tests/test_views_server.py (+68/-63)
identityprovider/tests/utils.py (+51/-0)
identityprovider/views/server.py (+86/-97)
- Ricardo Kirkner (community): Needs Fixing
-
Diff: 2117 lines (+1188/-231)21 files modified.bzrignore (+2/-0)
django_project/config_dev/urls.py (+1/-4)
identityprovider/api10/handlers.py (+11/-6)
identityprovider/fixtures/test.json (+128/-1)
identityprovider/forms.py (+178/-6)
identityprovider/media/ubuntu/narrow.css (+6/-1)
identityprovider/media/ubuntu/styles.css (+14/-2)
identityprovider/models/account.py (+1/-2)
identityprovider/models/openidmodels.py (+19/-2)
identityprovider/models/team.py (+19/-0)
identityprovider/teams.py (+4/-2)
identityprovider/templates/decide.html (+99/-12)
identityprovider/tests/test_admin.py (+5/-2)
identityprovider/tests/test_forms.py (+260/-4)
identityprovider/tests/test_models_openidmodels.py (+18/-4)
identityprovider/tests/test_models_team.py (+57/-3)
identityprovider/tests/test_views_server.py (+171/-70)
identityprovider/tests/utils.py (+51/-0)
identityprovider/views/server.py (+133/-108)
identityprovider/views/ui.py (+7/-1)
payload/__init__.py (+4/-1)
Changed in launchpad-foundations: | |
importance: | Undecided → Medium |
status: | New → Triaged |
tags: | added: 2sp |
tags: |
added: sp-2 removed: 2sp |
Changed in canonical-identity-provider: | |
milestone: | 2.7.0 → 2.8.0 |
tags: |
added: sp-5 removed: openid sp-2 |
Changed in canonical-identity-provider: | |
assignee: | Stuart Metcalfe (stuartmetcalfe) → Matthew Nuzum (newz) |
Changed in canonical-isd-qa: | |
milestone: | none → canonical-identity-provider+2.9.0 |
Changed in canonical-isd-qa: | |
importance: | Undecided → Medium |
Changed in canonical-isd-qa: | |
milestone: | canonical-identity-provider+2.9.0 → canonical-identity-provider+2.10.0 |
Changed in canonical-identity-provider: | |
importance: | Medium → High |
milestone: | 2.10.0 → for-11.04 |
Changed in canonical-identity-provider: | |
milestone: | for-11.04 → none |
tags: | added: meta633877 |
tags: |
added: proj-openit removed: meta633877 |
Changed in canonical-identity-provider: | |
assignee: | Matthew Nuzum (newz) → Stuart Metcalfe (stuartmetcalfe) |
status: | Triaged → In Progress |
Changed in canonical-identity-provider: | |
assignee: | Stuart Metcalfe (stuartmetcalfe) → Danny Tamez (zematynnad) |
tags: | added: kb-defect |
tags: |
added: kb-feature removed: kb-defect |
Changed in canonical-identity-provider: | |
status: | In Progress → Fix Committed |
Changed in canonical-identity-provider: | |
milestone: | none → 11.08.03 |
Changed in canonical-identity-provider: | |
status: | Fix Committed → Fix Released |
Changed in canonical-identity-provider: | |
assignee: | Danny Tamez (zematynnad) → nobody |
assignee: | nobody → Pyae Lin Aung (pyaelinaung2014) |
Changed in canonical-identity-provider: | |
assignee: | Pyae Lin Aung (pyaelinaung2014) → nobody |
I ended up improving the sreg code. It now limits what data it sends to that which is requested by the user.
I also removed the openid_limited_sreg configuration key in favour of per-site limits on what information may be disclosed.
So that just leaves allowing the user to pick what info to disclose (not sure whether we want this), and having a default policy for what info to disclose to unknown sites.