This product implements OpenIDConnect authentication support for Zope via a Pluggable Authentication Service plugin.
Using this package everyone with an OpenID authentity will be able to login on your Zope site. OpenID accounts are not given any extra roles beyond the standard Authenticated role. This allows you to make a distinction between people that have explicitly signed up to your site and people who are unknown but have succesfully verified their identity.
This was forked from plone.openid to support Python 3 and OpenIDConnect
This is developed with ShamOIDC as the OpenIDConnect provider.
Get that running first, then configure your local Zope instance to run against that.
TODO Update rest of document
The OpenID authentication flow goes like this:
- user submits a OpenID identity (which is a URL) to you site. This is
done through a HTTP POST using a form variable called
__ac_identity_url - the PAS plugin sees this variable during credential extraction and initiates a OpenID challenge. This results in a transaction commit and a redirect to an OpenID server.
- the OpenID server takes care of authenticating the user and redirect the user back to the Zope site.
- the OpenID PAS plugin extracts the information passed in via the OpenID server redirect and uses that in its authentication code to complete the OpenID authentication
The PAS plugin only takes care of authenticating users. In almost all environments it will be needed to also setup a session so users stay logged in when they visit another page. This can be done via a special session management PAS plugin, for example plone.session.