Feature #35755

Drop OpenID support

Added by Go MAEDA about 1 year ago. Updated 4 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%
Category: OpenID
Target version: 5.0.0
Resolution: Fixed

Description

Redmine currently supports OpenID authentication.

However, OpenID was obsoleted by OpenID Connect some years ago and most OpenID providers discontinued their services. Now it is very difficult to find a web service with an OpenID provider service. This means that it is difficult for Redmine users to start using OpenID login. And it is not easy for us to test if Redmine's OpenID support is working properly.

Given this situation, probably very few users are using OpenID login in Redmine. I think it is time to remove OpenID support from Redmine.

0001-Drop-OpenID-authentication-support.patch (125 KB) Go MAEDA, 2021-09-05 09:28


Related issues

Related to Redmine - Defect #35688: OpenIdAuthentication alias_method_chain Closed
Related to Redmine - Defect #32293: Redmine does not start if optional openid gems are not in... Closed
Related to Redmine - Feature #699: OpenID login Closed 2008-02-20
Related to Redmine - Defect #36326: Missing div tag in views page Closed
Related to Redmine - Defect #37609: Remove obsolete remnant public/images/openid-bg.gif Closed

Associated revisions

Revision 21312
Added by Go MAEDA 10 months ago

Drop OpenID support (#35755).

Patch by Go MAEDA.

Revision 21314
Added by Go MAEDA 10 months ago

Remove empty files (#35755).

Revision 21318
Added by Go MAEDA 10 months ago

Fix a missing closing div due to r21312 (#35755, #36326).

Contributed by Enziin System.

History

#1 Updated by Mischa The Evil about 1 year ago

Go MAEDA wrote:

However, OpenID was obsoleted by OpenID Connect some years ago [...]

I hadn't noticed that change.

Go MAEDA wrote:

[...] And it is not easy for us to test if Redmine's OpenID support is working properly.

Well, AFAIK it isn't working OOTB properly at least. And that already for 10(+) years. See #3780, #5966, #11778 and the 'OpenID Fix' plugin by Andriy Lesyuk.

Go MAEDA wrote:

[...] I think it is time to remove OpenID support from Redmine.

I agree. +1. And I think that JPL would wholeheartedly agree too (given the thoughts he expressed at the time in #699#note-14)...

#2 Updated by Holger Just about 1 year ago

  • Related to Defect #35688: OpenIdAuthentication alias_method_chain added

#3 Updated by Go MAEDA about 1 year ago

Here is a patch to drop OpenID.

#4 Updated by Go MAEDA about 1 year ago

  • Related to Defect #32293: Redmine does not start if optional openid gems are not installed added

#5 Updated by Marius BALTEANU 10 months ago

  • Target version set to 5.0.0

Let's drop this.

#6 Updated by Go MAEDA 10 months ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the changes. Redmine no longer supports OpenID.

#7 Updated by Go MAEDA 10 months ago

#8 Updated by Go MAEDA 10 months ago

#9 Updated by Felix Singer 5 months ago

Given this situation, probably very few users are using OpenID login in Redmine. I think it is time to remove OpenID support from Redmine.

If you don't know, then maybe you should ask your users before you do such a change. We just set up a Keycloak for our services and so we wanted to use this. Are you planning to replace it with an alternative? OAuth2?

OpenID was obsoleted by OpenID Connect some years ago and most OpenID providers discontinued their services.

How can a native function get obsolete if the alternative is a 3rd party plugin? Should that be a feature or an improvement? That's a huge step backwards.

Also, looking at the pages for issues and pull requests from that OpenID Connect plugin, it looks pretty much unmaintained. So again, how can this be a proper alternative?

https://github.com/devopskube/redmine_openid_connect

Now it is very difficult to find a web service with an OpenID provider service. This means that it is difficult for Redmine users to start using OpenID login.

What? First, there are not only hosted solutions out there. You can set up your own service, see Keycloak or SimpleID. So I don't see how this could be an argument why it should be difficult to start using it. It depends on who you ask. It's very common for companies or organizations to use some sort of SSO or OpenID login, as you maybe know.

And it is not easy for us to test if Redmine's OpenID support is working properly.

As I just mentioned, you can set up your own service. So I don't get why it's not "easy" for you to test if it's working properly. There are definitely possibilities.

Please consider reverting this change or providing an alternative, e.g. login with OAuth2.

#10 Updated by bom brad 5 months ago

Your decision to drop support for OpenID is unbelievable!
I agree with Felix Singer.

#11 Updated by markus schulte 5 months ago

hey guys,
you can easily configure keycloak to be an oidc server.
and then use redmine_oidc or relevants. works like a charm!
except you dared using rm5.0. but that's a different story i guess.
cheers,
/markus

#12 Updated by Heiko Böhme 4 months ago

really ... not funny ... I actually wanted to implement OIDC / OAUTH2

is there a special plugin?

best heiko

#13 Updated by Christoffer Rumohr 4 months ago

Go MAEDA wrote:

Given this situation, probably very few users are using OpenID login in Redmine. I think it is time to remove OpenID support from Redmine.

While I completely agree with this move (OpenID != OpenID Connect) I think that proper support for OpenID Connect should be provided out of the box and not via a 3rd party plugin.

When we take a look at the network graph of the "most popular" OpenID Connect plugin on GitHub - it's a total mess. Forked several times and no maintainer took over eventually. I'm trying to integrate our Redmine installation with Keycloak right now and am completely unsure which fork to pick.

Especially since OpenID Connect is becoming more and more popular and this functionality affects the security of a Redmine installation, the current situation is very bleak.

#14 Updated by Go MAEDA 30 days ago

  • Related to Defect #37609: Remove obsolete remnant public/images/openid-bg.gif added
