wp-openid intelligent defaults

Well, wp-openid is stabilizing and a 2.0 release is not far off, though there are still a few outstanding bugs that may get pushed off to version 2.1. I think we’ve come to a fairly stable point, have a much cleaner product, and it seems the community is anxious to have something they can drop into place. I talked with Chris a bit this weekend and did a lot of thinking about the number of configurable options, default behavior, and the like. The result is that quite a few options have been removed from the wp-openid configuration page in favor of intelligent defaults. Since this is a fairly large curveball to throw in right before a release, I figured I’d give people a couple of days to respond if they so desired.

Removed Options:

  • trust root – I’m not sure that I would have made this configurable to begin with. It’s not something a user is likely to change, nor am I completely sure that it should be changed… the WordPress home option should be appropriate.

  • create local accounts – Again, something that always seemed a little weird to me. One of my goals in this release has been to simplify the plugin where at all possible and, more importantly, to make it feel and behave like native functionality. In a normal WordPress installation, there are two ways for user accounts to be created - by an administrator in wp-admin, or by self registering at wp-register.php. Adding OpenID to WordPress should simply enable an additional authentication mechanism, not change the entire account creation paradigm. Leaving a comment and creating a local account are completely separate functions and should remain so, therefore I’ve completely removed the create local accounts options. What is enabled however, is the same thing that has always existed in WordPress… self-registration. If you have enabled the anyone can register general option, then users now have the choice of registering for a new account with a traditional username and password or simply by using an OpenID. If they have a local account and leave a comment with their OpenID, they will be logged in to that account, but accounts will never be created by virtue of leaving a comment.

  • add OpenID to login form – Previously, it was configurable whether you wanted the OpenID field to be added to the login form on wp-login.php. It is now always displayed, and the reasoning somewhat relates to the previous option. Since wp-openid completely honors the “anyone can register” option, there is no harm in displaying the OpenID field any more than there is harm in having the username and password fields. OpenID is simply another way to authenticate, it doesn’t change the fundamental way in which WordPress operates.

  • unobtrusive mode – for the sake of simplicity as well as striving for a consistent experience, “unobtrusive mode” is now the default. If the plugin is enabled, the URL field will always be checked for a valid OpenID. You still have the option of whether the plugin should modify your comment form to display the OpenID logo, or if you want to style it yourself. If you really don’t like unobtrusive mode, you can simply modify your comment form to include an additional input field named “openid_url”. If a field is present with that name, then it will be used for checking OpenIDs and the URL field will be completely left alone. (I’ll see about adding a real-world example of this later.)

New Option:

  • automatic approval – this is really more of a sample implementation of a rather generic hook into the plugin. The idea is to be able to plug in one or more trust engines that can make a decision about a particular OpenID. The current function simply approves all comments left by a user who authenticated with an OpenID. This is relatively safe for now, since I’ve not seen spammers using OpenIDs yet… as soon as they do, this option becomes useless. However, it should be relatively simple to instead hook into a simple whitelist managed within WordPress or perhaps a third-party service like BotBouncer or Jyte. In fact, I have an idea for one such service rolling around in my head, which will hopefully be integrated into a future version of the plugin.

All of this is implemented in subversion, so grab a copy from trunk and see how you like it.

Comments and responses

Have you written a response to this? Let me know the URL:

This is awesome work man! I'm thrilled about these improvements and think this will really serve to demonstrate how to do OpenID right!
Terrell Russell

This is exactly what is needed. Strong defaults with good explanations. Thanks. Keep the analysis coming.


Initially, Will, I thought you were crazy for splitting the comment loop from auto-registration. When I stopped to think about the process a little more, I realized that only Livejournal does it like that. It's completely contrary to the Wordpress comment paradigm. Thank you for fixing my mistakes. :)

hi Will,

I noticed than the FOAF / SIOC auto-discovery feature have been removed, will it be back soon ? BTW, there's a get_currentuserinfo() call in the code, which is defined nowhere.

I managed to miss this article as I was on vacation. I've tried svn truck v24319 of WP-OpenID+, and WP-Yadis (v1.2) still doesn't manage to delegate. However, if this comment appears here, it means that it does work, and that (1) I somehow flubbed the svn install, or (2) the trunk version I have is out of date. (Tested on WP 2.3.1.)
I've had a commenter tell me they were asked for either a password or an OpenID, even though I have "anyone can register" checked. Could this be because they wrote their non-OpenID blog in the space?