[BUGFIX] Make OpenID login work with identifier select 73/21373/13
authorChristian Weiske <cweiske@cweiske.de>
Wed, 12 Jun 2013 19:23:06 +0000 (21:23 +0200)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Mon, 21 Oct 2013 08:04:59 +0000 (10:04 +0200)
The OpenID protocol has an option which is called
identifier_select which lets the OpenID provider
return the unique OpenID identifier for a user.
A notable example is Google:
Their OpenID for all users is https://www.google.com/accounts/o8/id
while the actual OpenID identity is different, e.g.
https://www.google.com/accounts/o8/id?id=AItOawm2w
(for users without a google+ profile).

Because of this, we cannot verify that the OpenID URL
given by the user during login exists in our database
before starting the OpenID process.
Instead, we first need to run the OpenID process
to get the final OpenID identifier of the user and
only then check if a user with that ID exists
in our database.

This change also introduces a new field in the
backend login form, "openid_url". The field is needed
to cleanly distinguish OpenID from normal logins,
to make full OpenID URL normalization possible
(i.e. adding http:// automatically if missing).

Resolves: #25322
Releases: 6.2
Change-Id: Id31238760fe4e58e2a823beddaeb454ba28d59be
Reviewed-on: https://review.typo3.org/21373
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Christian Weiske
Tested-by: Christian Weiske
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
typo3/sysext/backend/Classes/Controller/LoginController.php
typo3/sysext/openid/Classes/Exception.php [new file with mode: 0644]
typo3/sysext/openid/Classes/OpenidService.php
typo3/sysext/openid/Classes/Wizard.php
typo3/sysext/openid/ext_localconf.php
typo3/sysext/rsaauth/Classes/RsaAuthService.php
typo3/sysext/t3skin/Resources/Private/Templates/login.html
typo3/sysext/t3skin/Resources/Public/JavaScript/login.js

index 46f4a8d..5630d38 100644 (file)
@@ -68,6 +68,11 @@ class LoginController {
         */
        public $p;
 
+       /**
+        * OpenID URL submitted by form
+        */
+       protected $openIdUrl;
+
        // GPvar: If "L" is "OUT", then any logged in used is logged out. If redirect_url is given, we redirect to it
        /**
         * @todo Define visibility
@@ -159,6 +164,7 @@ class LoginController {
                if (GeneralUtility::getIndpEnv('TYPO3_SSL')) {
                        $this->u = GeneralUtility::_GP('u');
                        $this->p = GeneralUtility::_GP('p');
+                       $this->openIdUrl = GeneralUtility::_GP('openid_url');
                }
                // If "L" is "OUT", then any logged in is logged out. If redirect_url is given, we redirect to it
                $this->L = GeneralUtility::_GP('L');
@@ -255,6 +261,7 @@ class LoginController {
                $markers = array(
                        'VALUE_USERNAME' => htmlspecialchars($this->u),
                        'VALUE_PASSWORD' => htmlspecialchars($this->p),
+                       'VALUE_OPENID_URL' => htmlspecialchars($this->openIdUrl),
                        'VALUE_SUBMIT' => $GLOBALS['LANG']->getLL('labels.submitLogin', TRUE)
                );
                // Show an error message if the login command was successful already, otherwise remove the subpart
diff --git a/typo3/sysext/openid/Classes/Exception.php b/typo3/sysext/openid/Classes/Exception.php
new file mode 100644 (file)
index 0000000..b5d281c
--- /dev/null
@@ -0,0 +1,32 @@
+<?php
+namespace TYPO3\CMS\Openid;
+
+/***************************************************************
+ *  Copyright notice
+ *
+ *  (c) 2013 Helmut Hummel <helmut.hummel@typo3.org>
+ *  All rights reserved
+ *
+ *  This script is part of the TYPO3 project. The TYPO3 project is
+ *  free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  The GNU General Public License can be found at
+ *  http://www.gnu.org/copyleft/gpl.html.
+ *
+ *  This script is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  This copyright notice MUST APPEAR in all copies of the script!
+ ***************************************************************/
+
+/**
+ * Excpetion thrown if something went wrong during OpenID handshake
+ */
+class Exception extends \TYPO3\CMS\Core\Exception {
+
+}
\ No newline at end of file
index 0f2e35b..f219cdb 100644 (file)
@@ -53,11 +53,6 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
        protected $authenticationInformation = array();
 
        /**
-        * OpenID identifier after it has been normalized.
-        */
-       protected $openIDIdentifier;
-
-       /**
         * OpenID response object. It is initialized when OpenID provider returns
         * with success/failure response to us.
         *
@@ -142,18 +137,46 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
                // Store login and authetication data
                $this->loginData = $loginData;
                $this->authenticationInformation = $authenticationInformation;
-               // Implement normalization according to OpenID 2.0 specification
-               $this->openIDIdentifier = $this->normalizeOpenID($this->loginData['uname']);
                // If we are here after authentication by the OpenID server, get its response.
-               if (\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('tx_openid_mode') == 'finish' && $this->openIDResponse == NULL) {
+               if (\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('tx_openid_mode') === 'finish' && $this->openIDResponse === NULL) {
                        $this->includePHPOpenIDLibrary();
                        $openIDConsumer = $this->getOpenIDConsumer();
-                       $this->openIDResponse = $openIDConsumer->complete($this->getReturnURL());
+                       $this->openIDResponse = $openIDConsumer->complete($this->getReturnURL(GeneralUtility::_GP('tx_openid_claimed')));
                }
                $this->parentObject = $parentObject;
        }
 
        /**
+        * Process the submitted OpenID URL if valid.
+        *
+        * @param array $loginData Credentials that are submitted and potentially modified by other services
+        * @param string $passwordTransmissionStrategy Keyword of how the password has been hashed or encrypted before submission
+        * @return boolean
+        */
+       public function processLoginData(array &$loginData, $passwordTransmissionStrategy) {
+               $isProcessed = FALSE;
+               // Pre-process the login only if no password has been submitted
+               if (empty($loginData['uident_text'])) {
+                       try {
+                               $openIdUrl = GeneralUtility::_POST('openid_url');
+                               if (!empty($openIdUrl)) {
+                                       $loginData['uident_openid'] = $this->normalizeOpenID($openIdUrl);
+                                       $isProcessed = TRUE;
+                               } elseif (!empty($loginData['uname'])) {
+                                       // It might be the case that during frontend login the OpenID URL is submitted in the username field
+                                       // Since we are a low priority service, and no password has been submitted it is OK to just asume
+                                       // we might have gotten an OpenID URL
+                                       $loginData['uident_openid'] = $this->normalizeOpenID($loginData['uname']);
+                                       $isProcessed = TRUE;
+                               }
+                       } catch (Exception $e) {
+                               $this->writeLog($e->getMessage());
+                       }
+               }
+               return $isProcessed;
+       }
+
+       /**
         * This function returns the user record back to the AbstractUserAuthentication.
         * It does not mean that user is authenticated, it means only that user is found. This
         * function makes sure that user cannot be authenticated by any other service
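Review bot: The `elseif (!empty($loginData['uname']))` fallback in processLoginData treats the username of every password-less login as an OpenID identifier, although its comment describes a frontend case and the service is registered for both processLoginDataBE and processLoginDataFE. The backend form now has its own openid_url field, so the fallback could be limited to frontend logins, e.g. `} elseif ($this->authenticationInformation['loginType'] === 'FE' && !empty($loginData['uname'])) {`, assuming authenticationInformation is already populated when this method runs (not visible in the hunk). That keeps unrelated backend usernames out of normalizeOpenID() and out of the handshake. `$passwordTransmissionStrategy` is never read; a sentence in the docblock saying it is ignored would help.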
@@ -162,37 +185,35 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
         * @return mixed User record (content of fe_users/be_users as appropriate for the current mode)
         */
        public function getUser() {
+               if ($this->loginData['status'] !== 'login') {
+                       return NULL;
+               }
                $userRecord = NULL;
-               if ($this->loginData['status'] === 'login') {
-                       if ($this->openIDResponse instanceof \Auth_OpenID_ConsumerResponse) {
-                               $GLOBALS['BACK_PATH'] = $this->getBackPath();
-                               // We are running inside the OpenID return script
-                               // Note: we cannot use $this->openIDResponse->getDisplayIdentifier()
-                               // because it may return a different identifier. For example,
-                               // LiveJournal server converts all underscore characters in the
-                               // original identfier to dashes.
-                               if ($this->openIDResponse->status === Auth_OpenID_SUCCESS) {
-                                       $openIDIdentifier = $this->getFinalOpenIDIdentifier();
-                                       if ($openIDIdentifier) {
-                                               $userRecord = $this->getUserRecord($openIDIdentifier);
-                                               if ($userRecord != NULL) {
-                                                       $this->writeLog('User \'%s\' logged in with OpenID \'%s\'', $userRecord[$this->parentObject->formfield_uname], $openIDIdentifier);
-                                               } else {
-                                                       $this->writeLog('Failed to login user using OpenID \'%s\'', $openIDIdentifier);
-                                               }
+               if ($this->openIDResponse instanceof \Auth_OpenID_ConsumerResponse) {
+                       $GLOBALS['BACK_PATH'] = $this->getBackPath();
+                       // We are running inside the OpenID return script
+                       // Note: we cannot use $this->openIDResponse->getDisplayIdentifier()
+                       // because it may return a different identifier. For example,
+                       // LiveJournal server converts all underscore characters in the
+                       // original identfier to dashes.
+                       if ($this->openIDResponse->status === Auth_OpenID_SUCCESS) {
+                               $openIDIdentifier = $this->getFinalOpenIDIdentifier();
+                               if ($openIDIdentifier) {
+                                       $userRecord = $this->getUserRecord($openIDIdentifier);
+                                       if (!empty($userRecord) && is_array($userRecord)) {
+                                               // The above function will return user record from the OpenID. It means that
+                                               // user actually tried to authenticate using his OpenID. In this case
+                                               // we must change the password in the record to a long random string so
+                                               // that this user cannot be authenticated with other service.
+                                               $userRecord[$this->authenticationInformation['db_user']['userident_column']] = GeneralUtility::getRandomHexString(42);
+                                               $this->writeLog('User \'%s\' logged in with OpenID \'%s\'', $userRecord[$this->parentObject->formfield_uname], $openIDIdentifier);
+                                       } else {
+                                               $this->writeLog('Failed to login user using OpenID \'%s\'', $openIDIdentifier);
                                        }
                                }
-                       } else {
-                               // Here if user just started authentication
-                               $userRecord = $this->getUserRecord($this->openIDIdentifier);
-                       }
-                       // The above function will return user record from the OpenID. It means that
-                       // user actually tried to authenticate using his OpenID. In this case
-                       // we must change the password in the record to a long random string so
-                       // that this user cannot be authenticated with other service.
-                       if (is_array($userRecord)) {
-                               $userRecord[$this->authenticationInformation['db_user']['userident_column']] = GeneralUtility::getRandomHexString(42);
                        }
+               } elseif (!empty($this->loginData['uident_openid'])) {
+                       $this->sendOpenIDRequest($this->loginData['uident_openid']);
                }
                return $userRecord;
        }
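Review bot: The new `elseif (!empty($this->loginData['uident_openid']))` branch in getUser calls sendOpenIDRequest() before any user record has been matched, so OpenID discovery now runs against an identifier chosen by an unauthenticated visitor. The check that tied the request to a stored tx_openid_openid value is removed in the authUser hunk below, which identifier select requires. normalizeOpenID() limits unknown identifiers to http/https URLs, but nothing visible restricts the host that the server will contact. Consider an optional allow-list of provider hosts, or rejecting internal addresses before discovery, and state the decision in a comment on this branch, e.g. `// Discovery runs on unauthenticated input; see <provider restriction setting>`.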
@@ -218,20 +239,6 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
                                } else {
                                        $this->writeLog('OpenID authentication failed with code \'%s\'.', $this->openIDResponse->status);
                                }
-                       } else {
-                               // We may need to send a request to the OpenID server.
-                               // First, check if the supplied login name equals with the configured OpenID.
-                               if ($this->openIDIdentifier === $userRecord['tx_openid_openid']) {
-                                       // Next, check if the user identifier looks like an OpenID identifier.
-                                       // Prevent PHP warning in case if identifiers is not an OpenID identifier
-                                       // (not an URL).
-                                       // TODO: Improve testing here. After normalization has been added, now all identifiers will succeed here...
-                                       $urlParts = @parse_url($this->openIDIdentifier);
-                                       if (is_array($urlParts) && $urlParts['scheme'] != '' && $urlParts['host']) {
-                                               // Yes, this looks like a good OpenID. Ask OpenID server (should not return)
-                                               $this->sendOpenIDRequest();
-                                       }
-                               }
                        }
                }
                return $result;
@@ -285,9 +292,10 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
         */
        protected function getUserRecord($openIDIdentifier) {
                $record = NULL;
-               if ($openIDIdentifier) {
-                       // $openIDIdentifier always as a trailing slash because it got normalized
-                       // but tx_openid_openid possibly not so check for both alternatives in database
+               try {
+                       $openIDIdentifier = $this->normalizeOpenID($openIDIdentifier);
+                       // $openIDIdentifier always has a trailing slash
+                       // but tx_openid_openid field possibly not so check for both alternatives in database
                        $record = $this->databaseConnection->exec_SELECTgetSingleRow(
                                '*',
                                $this->authenticationInformation['db_user']['table'],
@@ -302,10 +310,10 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
                                // Make sure to work only with normalized OpenID during the whole process
                                $record['tx_openid_openid'] = $this->normalizeOpenID($record['tx_openid_openid']);
                        }
-               } else {
+               } catch (Exception $e) {
                        // This should never happen and generally means hack attempt.
                        // We just log it and do not return any records.
-                       $this->writeLog('getUserRecord is called with the empty OpenID');
+                       $this->writeLog($e->getMessage());
                }
                return $record;
        }
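Review bot: The comment kept in the catch block of getUserRecord ("This should never happen and generally means hack attempt") no longer matches the code path. Besides the empty identifier, normalizeOpenID() now also throws exception 1381922465 when the identifier is neither a URL nor found in a user record, and that can happen with ordinary input. Suggested wording: `// normalizeOpenID() rejected the identifier (empty, or neither a URL nor a known user); log it and return no record`. The try block opens in the preceding hunk and the query between the two hunks is not shown.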
@@ -335,11 +343,11 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
         * This function does not return on success. If it returns, it means something
         * went totally wrong with OpenID.
         *
+        * @param string $openIDIdentifier The OpenID identifier for discovery and auth request
         * @return void
         */
-       protected function sendOpenIDRequest() {
+       protected function sendOpenIDRequest($openIDIdentifier) {
                $this->includePHPOpenIDLibrary();
-               $openIDIdentifier = $this->openIDIdentifier;
                // Initialize OpenID client system, get the consumer
                $openIDConsumer = $this->getOpenIDConsumer();
                // Begin the OpenID authentication process
@@ -355,7 +363,7 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
                // response.
                // For OpenID version 1, we *should* send a redirect. For OpenID version 2,
                // we should use a Javascript form to send a POST request to the server.
-               $returnURL = $this->getReturnURL();
+               $returnURL = $this->getReturnURL($openIDIdentifier);
                $trustedRoot = GeneralUtility::getIndpEnv('TYPO3_SITE_URL');
                if ($authenticationRequest->shouldSendRedirect()) {
                        $redirectURL = $authenticationRequest->redirectURL($trustedRoot, $returnURL);
@@ -391,9 +399,10 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
         * the OpenID server, the user will be sent to this URL to complete
         * authentication process with the current site. We send it to our script.
         *
+        * @param string $claimedIdentifier The OpenID identifier for discovery and auth request
         * @return string Return URL
         */
-       protected function getReturnURL() {
+       protected function getReturnURL($claimedIdentifier) {
                if ($this->authenticationInformation['loginType'] === 'FE') {
                        // We will use eID to send user back, create session data and
                        // return to the calling page.
@@ -410,10 +419,8 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
                }
                if (GeneralUtility::_GP('tx_openid_mode') === 'finish') {
                        $requestURL = GeneralUtility::_GP('tx_openid_location');
-                       $claimedIdentifier = GeneralUtility::_GP('tx_openid_claimed');
                } else {
                        $requestURL = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL');
-                       $claimedIdentifier = $this->openIDIdentifier;
                }
                $returnURL .= 'tx_openid_location=' . rawurlencode($requestURL) . '&' . 'tx_openid_mode=finish&' . 'tx_openid_claimed=' . rawurlencode($claimedIdentifier) . '&' . 'tx_openid_signature=' . $this->getSignature($claimedIdentifier);
                return GeneralUtility::locationHeaderUrl($returnURL);
@@ -438,8 +445,12 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
         *
         * @param string $openIDIdentifier OpenID identifier to normalize
         * @return string Normalized OpenID identifier
+        * @throws Exception
         */
        protected function normalizeOpenID($openIDIdentifier) {
+               if (empty($openIDIdentifier)) {
+                       throw new Exception('Empty OpenID Identifier given.', 1381922460);
+               }
                // Strip everything with and behind the fragment delimiter character "#"
                if (strpos($openIDIdentifier, '#') !== FALSE) {
                        $openIDIdentifier = preg_replace('/#.*$/', '', $openIDIdentifier);
@@ -448,11 +459,11 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
                if (!preg_match('#^https?://#', $openIDIdentifier)) {
                        $escapedIdentifier = $this->databaseConnection->quoteStr($openIDIdentifier, $this->authenticationInformation['db_user']['table']);
                        $condition = 'tx_openid_openid IN ('
-                                       . '\'http://' . $escapedIdentifier . '\','
-                                       . '\'http://' . $escapedIdentifier . '/\','
-                                       . '\'https://' . $escapedIdentifier . '\','
-                                       . '\'https://' . $escapedIdentifier . '/\''
-                                       . ')';
+                               . '\'http://' . $escapedIdentifier . '\','
+                               . '\'http://' . $escapedIdentifier . '/\','
+                               . '\'https://' . $escapedIdentifier . '\','
+                               . '\'https://' . $escapedIdentifier . '/\''
+                               . ')';
                        $row = $this->databaseConnection->exec_SELECTgetSingleRow(
                                'tx_openid_openid',
                                $this->authenticationInformation['db_user']['table'],
@@ -460,6 +471,11 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
                        );
                        if (is_array($row)) {
                                $openIDIdentifier = $row['tx_openid_openid'];
+                       } else {
+                               // This only happens when the OpenID provider will select the final OpenID identity
+                               // In this case we require a valid URL as we cannot guess the scheme
+                               // So we throw an Exception and do not start the OpenID handshake at all
+                               throw new Exception('Trying to authenticate with OpenID but identifier is neither found in a user record nor it is a valid URL.', 1381922465);
                        }
                }
                // An empty path component is normalized to a slash
@@ -495,7 +511,6 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
                if (!$result) {
                        $result = $this->getSignedClaimedOpenIDIdentifier();
                }
-               $result = $this->getAdjustedOpenIDIdentifier($result);
                return $result;
        }
 
@@ -514,25 +529,6 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
        }
 
        /**
-        * Adjusts the OpenID identifier to to claimed OpenID, if the only difference
-        * is in normalizing the URLs. Example:
-        * + OpenID returned from provider: https://account.provider.net/
-        * + OpenID used in TYPO3: https://account.provider.net (not normalized)
-        *
-        * @param string $openIDIdentifier The OpenID returned by the OpenID provider
-        * @return string Adjusted OpenID identifier
-        */
-       protected function getAdjustedOpenIDIdentifier($openIDIdentifier) {
-               $result = '';
-               $claimedOpenIDIdentifier = $this->getSignedClaimedOpenIDIdentifier();
-               $pattern = '#^' . preg_quote($claimedOpenIDIdentifier, '#') . '/?$#';
-               if (preg_match($pattern, $openIDIdentifier)) {
-                       $result = $claimedOpenIDIdentifier;
-               }
-               return $result;
-       }
-
-       /**
         * Obtains a value of the parameter if it is signed. If not signed, then
         * empty string is returned.
         *
index cd86f1f..00b7054 100644 (file)
@@ -78,8 +78,8 @@ class Wizard extends OpenidService {
                        $this->renderHtml();
                        return;
                } elseif (GeneralUtility::_POST('openid_url') != '') {
-                       $this->openIDIdentifier = GeneralUtility::_POST('openid_url');
-                       $this->sendOpenIDRequest();
+                       $openIDIdentifier = GeneralUtility::_POST('openid_url');
+                       $this->sendOpenIDRequest($openIDIdentifier);
 
                        // When sendOpenIDRequest() returns, there was an error
                        $flashMessageService = GeneralUtility::makeInstance(
@@ -89,7 +89,7 @@ class Wizard extends OpenidService {
                                'TYPO3\\CMS\\Core\\Messaging\\FlashMessage',
                                sprintf(
                                        $GLOBALS['LANG']->sL('LLL:EXT:openid/Resources/Private/Language/Wizard.xlf:error.setup'),
-                                       htmlspecialchars($this->openIDIdentifier)
+                                       htmlspecialchars($openIDIdentifier)
                                ),
                                $GLOBALS['LANG']->sL('LLL:EXT:openid/Resources/Private/Language/Wizard.xlf:title.error'),
                                \TYPO3\CMS\Core\Messaging\FlashMessage::ERROR
index 656083b..7a78597 100644 (file)
@@ -3,6 +3,20 @@
 if (!defined('TYPO3_MODE')) {
        die('Access denied.');
 }
+// Register OpenID pocessing service with TYPO3
+\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addService($_EXTKEY, 'auth', 'tx_openid_service_process', array(
+       'title' => 'OpenID Authentication',
+       'description' => 'OpenID processing login information service for Frontend and Backend',
+       'subtype' => 'processLoginDataBE,processLoginDataFE',
+       'available' => TRUE,
+       'priority' => 35,
+       // Must be lower than for \TYPO3\CMS\Sv\AuthenticationService (50) to let other processing take place before
+       'quality' => 50,
+       'os' => '',
+       'exec' => '',
+       'className' => 'TYPO3\\CMS\\Openid\\OpenidService'
+));
+
 // Register OpenID authentication service with TYPO3
 \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addService($_EXTKEY, 'auth', 'tx_openid_service', array(
        'title' => 'OpenID Authentication',
@@ -10,7 +24,7 @@ if (!defined('TYPO3_MODE')) {
        'subtype' => 'getUserFE,authUserFE,getUserBE,authUserBE',
        'available' => TRUE,
        'priority' => 75,
-       // Must be higher than for \TYPO3\CMS\Sv\AuthenticationService (50) or \TYPO3\CMS\Sv\AuthenticationService will deny request unconditionally
+       // Must be higher than for \TYPO3\CMS\Sv\AuthenticationService (50) or \TYPO3\CMS\Sv\AuthenticationService will log failed login attempts
        'quality' => 50,
        'os' => '',
        'exec' => '',
index 2a4aaa8..6e75555 100644 (file)
@@ -86,7 +86,7 @@ class RsaAuthService extends \TYPO3\CMS\Sv\AuthenticationService {
                        if ($key != NULL && substr($password, 0, 4) === 'rsa:') {
                                // Decode password and store it in loginData
                                $decryptedPassword = $this->backend->decrypt($key, substr($password, 4));
-                               if ($decryptedPassword != NULL) {
+                               if ($decryptedPassword !== NULL) {
                                        $loginData['uident_text'] = $decryptedPassword;
                                        $isProcessed = TRUE;
                                } else {
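Review bot: With the test changed to `$decryptedPassword !== NULL`, an empty string or any other falsy non-null value returned by `$this->backend->decrypt()` is now stored in `uident_text` and reported as processed instead of taking the else branch. That is presumably intended so that an empty password can reach the OpenID service, but decrypt() is not visible here. If any backend signals failure with `''` or `FALSE` rather than `NULL`, a failed decryption would now pass as success. A comment stating the contract, e.g. `// decrypt() returns NULL on failure; an empty string is a valid (empty) password`, or an added `is_string($decryptedPassword)` check would make the assumption explicit. The enclosing method starts and ends outside the hunk.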
index eec27c2..74602d2 100644 (file)
@@ -78,7 +78,7 @@
 <!-- ###LOGIN_ERROR### end -->
 
 <div id="t3-login-form-fields" class="###CSS_OPENIDCLASS###">
-       <div class="t3-login-field">
+       <div class="t3-login-field" id="t3-login-username-section">
                <input type="text" id="t3-username" name="username" value="###VALUE_USERNAME###" placeholder="###LABEL_USERNAME###" class="t3-username" autofocus="autofocus" />
 
                <div class="t3-login-clearInputField">
                        <img src="sysext/t3skin/icons/login_capslock.gif" alt="###ERROR_CAPSLOCK###" title="###ERROR_CAPSLOCK###" />
                </div>
        </div>
+       <div class="t3-login-field" id="t3-login-openid_url-section" style="display: none">
+               <input type="text" id="openid_url" name="openid_url" value="###VALUE_OPENID_URL###" placeholder="###LABEL_OPENID###" class="t3-openidurl" />
+
+               <div class="t3-login-clearInputField">
+                       <a id="openid_url-clearIcon" style="display: none;">
+                               <img src="sysext/t3skin/icons/common-input-clear.png" alt="###CLEAR###" title="###CLEAR###" />
+                       </a>
+               </div>
+       </div>
        <div class="t3-login-field clearfix">
                <!-- ###INTERFACE_SELECTOR### begin -->
                <div class="t3-login-interface" id="t3-login-interface-section">
index c9d8d7f..3040652 100644 (file)
@@ -53,7 +53,7 @@ TYPO3BackendLogin = {
                        );
                }
 
-               $A(['t3-username', 't3-password']).each(function(value) {
+               $A(['t3-username', 't3-password', 'openid_url']).each(function(value) {
                        Event.observe(
                                        $(value + '-clearIcon'),
                                        'click',
@@ -125,13 +125,18 @@ TYPO3BackendLogin = {
 
                $('t3-login-form-footer-default').hide();
                $('t3-login-form-footer-openId').show();
+               $('t3-login-username-section').hide();
                $('t3-login-password-section').hide();
+               $('t3-login-openid_url-section').show();
 
                if ($('t3-login-interface-section')) {
                        $('t3-login-interface-section').hide();
                }
 
-               $('t3-username').activate();
+               $('openid_url').activate();
+               if ($('t3-username').getValue() == '') {
+                       $('t3-username').setValue('openid_url');
+               }
 
                TYPO3BackendLogin.setLogintypeCookie('openid');
        },
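Review bot: The literal `'openid_url'` written into `t3-username` in switchToOpenId is an undocumented sentinel, and switchToDefault in the next hunk clears the field whenever it holds that exact string. The reason is not visible in the diff, but presumably the form needs a non-empty username on submit. A comment such as `// placeholder so the username field is not empty while the OpenID field is used` and one shared constant for the string would keep the two places in sync. Both comparisons use `==`; `===` would match the stricter comparisons this commit introduces on the PHP side. The sentinel is also submitted as the username, so the server side should never treat it as a real account name.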
@@ -142,9 +147,15 @@ TYPO3BackendLogin = {
        switchToDefault: function() {
                $('t3-login-openIdLogo').hide();
 
+               if ($('t3-username').getValue() == 'openid_url') {
+                       $('t3-username').setValue('');
+               }
+
                $('t3-login-form-footer-default').show();
                $('t3-login-form-footer-openId').hide();
+               $('t3-login-username-section').show();
                $('t3-login-password-section').show();
+               $('t3-login-openid_url-section').hide();
 
                if ($('t3-login-interface-section')) {
                        $('t3-login-interface-section').show();