## General plugins (Local): OpenID provider

local_openid_idp
Maintained by Hubert Chathi
Enables Moodle to act as an OpenID provider
528
38
Moodle 2.0, 2.1, 2.2, 2.3, 2.4

This plugin allows users to log into OpenID-enabled websites using their Moodle account.  It supports the Simple Registration (SReg) and Attribute Exchange (AX) OpenID extensions.

### Contributors

• Sat, Dec 24, 2011, 5:14 AM
Hubert - This plugin is actually a patch and I will want to review it more carefully as we are trying to discourage plugins which require patching core code. Thanks for your patience. Peace - Anthony
• Sat, Dec 24, 2011, 5:35 AM
p.s. I also think it would be helpful if the files had licensing information to make it explicit that the code is GPL.
• Tue, Feb 5, 2013, 12:01 PM
Hi,
this entry is currently unapproved.
Should we keep it here as currently being worked on, delete it or consider putting it into the "Others" category if it still doesn't conform to plugin standards?

i think : "Others" category - but we do need the GPL information.
• Tue, Feb 5, 2013, 11:13 PM
Aparup, the current version of the plugin does have GPL information, so that should be fine.
The plugin contains two patches that are optional and not required for the plugin to work. There is also an optional installation step of copying libraries into Moodle's PEAR directory. So basically, the things that are not normal plugin things are optional. IMHO, that shouldn't disqualify it as a local plugin, but if it does, then I'm fine with moving it to the "Others" category.
• Thu, Feb 7, 2013, 10:03 AM
Hi Hubert,
I've had a look and i do see the GPL.

Now that i've read it i tend to agree it its fine for the 'local' category as it won't compromise any automated installation processes. i do think that the readme should mention the plugin works fine without those steps (2 - thru 4).

In any case, publishing this now, its been too long.
• Thu, Feb 7, 2013, 10:05 AM
• Tue, Aug 20, 2013, 9:20 PM
Worthy of note: The function getBytes in local\openid_idp\openid-php\Auth\OpenID\CryptUtil.php (JanRain) attempts to read from '/dev/urandom' for maximum entropy when generating random strings.

Obviously '/dev/urandom' is unix specific and doesn't function on windows.

The workaround error message provided "Define Auth_OpenID_RAND_SOURCE as null to continue with an insecure random number generator." isn't satisfactory from a security standpoint.

I've found two (secure) workarounds (for PHP > 5.3) when running on windows.

Prior to the call to:
$f = @fopen(MCRYPT_DEV_URANDOM, "r"); 1. return bin2hex(mcrypt_create_iv($num_bytes, MCRYPT_DEV_URANDOM));
2. return openssl_random_pseudo_bytes(\$num_bytes);

Hopefully this helps someone

Cheers,

-David