OpenOLAT
OO-4794

Remove username dependencies from login process, make it possible to rename


      Description

      The user name is a property of the identity object and cannot be changed. For legacy reasons, identity.name is used as a reference in several places. 

      However, identity.name is not really used for the login process. When performing a login, authentication.authusername is used instead. A user can have several authentication tokens: one with a local OpenOlat password, one for LDAP, Shibboleth, oAuth, LinkedIn, etc. In those authentication tokens the login name is stored together with the encrypted credential or other information necessary when authenticating against an external system. 

      Renaming login names has been a wish for a long time; e.g. after a marriage some people insist on changing their login name. While renaming the login name in authentication.authusername is no problem at all, renaming identity.name is not possible because it would break references in files, filenames and database entries. 

      The goal of this issue is to remove the user's identity.name and only use authentication.authusername instead. Technically identity.name remains and new users will also get an identity.name, but this technical identifier will no longer be displayed and is not the same as authentication.authusername. It is just a technical ID that happened to be the same as the login name for old users and is the database key for new users. 


      Following things must be done

      • Decouple login process from identity.name
      • Implement a new nickname user property that can be used instead of the identity.name
        • Populate it with existing identity.name for migration
        • Add options to populate the nickname from LDAP/Shib/oAuth Attributes or let user set it
      • Decouple user match from identity.name for authentication providers
        • LDAP
        • Shibboleth
        • oAuth
        • ...
      • Implement GUI to rename authentication.authusername
        • Make sure dependencies on other authentication tokens are handled correctly, e.g. for WebDAV access and OpenOlat password caching in the LDAP provider
      • Remove identity.name from all GUIs, replace it with the nickname property
      • Migrate user property contexts to use the new nickname where the username has been used previously
      • Make sure it is still possible to create a user without authentication and still give some unique identifier for later identification (maybe just by email?)
      • Adapt search queries to search in all relevant authentication providers when searching by username
      • When creating a new identity, set identity.name to "U" + user.key

       

      Backward compatibility

      The default configuration uses the new identity.name scheme automatically. An opt-out configuration allows using the old scheme of using the authentication.authusername as the identity.name on identity generation (not possible to rename afterwards).

      This is configured using a global flag that can be set in the olat.local.properties

      # By default OpenOlat generates an internal identifier for identities automatically based on 
      # the database primary key with a prefix. The identifier is used in some places to link 
      # resources (mostly files) to identities. For legacy backward compatibility this identifier
      # can be set manually when creating the identity based on the user's first authentication username.
      # Formerly this has been known as the username. Note that the identity name cannot be renamed 
      # later on while authentication usernames can. 
      identity.name=auto
      identity.name.values=auto,manual
      

      When this flag is set to manual, the authentication.authusername provided on identity generation is used as identity.name for every authentication provider and is also set as the nickname property (OpenOlat via REST or GUI, LDAP, Shibboleth etc). 
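      The following is an added, constructed model of the scheme described in the task list and in the backward-compatibility section above; it is not OpenOLAT code, and all class, method and field names (IdentityStore, rename_authusername, the "WebDAV mirrors OLAT" dependency rule) are assumptions made for illustration. It shows identities with an opaque technical identity.name ("U" + key, or the legacy login name in manual mode), several authentication tokens per identity, a nickname user property populated on creation or by migration, a cross-provider username search, and a rename of authentication.authusername that leaves identity.name untouched while pulling a dependent token along.

```python
from dataclasses import dataclass, field


@dataclass
class Authentication:
    """One authentication token; the login name lives here, not on the identity."""
    provider: str         # e.g. "OLAT", "LDAP", "Shib", "WebDAV" (constructed names)
    authusername: str     # renamable login name (authentication.authusername)
    credential: str = ""  # hashed password or external reference; dummy values here


@dataclass
class Identity:
    key: int                     # database primary key
    name: str                    # technical identity.name, never renamed
    properties: dict = field(default_factory=dict)   # user properties, incl. "nickname"
    authentications: list = field(default_factory=list)

    def nickname(self):
        return self.properties.get("nickname")


class IdentityStore:
    """In-memory stand-in for the identity tables (constructed for this example)."""

    def __init__(self, identity_name_mode="auto"):
        # Mirrors the identity.name=auto|manual flag from olat.local.properties.
        if identity_name_mode not in ("auto", "manual"):
            raise ValueError("identity.name must be 'auto' or 'manual'")
        self.mode = identity_name_mode
        self.identities = {}
        self._next_key = 1

    def create_identity(self, provider, authusername):
        """Create an identity from its first authentication (REST/GUI, LDAP, Shibboleth...)."""
        if self.find_by_username(authusername, providers=(provider,)):
            raise ValueError(f"{provider} username {authusername!r} already exists")
        key = self._next_key
        self._next_key += 1
        # auto: opaque technical id "U" + key; manual: legacy scheme, id == first login name
        name = f"U{key}" if self.mode == "auto" else authusername
        ident = Identity(key=key, name=name)
        ident.properties["nickname"] = authusername   # displayed instead of identity.name
        ident.authentications.append(Authentication(provider, authusername))
        self.identities[key] = ident
        return ident

    def find_by_username(self, username, providers=("OLAT", "LDAP", "Shib")):
        """Search login names across all relevant providers, never identity.name."""
        return [
            ident for ident in self.identities.values()
            if any(a.provider in providers and a.authusername == username
                   for a in ident.authentications)
        ]

    def rename_authusername(self, ident, provider, new_name):
        """Rename one token's login name; identity.name and file references stay put."""
        if any(other is not ident
               for other in self.find_by_username(new_name, providers=(provider,))):
            raise ValueError(f"{provider} username {new_name!r} already taken")
        renamed = 0
        for auth in ident.authentications:
            if auth.provider == provider:
                auth.authusername = new_name
                renamed += 1
        if renamed == 0:
            raise KeyError(f"identity {ident.key} has no {provider} token")
        # Dependent token (assumption for this example): the WebDAV token mirrors the
        # OLAT login name, so it must follow a rename of the OLAT token.
        if provider == "OLAT":
            for auth in ident.authentications:
                if auth.provider == "WebDAV":
                    auth.authusername = new_name
        return ident


def migrate_legacy_nickname(ident):
    """Migration step: a legacy identity without a nickname gets identity.name copied in."""
    if not ident.nickname():
        ident.properties["nickname"] = ident.name
    return ident.nickname()
```

      The rename deliberately checks uniqueness only within the provider being renamed, because the same login name may legitimately exist for one person under LDAP and under the local OpenOlat password; the search, by contrast, spans all providers so that a username lookup still finds the identity whichever token carries the name.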

       

      Participant bulk import

      User import in courses and groups is often done using the username. Since the new identity.name no longer has the meaning of a username, the new nickname user property is supported instead. 

      People

      Assignee: Stéphane Rossé (srosse)
      Reporter: Florian Gnägi (gnaegi)
      Tester: Mandy Menzel
      Votes: 0
      Watchers: 3

      Time Tracking

      Estimated: Not Specified
      Remaining: 0m
      Logged: 3d 2h