From e434cb154c5ccecd7fc0ce672e4de79bd9e7e06f Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Sun, 22 Feb 2015 12:20:04 +0000
Subject: [PATCH] Convert OpenID authentication to generic third party
 authentication

---
 app/assets/javascripts/user.js                | 118 ++++++++++++------
 app/assets/stylesheets/common.scss            |   4 +-
 app/controllers/user_controller.rb            |  97 ++++++++------
 app/helpers/user_helper.rb                    |  12 +-
 app/models/user.rb                            |   4 +-
 app/views/user/account.html.erb               |  12 +-
 app/views/user/login.html.erb                 |  36 +++---
 app/views/user/new.html.erb                   |  51 +++-----
 config/locales/en.yml                         |  18 +--
 .../20150222101847_rename_openid_url.rb       |  11 ++
 db/structure.sql                              |  48 +++++--
 test/controllers/user_controller_test.rb      |   3 +-
 test/fixtures/users.yml                       |   3 +-
 test/integration/user_creation_test.rb        |  10 +-
 14 files changed, 253 insertions(+), 174 deletions(-)
 create mode 100644 db/migrate/20150222101847_rename_openid_url.rb

diff --git a/app/assets/javascripts/user.js b/app/assets/javascripts/user.js
index 22c2ad829..e8ad3324d 100644
--- a/app/assets/javascripts/user.js
+++ b/app/assets/javascripts/user.js
@@ -1,59 +1,95 @@
 //= require leaflet.locate
 
 $(document).ready(function () {
-  var map = L.map("map", {
-    attributionControl: false,
-    zoomControl: false
-  }).addLayer(new L.OSM.Mapnik());
+  if ($("#map").length) {
+    var map = L.map("map", {
+      attributionControl: false,
+      zoomControl: false
+    }).addLayer(new L.OSM.Mapnik());
 
-  var position = $('html').attr('dir') === 'rtl' ? 'topleft' : 'topright';
+    var position = $('html').attr('dir') === 'rtl' ? 'topleft' : 'topright';
 
-  L.OSM.zoom({position: position})
-    .addTo(map);
+    L.OSM.zoom({position: position})
+      .addTo(map);
 
-  L.control.locate({
-    position: position,
-    strings: {
-      title: I18n.t('javascripts.map.locate.title'),
-      popup: I18n.t('javascripts.map.locate.popup')
+    L.control.locate({
+      position: position,
+      strings: {
+        title: I18n.t('javascripts.map.locate.title'),
+        popup: I18n.t('javascripts.map.locate.popup')
+      }
+    }).addTo(map);
+
+    if (OSM.home) {
+      map.setView([OSM.home.lat, OSM.home.lon], 12);
+    } else {
+      map.setView([0, 0], 0);
     }
-  }).addTo(map);
 
-  if (OSM.home) {
-    map.setView([OSM.home.lat, OSM.home.lon], 12);
-  } else {
-    map.setView([0, 0], 0);
+    if ($("#map").hasClass("set_location")) {
+      var marker = L.marker([0, 0], {icon: OSM.getUserIcon()});
+
+      if (OSM.home) {
+        marker.setLatLng([OSM.home.lat, OSM.home.lon]);
+        marker.addTo(map);
+      }
+
+      map.on("click", function (e) {
+        if ($('#updatehome').is(':checked')) {
+          var zoom = map.getZoom(),
+              precision = OSM.zoomPrecision(zoom),
+              location = e.latlng.wrap();
+
+          $('#homerow').removeClass();
+          $('#home_lat').val(location.lat.toFixed(precision));
+          $('#home_lon').val(location.lng.toFixed(precision));
+
+          marker.setLatLng(e.latlng);
+          marker.addTo(map);
+        }
+      });
+    } else {
+      $("[data-user]").each(function () {
+        var user = $(this).data('user');
+        if (user.lon && user.lat) {
+          L.marker([user.lat, user.lon], {icon: OSM.getUserIcon(user.icon)}).addTo(map)
+            .bindPopup(user.description);
+        }
+      });
+    }
   }
 
-  if ($("#map").hasClass("set_location")) {
-    var marker = L.marker([0, 0], {icon: OSM.getUserIcon()});
+  function updateAuthUID() {
+    var provider = $("select#user_auth_provider").val();
 
-    if (OSM.home) {
-      marker.setLatLng([OSM.home.lat, OSM.home.lon]);
-      marker.addTo(map);
+    if (provider === "openid") {
+      $("input#user_auth_uid").show().prop("disabled", false);
+    } else {
+      $("input#user_auth_uid").hide().prop("disabled", true);
     }
+  }
 
-    map.on("click", function (e) {
-      if ($('#updatehome').is(':checked')) {
-        var zoom = map.getZoom(),
-            precision = OSM.zoomPrecision(zoom),
-            location = e.latlng.wrap();
+  updateAuthUID();
 
-        $('#homerow').removeClass();
-        $('#home_lat').val(location.lat.toFixed(precision));
-        $('#home_lon').val(location.lng.toFixed(precision));
+  $("select#user_auth_provider").on("change", updateAuthUID);
 
-        marker.setLatLng(e.latlng);
-        marker.addTo(map);
-      }
-    });
+  function enableAuth() {
+    $("#auth_prompt").hide();
+    $("#auth_field").show();
+    $("#user_auth_uid").prop("disabled", false);
+  }
+
+  function disableAuth() {
+    $("#auth_prompt").show();
+    $("#auth_field").hide();
+    $("#user_auth_uid").prop("disabled", true);
+  }
+
+  $("#auth_enable").click(enableAuth);
+
+  if ($("select#user_auth_provider").val() === "") {
+    disableAuth();
   } else {
-    $("[data-user]").each(function () {
-      var user = $(this).data('user');
-      if (user.lon && user.lat) {
-        L.marker([user.lat, user.lon], {icon: OSM.getUserIcon(user.icon)}).addTo(map)
-          .bindPopup(user.description);
-      }
-    });
+    enableAuth();
   }
 });
diff --git a/app/assets/stylesheets/common.scss b/app/assets/stylesheets/common.scss
index cbc721b3f..b4ce35d1d 100644
--- a/app/assets/stylesheets/common.scss
+++ b/app/assets/stylesheets/common.scss
@@ -1681,11 +1681,11 @@ tr.turn:hover {
 
 /* Rules for the log in page */
 
-#login_openid_buttons {
+#login_auth_buttons {
   margin-bottom: 0;
 }
 
-#login_openid_buttons li {
+#login_auth_buttons li {
   float: left;
   padding: $lineheight/4 $lineheight/2;
 }
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index b1d6c86f7..a62e58b0e 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -80,7 +80,11 @@ class UserController < ApplicationController
         @user.languages = http_accept_language.user_preferred_languages
         @user.terms_agreed = Time.now.getutc
         @user.terms_seen = true
-        @user.openid_url = nil if @user.openid_url && @user.openid_url.empty?
+
+        if @user.auth_uid.nil? || @user.auth_uid.empty?
+          @user.auth_provider = nil
+          @user.auth_uid = nil
+        end
 
         if @user.save
           flash[:piwik_goal] = PIWIK["goals"]["signup"] if defined?(PIWIK)
@@ -119,17 +123,13 @@ class UserController < ApplicationController
     @tokens = @user.oauth_tokens.authorized
 
     if params[:user] && params[:user][:display_name] && params[:user][:description]
-      if params[:user][:openid_url] &&
-         params[:user][:openid_url].length > 0 &&
-         params[:user][:openid_url] != @user.openid_url
-        # If the OpenID has changed, we want to check that it is a
-        # valid OpenID and one the user has control over before saving
-        # it as a password equivalent for the user.
-        session[:new_user_settings] = params
-        openid_url = openid_expand_url(params[:user][:openid_url])
-        redirect_to auth_path(:provider => "openid", :openid_url => openid_url, :origin => request.path)
-      else
+      if params[:user][:auth_provider].blank? ||
+         (params[:user][:auth_provider] == @user.auth_provider &&
+          params[:user][:auth_uid] == @user.auth_uid)
         update_user(@user, params)
+      else
+        session[:new_user_settings] = params
+        redirect_to auth_url(params[:user][:auth_provider], params[:user][:auth_uid])
       end
     end
   end
@@ -206,13 +206,14 @@ class UserController < ApplicationController
       else
         redirect_to :controller => "site", :action => "index"
       end
-    elsif params.key?(:openid)
+    elsif params.key?(:auth_provider) && params.key?(:auth_uid)
       @user = User.new(:email => params[:email],
                        :email_confirmation => params[:email],
                        :display_name => params[:nickname],
-                       :openid_url => params[:openid])
+                       :auth_provider => params[:auth_provider],
+                       :auth_uid => params[:auth_uid])
 
-      flash.now[:notice] = t "user.new.openid association"
+      flash.now[:notice] = t "user.new.auth association"
     else
       check_signup_allowed
     end
@@ -226,9 +227,9 @@ class UserController < ApplicationController
 
       @user.status = "pending"
 
-      if @user.openid_url.present? && @user.pass_crypt.empty?
-        # We are creating an account with OpenID and no password
-        # was specified so create a random one
+      if @user.auth_provider.present? && @user.auth_uid.present? && @user.pass_crypt.empty?
+        # We are creating an account with external authentication and
+        # no password was specified so create a random one
         @user.pass_crypt = SecureRandom.base64(16)
         @user.pass_crypt_confirmation = @user.pass_crypt
       end
@@ -236,11 +237,10 @@ class UserController < ApplicationController
       if @user.invalid?
         # Something is wrong with a new user, so rerender the form
         render :action => "new"
-      elsif @user.openid_url.present?
-        # Verify OpenID before moving on
+      elsif @user.auth_provider.present? && @user.auth_uid.present?
+        # Verify external authenticator before moving on
         session[:new_user] = @user
-        openid_url = openid_expand_url(@user.openid_url)
-        redirect_to auth_path(:provider => "openid", :openid_url => openid_url, :origin => request.path)
+        redirect_to auth_url(@user.auth_provider, @user.auth_uid)
       else
         # Save the user record
         session[:new_user] = @user
@@ -255,8 +255,7 @@ class UserController < ApplicationController
 
       if params[:openid_url].present?
         session[:remember_me] ||= params[:remember_me_openid]
-        openid_url = openid_expand_url(params[:openid_url])
-        redirect_to auth_path(:provider => "openid", :openid_url => openid_url, :origin => request.path)
+        redirect_to auth_url("openid", params[:openid_url])
       else
         session[:remember_me] ||= params[:remember_me]
         password_authentication(params[:username], params[:password])
@@ -482,11 +481,20 @@ class UserController < ApplicationController
   def auth_success
     auth_info = env["omniauth.auth"]
 
-    openid_url = auth_info[:uid]
+    provider = auth_info[:provider]
+    uid = auth_info[:uid]
     name = auth_info[:info][:name]
     email = auth_info[:info][:email]
 
-    if user = User.find_by_openid_url(openid_url)
+    case provider
+    when "openid"
+      email_verified = uid.match(%r{https://www.google.com/accounts/o8/id?(.*)}) ||
+                       uid.match(%r{https://me.yahoo.com/(.*)})
+    else
+      email_verified = false
+    end
+
+    if user = User.find_by_auth_provider_and_auth_uid(provider, uid)
       case user.status
       when "pending" then
         unconfirmed_login(user)
@@ -498,21 +506,24 @@ class UserController < ApplicationController
         failed_login t("user.login.auth failure")
       end
     elsif settings = session.delete(:new_user_settings)
-      @user.openid_url = openid_url
+      @user.auth_provider = provider
+      @user.auth_uid = uid
 
       update_user(@user, settings)
 
       redirect_to :action => "account", :display_name => @user.display_name
     elsif session[:new_user]
-      session[:new_user].openid_url = openid_url
+      session[:new_user].auth_provider = provider
+      session[:new_user].auth_uid = uid
 
-      if email == session[:new_user].email && openid_email_verified(email)
+      if email_verified && email == session[:new_user].email
         session[:new_user].status = "active"
       end
 
       redirect_to :action => "terms"
     else
-      redirect_to :action => "new", :nickname => name, :email => email, :openid => openid_url
+      redirect_to :action => "new", :nickname => name, :email => email,
+                  :auth_provider => provider, :auth_uid => uid
     end
   end
 
@@ -539,6 +550,16 @@ class UserController < ApplicationController
     end
   end
 
+  ##
+  # return the URL to use for authentication
+  def auth_url(provider, uid)
+    if provider == "openid"
+      auth_path(:provider => "openid", :openid_url => openid_expand_url(uid), :origin => request.path)
+    else
+      auth_path(:provider => provider, :origin => request.path)
+    end
+  end
+
   ##
   # special case some common OpenID providers by applying heuristics to
   # try and come up with the correct URL based on what the user entered
@@ -556,14 +577,6 @@ class UserController < ApplicationController
     end
   end
 
-  ##
-  # check if we trust an OpenID provider to return a verified
-  # email, so that we can skpi verifying it ourselves
-  def openid_email_verified(openid_url)
-    openid_url.match(%r{https://www.google.com/accounts/o8/id?(.*)}) ||
-      openid_url.match(%r{https://me.yahoo.com/(.*)})
-  end
-
   ##
   # process a successful login
   def successful_login(user)
@@ -649,7 +662,11 @@ class UserController < ApplicationController
       user.preferred_editor = params[:user][:preferred_editor]
     end
 
-    user.openid_url = nil if params[:user][:openid_url].blank?
+    if params[:user][:auth_provider].nil? || params[:user][:auth_provider].blank? ||
+       params[:user][:auth_uid].nil? || params[:user][:auth_uid].blank?
+      user.auth_provider = nil
+      user.auth_uid = nil
+    end
 
     if user.save
       set_locale
@@ -728,7 +745,9 @@ class UserController < ApplicationController
   ##
   # return permitted user parameters
   def user_params
-    params.require(:user).permit(:email, :email_confirmation, :display_name, :openid_url, :pass_crypt, :pass_crypt_confirmation)
+    params.require(:user).permit(:email, :email_confirmation, :display_name,
+                                 :auth_provider, :auth_uid,
+                                 :pass_crypt, :pass_crypt_confirmation)
   end
 
   ##
diff --git a/app/helpers/user_helper.rb b/app/helpers/user_helper.rb
index d48837166..dd4c343d8 100644
--- a/app/helpers/user_helper.rb
+++ b/app/helpers/user_helper.rb
@@ -42,18 +42,18 @@ module UserHelper
     end
   end
 
-  # OpenID support
+  # External authentication support
 
   def openid_logo
     image_tag "openid_small.png", :alt => t("user.login.openid_logo_alt"), :class => "openid_logo"
   end
 
-  def openid_button(name, url)
+  def auth_button(name, provider, options)
     link_to(
-      image_tag("#{name}.png", :alt => t("user.login.openid_providers.#{name}.alt")),
-      auth_path(:provider => "openid", :openid_url => url),
-      :class => "openid_button",
-      :title => t("user.login.openid_providers.#{name}.title")
+      image_tag("#{name}.png", :alt => t("user.login.auth_providers.#{name}.alt")),
+      auth_path(options.merge(:provider => provider)),
+      :class => "auth_button",
+      :title => t("user.login.auth_providers.#{name}.title")
     )
   end
 
diff --git a/app/models/user.rb b/app/models/user.rb
index e6a11b6bd..ac293a0bd 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -39,7 +39,6 @@ class User < ActiveRecord::Base
   validates_confirmation_of :pass_crypt # , :message => ' must match the confirmation password'
   validates_uniqueness_of :display_name, :allow_nil => true, :case_sensitive => false, :if => proc { |u| u.display_name_changed? }
   validates_uniqueness_of :email, :case_sensitive => false, :if => proc { |u| u.email_changed? }
-  validates_uniqueness_of :openid_url, :allow_nil => true
   validates_length_of :pass_crypt, :within => 8..255
   validates_length_of :display_name, :within => 3..255, :allow_nil => true
   validates_email_format_of :email, :if => proc { |u| u.email_changed? }
@@ -199,7 +198,8 @@ class User < ActiveRecord::Base
     self.image = nil
     self.email_valid = false
     self.new_email = nil
-    self.openid_url = nil
+    self.auth_provider = nil
+    self.auth_uid = nil
     self.status = "deleted"
     save
   end
diff --git a/app/views/user/account.html.erb b/app/views/user/account.html.erb
index 1cd05aba6..93ee79cb6 100644
--- a/app/views/user/account.html.erb
+++ b/app/views/user/account.html.erb
@@ -1,3 +1,7 @@
+<% content_for :head do %>
+  <%= javascript_include_tag "user" %>
+<% end %>
+
 <% content_for :heading do %>
   <h1><%= t 'user.account.my settings' %></h1>
   <ul class='secondary-actions clearfix'>
@@ -43,8 +47,9 @@
 
   <fieldset>
     <div class="form-row">
-      <label class="standard-label"><%= t 'user.account.openid.openid' %></label>
-      <%= f.text_field :openid_url, {:id => "openid_url", :class => "openid_url"} %>
+      <label class="standard-label"><%= t 'user.account.external auth' %></label>
+      <%= f.select :auth_provider, { "None" => "", "OpenID" => "openid" } %>
+      <%= f.text_field :auth_uid %>
       <span class="form-help deemphasize">(<a href="<%= t 'user.account.openid.link' %>" target="_new"><%= t 'user.account.openid.link text' %></a>)</span>
     </diV>
   </fieldset>
@@ -161,9 +166,6 @@
       <input type="checkbox" name="updatehome" value="1" <% unless @user.home_lat and @user.home_lon %> checked="checked" <% end %> id="updatehome" />
       <label class="standard-label" for="updatehome"><%= t 'user.account.update home location on click' %></label>
     </div>
-    <% content_for :head do %>
-      <%= javascript_include_tag "user" %>
-    <% end %>
     <%= content_tag "div", "", :id => "map", :class => "content_map settings_map set_location" %>
   </fieldset>
 
diff --git a/app/views/user/login.html.erb b/app/views/user/login.html.erb
index 9fdeb3ab3..0f193e896 100644
--- a/app/views/user/login.html.erb
+++ b/app/views/user/login.html.erb
@@ -38,26 +38,26 @@
 
       <fieldset class='form-divider'>
 
-        <p class='standard-label'><%= t 'user.login.with openid' %></p>
-
-        <ul class='clearfix' id="login_openid_buttons">
-          <li><%= link_to image_tag("openid.png", :alt => t("user.login.openid_providers.openid.title")), "#", :id => "openid_open_url", :title => t("user.login.openid_providers.openid.title") %></li>
-          <li><%= openid_button "google", "https://www.google.com/accounts/o8/id" %></li>
-          <li><%= openid_button "yahoo", "yahoo.com" %></li>
-          <li><%= openid_button "wordpress", "wordpress.com" %></li>
-          <li><%= openid_button "aol", "aol.com" %></li>
+        <p class='standard-label'><%= t 'user.login.with external' %></p>
+
+        <ul class='clearfix' id="login_auth_buttons">
+          <li><%= link_to image_tag("openid.png", :alt => t("user.login.auth_providers.openid.title")), "#", :id => "openid_open_url", :title => t("user.login.auth_providers.openid.title") %></li>
+          <li><%= auth_button "google", "openid", :openid_url => "https://www.google.com/accounts/o8/id" %></li>
+          <li><%= auth_button "yahoo", "openid", :openid_url => "yahoo.com" %></li>
+          <li><%= auth_button "wordpress", "openid", :openid_url => "wordpress.com" %></li>
+          <li><%= auth_button "aol", "openid", :openid_url => "aol.com" %></li>
         </ul>
 
-          <div id='login_openid_url' class='form-row'>
-            <label class="standard-label"><%= raw t 'user.login.openid', :logo => openid_logo %></label>
-            <%= text_field_tag("openid_url", "", { :tabindex => 3, :class => "openid_url" }) %>
-            <span class="minorNote">(<a href="<%= t 'user.account.openid.link' %>" target="_new"><%= t 'user.account.openid.link text' %></a>)</span>
-          </div>
+        <div id='login_openid_url' class='form-row'>
+          <label class="standard-label"><%= raw t 'user.login.openid', :logo => openid_logo %></label>
+          <%= text_field_tag("openid_url", "", { :tabindex => 3, :class => "openid_url" }) %>
+          <span class="minorNote">(<a href="<%= t 'user.account.openid.link' %>" target="_new"><%= t 'user.account.openid.link text' %></a>)</span>
+        </div>
 
-          <div class='form-row'>
-            <%= check_box_tag "remember_me_openid", "yes", false, :tabindex => 5 %>
-            <label class="standard-label" for="remember_me_openid"><%= t 'user.login.remember' %></label>
-          </div>
+        <div class='form-row'>
+          <%= check_box_tag "remember_me_openid", "yes", false, :tabindex => 5 %>
+          <label class="standard-label" for="remember_me_openid"><%= t 'user.login.remember' %></label>
+        </div>
 
         <%= submit_tag t('user.login.login_button'), :tabindex => 6, :id => "login_openid_submit" %>
 
@@ -78,7 +78,7 @@ $(document).ready(function() {
 
   $("#openid_open_url").click(function() {
     $("#openid_url").val("http://");
-    $("#login_openid_buttons").hide();
+    $("#login_auth_buttons").hide();
     $("#login_openid_url").show();
     $("#login_openid_submit").show();
   });
diff --git a/app/views/user/new.html.erb b/app/views/user/new.html.erb
index d7e9bd63d..687857bfd 100644
--- a/app/views/user/new.html.erb
+++ b/app/views/user/new.html.erb
@@ -1,3 +1,7 @@
+<% content_for :head do %>
+  <%= javascript_include_tag "user" %>
+<% end %>
+
 <% content_for :heading do %>
   <h1><%= t 'user.new.title' %></h1>
   <div class='header-illustration new-user-main'></div>
@@ -36,15 +40,16 @@
     <span class="form-help deemphasize"><%= t 'user.new.display name description' %></span>
   </fieldset>
 
-  <fieldset class="form-divider" id="openid_field">
+  <fieldset class="form-divider" id="auth_field">
     <div class="form-row">
       <label for="openid_url" class="standard-label">
-        <%= raw t 'user.new.openid', :logo => openid_logo %>
+        <%= raw t 'user.new.external auth' %>
       </label>
-      <%= text_field(:user, :openid_url, { :id => "openid_url", :tabindex => 4, :class => "openid_url" }) %>
-      <%= error_message_on(:user, :openid_url) %>
+      <%= select(:user, :auth_provider, { "None" => "", "OpenID" => "openid" }, { :default => "", :tabindex => 4 }) %>
+      <%= text_field(:user, :auth_uid, { :tabindex => 5 }) %>
+      <%= error_message_on(:user, :auth_uid) %>
     </div>
-    <span class="form-help deemphasize"><%= t 'user.new.openid no password' %></span>
+    <span class="form-help deemphasize"><%= t 'user.new.auth no password' %></span>
   </fieldset>
 
   <fieldset>
@@ -52,52 +57,26 @@
       <label for='user[pass_crypt]' class="standard-label">
         <%= t 'user.new.password' %>
       </label>
-      <%= password_field(:user, :pass_crypt, {:tabindex => 5 }) %>
+      <%= password_field(:user, :pass_crypt, { :tabindex => 6 }) %>
       <%= error_message_on(:user, :pass_crypt) %>
     </div>
     <div class="form-row">
       <label class="standard-label">
         <%= t 'user.new.confirm password' %>
       </label>
-      <%= password_field(:user, :pass_crypt_confirmation, { :tabindex => 6 }) %>
+      <%= password_field(:user, :pass_crypt_confirmation, { :tabindex => 7 }) %>
       <%= error_message_on(:user, :pass_crypt_confirmation) %>
     </div>
   </fieldset>
 
-  <div id="openid_prompt" class="form-row">
-    <%= link_to raw(t("user.new.use openid", :logo => openid_logo)), "#", :id => "openid_enable" %>
+  <div id="auth_prompt" class="form-row">
+    <%= link_to raw(t("user.new.use external auth")), "#", :id => "auth_enable" %>
   </div>
 
-  <%= submit_tag t('user.new.continue'), :tabindex => 6 %>
+  <%= submit_tag t('user.new.continue'), :tabindex => 8 %>
 <% end %>
 
 <div class='aside col6 deemphasize inner22'>
   <h4><%= t 'user.new.about.header' %></h4>
   <%= t 'user.new.about.html' %>
 </div>
-
-<script type="text/javascript">
-function enableOpenID()
-{
-  $("#openid_prompt").hide();
-  $("#openid_field").show();
-  $("#openid_url").prop("disabled", false);
-}
-
-function disableOpenID()
-{
-  $("#openid_prompt").show();
-  $("#openid_field").hide();
-  $("#openid_url").prop("disabled", true);
-}
-
-$(document).ready(function () {
-  $("#openid_enable").click(enableOpenID);
-
-  <% if params[:openid] or (@user and @user.openid_url.present?) -%>
-  enableOpenID();
-  <% else -%>
-  disableOpenID();
-  <% end -%>
-});
-</script>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index c58ee0db5..e82fbdf02 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1681,7 +1681,7 @@ en:
       login_button: "Login"
       register now: Register now
       with username: "Already have an OpenStreetMap account? Please login with your username and password:"
-      with openid: "Alternatively, use OpenID to login:"
+      with external: "Alternatively, use a third party to login:"
       new to osm: New to OpenStreetMap?
       to make changes: To make changes to the OpenStreetMap data, you must have an account.
       create account minute: Create an account. It only takes a minute.
@@ -1690,7 +1690,7 @@ en:
       account is suspended: Sorry, your account has been suspended due to suspicious activity.<br />Please contact the <a href="%{webmaster}">webmaster</a> if you wish to discuss this.
       auth failure: "Sorry, could not log in with those details."
       openid_logo_alt: "Log in with an OpenID"
-      openid_providers:
+      auth_providers:
         openid:
           title: Login with OpenID
           alt: Login with an OpenID URL
@@ -1742,19 +1742,19 @@ en:
       not displayed publicly: 'Not displayed publicly (see <a href="http://wiki.openstreetmap.org/wiki/Privacy_Policy" title="wiki privacy policy including section on email addresses">privacy policy</a>)'
       display name: "Display Name:"
       display name description: "Your publicly displayed username. You can change this later in the preferences."
-      openid: "%{logo} OpenID:"
+      external auth: "Third Party Authentication:"
       password: "Password:"
       confirm password: "Confirm Password:"
-      use openid: "Alternatively, use %{logo} OpenID to login"
-      openid no password: "With OpenID a password is not required, but some extra tools or server may still need one."
-      openid association: |
-        <p>Your OpenID is not associated with a OpenStreetMap account yet.</p>
+      use external auth: "Alternatively, use a third party to login"
+      auth no password: "With third party authentication a password is not required, but some extra tools or server may still need one."
+      auth association: |
+        <p>Your ID is not associated with a OpenStreetMap account yet.</p>
         <ul>
           <li>If you are new to OpenStreetMap, please create a new account using the form below.</li>
           <li>
             If you already have an account, you can login to your account
             using your username and password and then associate the account
-            with your OpenID in your user settings.
+            with your ID in your user settings.
           </li>
         </ul>
       continue: Sign Up
@@ -1857,8 +1857,8 @@ en:
       current email address: "Current Email Address:"
       new email address: "New Email Address:"
       email never displayed publicly: "(never displayed publicly)"
+      external auth: "External Authentication:"
       openid:
-        openid: "OpenID:"
         link: "http://wiki.openstreetmap.org/wiki/OpenID"
         link text: "what is this?"
       public editing:
diff --git a/db/migrate/20150222101847_rename_openid_url.rb b/db/migrate/20150222101847_rename_openid_url.rb
new file mode 100644
index 000000000..b0735b746
--- /dev/null
+++ b/db/migrate/20150222101847_rename_openid_url.rb
@@ -0,0 +1,11 @@
+class RenameOpenidUrl < ActiveRecord::Migration
+  def change
+    rename_column :users, :openid_url, :auth_uid
+    add_column :users, :auth_provider, :string
+
+    User.where.not(:auth_uid => nil).update_all(:auth_provider => "openid")
+
+    add_index :users, [:auth_provider, :auth_uid], :unique => true, :name => "users_auth_idx"
+    remove_index :users, :column => :auth_uid, :unique => true, :name => "user_openid_url_idx"
+  end
+end
diff --git a/db/structure.sql b/db/structure.sql
index 8e76de516..a084ee624 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -120,6 +120,33 @@ CREATE TYPE user_status_enum AS ENUM (
 );
 
 
+--
+-- Name: maptile_for_point(bigint, bigint, integer); Type: FUNCTION; Schema: public; Owner: -
+--
+
+CREATE FUNCTION maptile_for_point(bigint, bigint, integer) RETURNS integer
+    LANGUAGE c STRICT
+    AS '/srv/www/omniauth.osm.compton.nu/db/functions/libpgosm.so', 'maptile_for_point';
+
+
+--
+-- Name: tile_for_point(integer, integer); Type: FUNCTION; Schema: public; Owner: -
+--
+
+CREATE FUNCTION tile_for_point(integer, integer) RETURNS bigint
+    LANGUAGE c STRICT
+    AS '/srv/www/omniauth.osm.compton.nu/db/functions/libpgosm.so', 'tile_for_point';
+
+
+--
+-- Name: xid_to_int4(xid); Type: FUNCTION; Schema: public; Owner: -
+--
+
+CREATE FUNCTION xid_to_int4(xid) RETURNS integer
+    LANGUAGE c IMMUTABLE STRICT
+    AS '/srv/www/omniauth.osm.compton.nu/db/functions/libpgosm.so', 'xid_to_int4';
+
+
 SET default_tablespace = '';
 
 SET default_with_oids = false;
@@ -1080,7 +1107,7 @@ CREATE TABLE users (
     status user_status_enum DEFAULT 'pending'::user_status_enum NOT NULL,
     terms_agreed timestamp without time zone,
     consider_pd boolean DEFAULT false NOT NULL,
-    openid_url character varying,
+    auth_uid character varying,
     preferred_editor character varying,
     terms_seen boolean DEFAULT false NOT NULL,
     description_format format_enum DEFAULT 'markdown'::format_enum NOT NULL,
@@ -1089,7 +1116,8 @@ CREATE TABLE users (
     traces_count integer DEFAULT 0 NOT NULL,
     diary_entries_count integer DEFAULT 0 NOT NULL,
     image_use_gravatar boolean DEFAULT true NOT NULL,
-    image_content_type character varying
+    image_content_type character varying,
+    auth_provider character varying
 );
 
 
@@ -1943,13 +1971,6 @@ CREATE UNIQUE INDEX unique_schema_migrations ON schema_migrations USING btree (v
 CREATE INDEX user_id_idx ON friends USING btree (friend_user_id);
 
 
---
--- Name: user_openid_url_idx; Type: INDEX; Schema: public; Owner: -; Tablespace: 
---
-
-CREATE UNIQUE INDEX user_openid_url_idx ON users USING btree (openid_url);
-
-
 --
 -- Name: user_roles_id_role_unique; Type: INDEX; Schema: public; Owner: -; Tablespace: 
 --
@@ -1971,6 +1992,13 @@ CREATE UNIQUE INDEX user_tokens_token_idx ON user_tokens USING btree (token);
 CREATE INDEX user_tokens_user_id_idx ON user_tokens USING btree (user_id);
 
 
+--
+-- Name: users_auth_idx; Type: INDEX; Schema: public; Owner: -; Tablespace: 
+--
+
+CREATE UNIQUE INDEX users_auth_idx ON users USING btree (auth_provider, auth_uid);
+
+
 --
 -- Name: users_display_name_idx; Type: INDEX; Schema: public; Owner: -; Tablespace: 
 --
@@ -2518,6 +2546,8 @@ INSERT INTO schema_migrations (version) VALUES ('20150110152606');
 
 INSERT INTO schema_migrations (version) VALUES ('20150111192335');
 
+INSERT INTO schema_migrations (version) VALUES ('20150222101847');
+
 INSERT INTO schema_migrations (version) VALUES ('21');
 
 INSERT INTO schema_migrations (version) VALUES ('22');
diff --git a/test/controllers/user_controller_test.rb b/test/controllers/user_controller_test.rb
index 7b5f77d62..4bc52f8d4 100644
--- a/test/controllers/user_controller_test.rb
+++ b/test/controllers/user_controller_test.rb
@@ -886,7 +886,8 @@ class UserControllerTest < ActionController::TestCase
     assert_equal false, user.image.file?
     assert_equal false, user.email_valid
     assert_nil user.new_email
-    assert_nil user.openid_url
+    assert_nil user.auth_provider
+    assert_nil user.auth_uid
     assert_equal "deleted", user.status
   end
 end
diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml
index d5bdcd978..8835379e2 100644
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@@ -107,7 +107,8 @@ openid_user:
   creation_time: "2008-05-01 01:23:45"
   display_name: openIDuser
   data_public: true
-  openid_url: http://localhost:1123/john.doe
+  auth_provider: openid
+  auth_uid: http://localhost:1123/john.doe
   terms_agreed: "2010-01-01 11:22:33"
   terms_seen: true
   languages: en
diff --git a/test/integration/user_creation_test.rb b/test/integration/user_creation_test.rb
index ce9eec5af..64f298ba1 100644
--- a/test/integration/user_creation_test.rb
+++ b/test/integration/user_creation_test.rb
@@ -156,7 +156,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         post "/user/new",
-             :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :openid_url => "http://localhost:1123/new.tester", :pass_crypt => "", :pass_crypt_confirmation => "" }
+             :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :auth_provider => "openid", :auth_uid => "http://localhost:1123/new.tester", :pass_crypt => "", :pass_crypt_confirmation => "" }
         assert_response :redirect
         assert_redirected_to auth_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
         follow_redirect!
@@ -166,7 +166,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
         assert_response :redirect
         assert_redirected_to "/user/terms"
         post "/user/save",
-             :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :openid_url => "http://localhost:1123/new.tester", :pass_crypt => password, :pass_crypt_confirmation => password }
+             :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :auth_provider => "openid", :auth_uid => "http://localhost:1123/new.tester", :pass_crypt => password, :pass_crypt_confirmation => password }
         assert_response :redirect
         follow_redirect!
       end
@@ -187,7 +187,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     assert_difference("User.count", 0) do
       assert_difference("ActionMailer::Base.deliveries.size", 0) do
         post "/user/new",
-             :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :openid_url => "http://localhost:1123/new.tester", :pass_crypt => "", :pass_crypt_confirmation => "" }
+             :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :auth_provider => "openid", :auth_uid => "http://localhost:1123/new.tester", :pass_crypt => "", :pass_crypt_confirmation => "" }
         assert_response :redirect
         assert_redirected_to auth_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
         follow_redirect!
@@ -217,7 +217,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
     assert_difference("User.count") do
       assert_difference("ActionMailer::Base.deliveries.size", 1) do
         post "/user/new",
-             :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :openid_url => "http://localhost:1123/new.tester", :pass_crypt => "", :pass_crypt_confirmation => "" }, :referer => referer
+             :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :auth_provider => "openid", :auth_uid => "http://localhost:1123/new.tester", :pass_crypt => "", :pass_crypt_confirmation => "" }, :referer => referer
         assert_response :redirect
         assert_redirected_to auth_path(:provider => "openid", :openid_url => "http://localhost:1123/new.tester", :origin => "/user/new")
         follow_redirect!
@@ -227,7 +227,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
         assert_response :redirect
         assert_redirected_to "/user/terms"
         post_via_redirect "/user/save",
-                          :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :openid_url => "http://localhost:1123/new.tester", :pass_crypt => "testtest", :pass_crypt_confirmation => "testtest" }
+                          :user => { :email => new_email, :email_confirmation => new_email, :display_name => display_name, :auth_provider => "openid", :auth_uid => "http://localhost:1123/new.tester", :pass_crypt => "testtest", :pass_crypt_confirmation => "testtest" }
       end
     end
 
-- 
2.43.2