--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "vendor/plugins/open_id_authentication"]
+	path = vendor/plugins/open_id_authentication
+	url = git://github.com/josh/open_id_authentication.git

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,21 +1,16 @@
-# This controller handles the login/logout function of the site.  
+  require "openid"
+  require "yadis"
+# This controller handles the login/logout function of the site.
 class SessionsController < ApplicationController
   # render new.rhtml
   def new
   end
 
   def create
-    self.current_user = User.authenticate(params[:email], params[:password])
-    if logged_in?
-      if params[:remember_me] == "1"
-        self.current_user.remember_me
-        cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
-      end
-      redirect_back_or_default('/')
-      flash[:notice] = "Logged in successfully"
+    if using_open_id?
+      open_id_authentication(params[:openid_url])
     else
-      flash.now[:error] = "Username/password didn't match, please try again."
-      render :action => 'new'
+      password_authentication(params[:email], params[:password])
     end
   end
 
@@ -26,4 +21,61 @@ class SessionsController < ApplicationController
     flash[:notice] = "You have been logged out."
     redirect_back_or_default('/')
   end
+
+  protected
+
+  # if user doesn't exist, it gets created and activated,
+  # else if the user already exists with same identity_url, it just logs in
+  def open_id_authentication(openid_url)
+    authenticate_with_open_id(openid_url, :required => [:nickname, :email], :optional => [:fullname]) do |result, identity_url, registration|
+      if result.successful?
+        @user = User.find_or_initialize_by_identity_url(identity_url)
+        if @user.new_record?
+          @user.login = registration['nickname']
+          @user.fullname = registration['fullname']
+          @user.email = registration['email']
+          @user.save!
+          @user.activate
+        end
+        self.current_user = @user
+        successful_login
+      else
+        failed_login result.message, 'openid'
+      end
+    end
+    rescue ActiveRecord::RecordInvalid => invalid
+    flash[:error] = "This login (<strong>#{@user.login}</strong>) already exists, please <a href="+@user.identity_url+">choose a different persona or modify the current one</a>"
+
+    redirect_to login_path(:method => 'openid')
+  end
+
+  def password_authentication(email, password)
+    ##self.current_user = User.authenticate(login, password)
+    self.current_user = User.authenticate(email, password)
+    if logged_in?
+      successful_login
+    else
+      failed_login("Username/password didn't match, please try again.")
+    end
+  end
+
+  def failed_login(message = "Authentication failed.",method="")
+    if method==''
+      flash.now[:error] = message
+      render :action => 'new'
+    else
+      redirect_to login_path(:method=>method)
+      flash[:error] = message
+    end
+  end
+
+  def successful_login
+    if params[:remember_me] == "1"
+      self.current_user.remember_me
+      cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
+    end
+    redirect_back_or_default('/')
+    flash[:notice] = "Logged in successfully"
+  end
+
 end

--- a/app/helpers/sessions_helper.rb
+++ b/app/helpers/sessions_helper.rb
@@ -1,2 +1,21 @@
 module SessionsHelper
-end
\ No newline at end of file
+
+  # determines which form to display for login
+  def login_method
+    if params[:method]=='openid'
+      "<script  type=\"text/javascript\"> Event.observe(window, 'load',
+      function() {
+Element.toggle(\"regular_login_fields\");
+Element.toggle(\"openid_login_fields\");
+})
+    </script>"
+    end
+  end
+
+  def switch_login(title, action)
+    link_to_function title do |page|
+      page.toggle "regular_login_fields"
+      page.toggle "openid_login_fields"
+    end
+  end
+end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -6,13 +6,13 @@ class User < ActiveRecord::Base
   has_many :repositories, :through => :committerships
   has_many :ssh_keys, :order => "id desc"
   has_many :comments
-  
+
   # Virtual attribute for the unencrypted password
   attr_accessor :password, :current_password
-  
+
   attr_protected :login
 
-  validates_presence_of     :login, :email
+  validates_presence_of     :login, :email,               :if => :password_required?
   validates_format_of       :login, :with => /^[a-z0-9\-_\.]+$/i
   validates_format_of       :email, :with => /^[^@\s]+@([\-a-z0-9]+\.)+[a-z]{2,}$/i
   validates_presence_of     :password,                   :if => :password_required?
@@ -22,14 +22,14 @@ class User < ActiveRecord::Base
   validates_length_of       :login,    :within => 3..40
   validates_length_of       :email,    :within => 3..100
   validates_uniqueness_of   :login, :email, :case_sensitive => false
-  
+
   before_save :encrypt_password
-  before_create :make_activation_code 
-  
+  before_create :make_activation_code
+
   def self.find_by_login!(name)
     find_by_login(name) || raise(ActiveRecord::RecordNotFound )
   end
-  
+
   # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
   def self.authenticate(email, password)
     u = find :first, :conditions => ['email = ? and activated_at IS NOT NULL', email] # need to get the salt
@@ -40,7 +40,7 @@ class User < ActiveRecord::Base
   def self.encrypt(password, salt)
     Digest::SHA1.hexdigest("--#{salt}--#{password}--")
   end
-  
+
   def self.generate_random_password(password_size = 12)
     characters = (("a".."z").to_a + ("0".."9").to_a) - %w[0 o i l 1]
     (0...password_size).collect do |char|
@@ -75,7 +75,7 @@ class User < ActiveRecord::Base
   end
 
   def remember_token?
-    remember_token_expires_at && Time.now.utc < remember_token_expires_at 
+    remember_token_expires_at && Time.now.utc < remember_token_expires_at
   end
 
   # These create and unset the fields required for remembering users between browser closes
@@ -98,7 +98,7 @@ class User < ActiveRecord::Base
     self.remember_token            = nil
     save(false)
   end
-  
+
   def reset_password!
     generated = User.generate_random_password
     self.password = generated
@@ -106,32 +106,36 @@ class User < ActiveRecord::Base
     self.save!
     generated
   end
-  
+
   def can_write_to?(repository)
     !!committerships.find_by_repository_id(repository.id)
   end
-  
+
   def to_param
     login
   end
-  
+
   def to_xml(opts = {})
     super({:except => [:activation_code, :crypted_password, :remember_token, :remember_token_expires_at, :salt, :ssh_key_id]}.merge(opts))
   end
 
   protected
-    # before filter 
+    # before filter
     def encrypt_password
       return if password.blank?
       self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if new_record?
       self.crypted_password = encrypt(password)
     end
-    
+
     def password_required?
-      crypted_password.blank? || !password.blank?
+      not_openid? && (crypted_password.blank? || !password.blank?)
+    end
+
+    def not_openid?
+      identity_url.blank?
     end
-    
+
     def make_activation_code
       self.activation_code = Digest::SHA1.hexdigest( Time.now.to_s.split(//).sort_by {rand}.join )
-    end 
+    end
 end

--- a/app/views/accounts/edit.html.erb
+++ b/app/views/accounts/edit.html.erb
@@ -14,6 +14,10 @@
     <%= f.label :url, "url <small>blog etc</small>" -%><br />
     <%= f.text_field :url, :class => "text" -%>
   </p>
+  <p>
+    <%= f.label :url, "OpenID" -%><br />
+    <%= f.text_field :identity_url, :class => "text" -%>
+  </p>
   <%= f.submit "Save" -%>
 <% end -%>
 

--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -1,9 +1,11 @@
 <h1>Login</h1>
+<%= login_method %>
 
-
-<% form_tag sessions_path do -%>
-  <p>
-    <label for="login">Email</label><br/>
+<% form_tag sessions_path  do -%>
+  <div id="regular_login_fields">
+    <% # login_method %>
+    <p>
+  <label for="login">Email or <%= switch_login('switch to OpenID','to_openid')%></label><br/>
     <%= text_field_tag 'email', params[:email], :class => "text" %>
   </p>
 
@@ -11,7 +13,13 @@
     <label for="password">Password</label><br/>
     <%= password_field_tag 'password', '', :class => "text" %>
   </p>
-
+  </div>
+  <div id="openid_login_fields" style="display:none;">
+    <p>
+      <label for="openid">OpenID or <%= switch_login('switch to email login', 'to_email') -%></label><br/>
+      <%= text_field_tag 'openid_url', params[:openid_url], :class => "text" -%>
+    </p>
+  </div>
   <p>
     <label for="remember_me">Remember me:</label>
     <%= check_box_tag 'remember_me' %>

--- a/app/views/users/new.html.erb
+++ b/app/views/users/new.html.erb
@@ -1,8 +1,8 @@
-<h1>Create new user</h1>
+<h1>Create new user or <%= link_to "login directly with your OpenID", login_path(:method=>'openid') -%></h1>
 
 <p>
-  Creating a user account allows you to create your own project or participate 
-  in the development of any project. 
+  Creating a user account allows you to create your own project or participate
+  in the development of any project.
 </p>
 
 <%= error_messages_for :user %>

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -28,6 +28,7 @@ ActionController::Routing::Routes.draw do |map|
     :forgot_password => :get,
     :reset_password => :post,
   }
+  map.open_id_complete '/sessions', :controller => "sessions", :action=> "create",:requirements => { :method => :get }
   map.resource  :sessions
   map.with_options(:controller => "projects", :action => "category") do |project_cat|
     project_cat.projects_category "projects/category/:id"

--- /dev/null
+++ b/db/migrate/024_add_open_id_authentication_tables.rb
@@ -0,0 +1,20 @@
+class AddOpenIdAuthenticationTables < ActiveRecord::Migration
+  def self.up
+    create_table :open_id_authentication_associations, :force => true do |t|
+      t.integer :issued, :lifetime
+      t.string :handle, :assoc_type
+      t.binary :server_url, :secret
+    end
+
+    create_table :open_id_authentication_nonces, :force => true do |t|
+      t.integer :timestamp, :null => false
+      t.string :server_url, :null => true
+      t.string :salt, :null => false
+    end
+  end
+
+  def self.down
+    drop_table :open_id_authentication_associations
+    drop_table :open_id_authentication_nonces
+  end
+end

--- /dev/null
+++ b/db/migrate/025_add_identity_url_to_users.rb
@@ -0,0 +1,10 @@
+class AddIdentityUrlToUsers < ActiveRecord::Migration
+  def self.up
+    add_column :users, :identity_url, :text
+  end
+
+  def self.down
+    remove_column :users, :identity_url
+  end
+end
+

Binary files /dev/null and b/public/images/login-bg.gif differ

--- a/public/stylesheets/base.css
+++ b/public/stylesheets/base.css
@@ -343,6 +343,15 @@ textarea:focus, select:focus {
   border: 1px solid #666;
 }
 
+/* embeds the openid image in the text field */
+input#openid_url {
+   background: url(/images/login-bg.gif) no-repeat;
+   background-color: #fff;
+   background-position: 0 50%;
+   color: #000;
+   padding-left: 18px;
+}
+
 .fieldWithErrors { margin: 0; display: block;}
 .fieldWithErrors input, .fieldWithErrors textarea,
 .fieldWithErrors select {

--- /dev/null
+++ b/vendor/plugins/open_id_authentication
@@ -0,0 +1 @@
+Subproject commit d9d6e6ac85e37eedd40b97fa1f7cf25645038a19