incubator-esme-dev mailing list archives

From Richard Hirsch <hirsch.d...@gmail.com>
Subject Re: Broken OpenID
Date Mon, 14 Jun 2010 12:20:13 GMT
Yep - unless there are bugs associated with it.

I'll probably create a video on how to use it and post it on our new YouTube
channel when I've got a few minutes to spare.

D.

On Mon, Jun 14, 2010 at 2:12 PM, Anne Kathrine Petterøe <yojibee@gmail.com> wrote:

> So consensus is to keep OpenID, but not invest any more time in it?
>
> On 14. juni 2010, at 12.25, Richard Hirsch wrote:
>
> > I agree with Vassil. If I remember correctly, users created via OpenID had
> > their openid urls as their user ids which messed up our UI.
> >
> > The one idea I had was to add the OpenID to the sign-up page and created a
> > JIRA item for this. I looked at the code in the ProfileMgr that dealt with
> > this in the profile and decided that adding the openID to the sign-on page
> > was non-trivial and thus placed the jira item in the backlog.
> >
> > On Mon, Jun 14, 2010 at 12:16 PM, Vassil Dichev <vdichev@apache.org> wrote:
> >
> >>> And my question still remains the same ;-)
> >>> Should we use time on this right now, or would it be easier to remove the
> >>> field in the UI for now?
> >>
> >> Sorry for not following up on this: I had the impression that OpenID
> >> worked as intended and the user is not supposed to create a user
> >> through OpenID. This would mean that the username would be
> >> autogenerated and currently you cannot edit the username. This is not
> >> a hard requirement, but do we want to make the username editable? It
> >> might have some implications for using existing pools, actions, etc.
> >> (not that they're bound to the username, but an attacker might use it
> >> for phishing/social engineering).
> >>
> >> Another drawback of OpenID user auto-creation is that a user will not
> >> have a password initially, and might not ever choose to set it. I'm
> >> not sure this is desirable, considering that OpenID might not always
> >> be available and there's no other way to log in.
> >>
> >
> > Good point - the necessity of having two logins is a feature :->
> >
> >
> >> Finally, from a usability point of view, if you think you have associated
> >> an OpenID URL with an existing account, but you have not, then logging
> >> in with OpenID will create a new account you do not want. This is
> >> especially tricky considering that we treat these as different URLs:
> >>
> >> http://host/path/
> >> http://host/path/index.html
> >> http://host.domain.com/path/
> >>
> >> So is OpenID actually broken? If it's not, there's no point in fixing it.
> >>
> >
> > I also agree with Anne that in the long-term, we will probably have
> > container-based authentication, so investing more time in OpenID probably
> > isn't ideal.
> >
> >>
> >> Vassil
> >>
>
>
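
The point raised in the thread about URL variants and unwanted account creation, as an added example that is not part of the thread or of ESME's code: it canonicalizes an OpenID URL before lookup and asks for explicit linking when the identifier is unknown. The names `normalize_openid`, `resolve_login` and the `ACCOUNTS` store are hypothetical, and normalization is syntactic only (no redirects followed, no XRI identifiers).

```python
# Added example, not ESME code: canonicalize an OpenID URL before account lookup.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_openid(identifier: str) -> str:
    """Syntactic normalization only: no redirects followed, no XRI support."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident              # bare "host/path" as typed by a user
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not parts.hostname or parts.username is not None:
        raise ValueError("identifier needs a host and must not carry userinfo")
    host = parts.hostname.lower()
    if ":" in host:                            # IPv6 literal: restore brackets
        host = f"[{host}]"
    if parts.port not in (None, DEFAULT_PORTS[scheme]):
        host = f"{host}:{parts.port}"          # keep only non-default ports
    # Empty path becomes "/", fragment is dropped, query is kept as-is.
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))

def resolve_login(claimed_id: str, accounts: dict, auto_create: bool = False):
    """accounts maps normalized identifier -> local username (hypothetical store)."""
    key = normalize_openid(claimed_id)
    if key in accounts:
        return ("login", accounts[key])
    # Unknown identifier: ask the user to link it instead of silently creating
    # a second, password-less account, unless auto-creation is explicitly on.
    return ("create", key) if auto_create else ("link_required", key)

# Constructed sample data: the three URLs from the thread plus spelling variants.
THREAD_URLS = ["http://host/path/", "http://host/path/index.html",
               "http://host.domain.com/path/"]
ACCOUNTS = {"http://host/path/": "alice"}

if __name__ == "__main__":
    for url in THREAD_URLS + ["HTTP://Host:80/path/#me", "host/path/"]:
        print(f"{url:32} -> {resolve_login(url, ACCOUNTS)}")
```

The three URLs from the thread stay distinct after normalization, so only case, default-port, fragment and missing-scheme variants collapse onto the same account.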
