incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Jaquith (JIRA)" <>
Subject [jira] Commented: (JSPWIKI-94) OpenID support
Date Tue, 24 Feb 2009 17:22:01 GMT


Andrew Jaquith commented on JSPWIKI-94:

What I meant is that when you accept "any" OpenID assertion, you don't really know who is
authenticated unless you know something about the OP. The example you gave (rogue OP) is one
example of how OpenID could fail -- there are others, though.

My current thinking is that we should have a configurable option, probably as JAAS configuration
options, that defines what OPs we accept OpenID assertions from. We would use SREG to obtain
the information needed to create an account In JSPWiki.

By default, the list of acceptable OPs would be a short list: Gmail, Yahoo!, VeriSign and
probably about a half-dozen others. But if the admin wanted, they could configure the system
to accept any OP. This would be the "other" OP option you describe in step 3.

As far as registration confirmation goes -- that is a separate issue. You can turn on workflows
for confirming registrations today, for all registrations. I think this will work the same
way in 3.0 -- approvals are either on (for every OP) or off. 

> OpenID support
> --------------
>                 Key: JSPWIKI-94
>                 URL:
>             Project: JSPWiki
>          Issue Type: New Feature
>          Components: Authentication&Authorization
>            Reporter: Janne Jalkanen
>            Priority: Minor
>             Fix For: 3.1
> Now that OpenID2.0 is launched, we should look seriously into enabling that as a way
to manage your JSPWiki identity.
> I don't want to put any specific version on this item - it'll come when someone is motivated
enough to make it work ;-).  But it's a good idea to keep here so that we don't forget about

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message