[OpenStack-Infra] On being an OpenID consumer instead of an OpenID producer.

Jeremy Stanley fungi at yuggoth.org
Thu Sep 26 02:20:14 UTC 2013


On 2013-09-24 16:39:44 -0700 (-0700), Ryan Lane wrote:
[...]
> If every application is provider agnostic each one of them will
> have their own OpenID consumer interface. This means it's
> necessary to make all of them look the same, which requires
> modifying a lot of applications. Adding different auth mechanisms
> (like persona) means adding it to every single application, too.
[...]

This reminds me of yet another point in favor of centralization. We
want to be able to correlate information between a user's account in
various distributed systems where there is currently no cross-system
index mapping them to one another. If all of them use a common
OpenID provider then we can key on that, but if they're
provider-agnostic then at least some subset of users will
authenticate to systems with more than one (potentially to different
systems with different providers).

Also not mentioned yet in these threads, but one of the reasons it was
suggested to run our own provider is that we have some services
which are not "Web apps" (so not well-suited to OpenID), and we'd
like to be able to tie other auth protocols into the same backend
eventually to support those systems as well.
-- 
Jeremy Stanley


