[OpenStack-Infra] On being an OpenID consumer instead of an OpenID producer.

Ryan Lane rlane at wikimedia.org
Tue Sep 24 22:52:09 UTC 2013


On Tue, Sep 24, 2013 at 3:37 PM, Atwood, Mark <mark.atwood at hp.com> wrote:

> ++ to making openstack.org/profile an OpenID consumer instead of an
> OpenID producer.
>
> I don’t think there are even any good scalable security-audited
> battle-tested general purpose OpenID producers.  We would have to write one
> from scratch, or take one of the half-done ones and hack on it a great deal
> to make it fit, and then survive being p0wned over and over as we battle
> harden it.
>
> OTOH, there are a lot of good open source implementations of OpenID
> consumer code out there.
>
>
It's actually the opposite of how you describe. Writing a good OpenID consumer
is hard due to user interface design issues, especially since most people
(even most technical people) have no idea how to properly use OpenID.
Education efforts have been ongoing for 8 years, so that won't really help
either.

Making a provider is relatively simple and is a great way of providing SSO
for a set of applications you maintain. There are a number of good provider
implementations around. A good way of handling OpenID for our applications
would be to make all of the applications use our OpenID provider as a
central forced provider, then to work on making the provider allow other
forms of authentication, like Persona, or possibly OpenID as a consumer if
a usable interface can be made.

OpenID as a consumer of random providers on the internet really kind of
sucks. Persona is a much better approach at this (especially from a privacy
point of view) and with the bridges they're adding for most large providers
it is starting to get to a point of usability.

- Ryan