[OpenStack-Infra] On being an OpenID consumer instead of an OpenID producer.

James E. Blair jeblair at openstack.org
Wed Sep 25 15:55:00 UTC 2013


Ryan Lane <rlane at wikimedia.org> writes:

> Making a provider is relatively simple and is a great way of providing SSO
> for a set of applications you maintain. There are a number of good provider
> implementations around. A good way of handling OpenID for our applications
> would be to make all of the applications use our OpenID provider as a
> central forced provider, then to work on making the provider allow other
> forms of authentication, like Persona, or possibly OpenID as a consumer if
> a usable interface can be made.

I like this idea.  We have a number of applications which all support
OpenID, and we are using that now, successfully, in an SSO style (where
we force authn via the Launchpad OpenID provider).  So this changes very
little about how most of our sites perform authentication.

By using OpenID as a federation protocol among OpenStack-related sites,
and running an OpenID provider to support that, we can incrementally
change our single-sign-on system.  The OpenID provider can evolve to
support authentication via Persona and be an OpenID consumer itself (in
addition to local password storage).

We can also, in the future, consider supporting other methods of
federation (LDAP, OAuth, etc.) out from the provider.

Basically, it's flexible, works with all our current systems, and lets
us change things incrementally.

-Jim
