[OpenStack-Infra] Desired requirements for centralized contributor identity service (was RE: On being an OpenID consumer instead of an OpenID producer.)
Ryan Lane
rlane at wikimedia.org
Thu Sep 26 22:00:00 UTC 2013
I should give a good warning for any implementation: make the user's ID
their local identifier and have usernames delegate to their identifier.
Otherwise you run into a security issue with renaming users: fallenpegasus
requests a rename, then a new user takes fallenpegasus, thereby stealing
their identity on sites registered with
https://id.openstack.org/~fallenpegasus.
It's also not a bad idea to version the openid urls, like:
https://id.openstack.org/v1/<id>
where
https://id.openstack.org/~fallenpegasus -> https://id.openstack.org/v1/1
assuming ~fallenpegasus's ID is 1.
This makes it possible to change URL schemes in the future while still
keeping backwards compatibility for older names.
On Thu, Sep 26, 2013 at 2:40 PM, Atwood, Mark <mark.atwood at hp.com> wrote:
> Hmm, ok. I am painfully about convinced that a centralized auth solution
> is
> the right choice for us.
>
> While I'm wishing for a pony:
>
> First of all and most of all, I want the whole thing to be open source, and
> managed via the OpenStack infra review process, just like the rest of the
> stuff managed by Monty's team.
>
> I want it to have a web UI with a URL like
> https://id.openstack.org/~fallenpegasus so I can see someone's
> name,
> email addresses,
> gravitar photograph,
> when did they join the foundation,
> are they (board, TC, PTL, Core (of which teams)) and since when,
> project participation history,
> IRC handles,
> XMPP ids,
> PGP key fingerprints,
> social media URLs,
> Launchpad id,
> GitHub id,
> and Ohloh account.
>
> I want it to have, via some API, all the employer history tracking that is
> currently contained and duplicated in various data files in the gitdm
> project
> and stackalytics project.
>
> I want it to do LDAP, vCard, and PoCo, and make all that data I wished for
> the
> past few paragraphs available over those APIs.
>
> I want it to do OpenID and OpenID Connect (for the web apps), and a good
> backend to SASL (for the non-web apps).
>
> And I want it to support standard OATH TOTP 2-factor auth.
>
> AND
>
> And I want world peace.
>
> :)
>
> ..m
>
> Mark Atwood <mark.atwood at hp.com>
> Director of Open Source Engagement for HP Cloud Services
> M +1-206-473-7118
>
>
> > -----Original Message-----
> > From: Jeremy Stanley [mailto:fungi at yuggoth.org]
> > Sent: Wednesday, September 25, 2013 7:20 PM
> > To: openstack-infra at lists.openstack.org
> > Subject: Re: [OpenStack-Infra] On being an OpenID consumer instead of an
> > OpenID
> > producer.
> >
> > On 2013-09-24 16:39:44 -0700 (-0700), Ryan Lane wrote:
> > [...]
> > > If every application is provider agnostic each one of them will have
> > > their own OpenID consumer interface. This means it's necessary to make
> > > all of them look the same, which requires modifying a lot of
> > > applications. Adding different auth mechanisms (like persona) means
> > > adding it to every single application, too.
> > [...]
> >
> > This reminds me of yet another point in favor of centralization. We want
> to
> > be able to
> > correlate information between a user's account in various distributed
> > systems where
> > there is currently no cross-system index mapping them to one another. If
> all
> > of them use
> > a common OpenID provider then we can key on that, but if they're
> > provider-agnostic
> > then at least some subset of users will authenticate to systems with more
> > than one
> > (potentially to different systems with different providers).
> >
> > Also not mentioned yet in these threads, but one the reasons it was
> > suggested to run
> > our own provider is that we have some services which are not "Web apps"
> (so
> > not well-
> > suited to OpenID), and we'd like to be able to tie other auth protocols
> into
> > the same
> > backend eventually to support those systems as well.
> > --
> > Jeremy Stanley
> >
> > _______________________________________________
> > OpenStack-Infra mailing list
> > OpenStack-Infra at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
>
> _______________________________________________
> OpenStack-Infra mailing list
> OpenStack-Infra at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-infra/attachments/20130926/800d1902/attachment.html>
More information about the OpenStack-Infra
mailing list