[Python-Dev] Offtopic: OpenID Providers

Toshio Kuratomi a.badger at gmail.com
Mon Sep 9 19:39:11 CEST 2013


On Thu, Sep 5, 2013 at 6:09 PM, Stephen J. Turnbull <stephen at xemacs.org> wrote:

Barry Warsaw writes:

> We're open source, and I think it benefits our mission to support open,
> decentralized, and free systems like OpenID and Persona.

Thus speaks an employee of yet another Provider-That-Won't-Accept-My-Third-Party-Credentials. Sorry, Barry, but you see the problem: Unfortunately, we can't do it alone. What needs to happen is there needs to be a large network of sites that support login via O-D-F systems like OpenID and Persona. Too many of the sites I use (news sources, GMail, etc) don't support them and my browser manages my logins to most of them, so why bother learning OpenID, and then setting it up site by site? [snipped lots of observations that I generally agree with]

There's been a lot of negativity towards OpenID in this thread -- I'd like to say that in Fedora Infrastructure we've found OpenID to be very very good -- but not at addressing the problem that most people are after here. As you've observed, being an OpenID provider is a relatively easy-to-swallow proposition; accepting OpenID from third parties is another thing entirely. As you've also observed, this has to do with trust. A site can trust its own account system and practices and issue OpenID based on those. It is much riskier for the site to trust someone else's account system and practices when deciding whether a user is actually the owner of the account that they claim.

So OpenID fails as a truly generic SSO method across sites on the internet... what have we found it good for then? SSO within our site. More and more apps support OpenID out of the box. Many web frameworks have modules for the code you write to authenticate against an OpenID server. A site configures these apps and modules to only trust the site's OpenID service and then deploys them with less custom code. Sites also get a choice about how much risk compromised accounts pose to a particular application. If they run a web forum and a build system for instance, they might constrain the build system to only their OpenID service but allow the forum to accept OpenID from other providers. And finally, having an OpenID service lets their users sign into more trusting sites like python.org properties (unlike say, LDAP) :-)

-Toshio
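The per-application provider trust described above (build system accepts only the site's own OP, forum accepts any OP) can be expressed as a relying-party policy check. The following is an added example, not Fedora Infrastructure's or python.org's code: the endpoint URL `https://id.example.org/openid/`, the application names `buildsys` and `forum`, and the function names are all made up for illustration. The security-relevant detail is that the decision is made on the canonicalised OP endpoint that will sign the assertion, never on the user-typed claimed identifier, and that host comparison is exact so that `id.example.org.attacker.test` or `id.example.org@attacker.test` cannot pass.

```python
"""Per-application OpenID provider trust policy for a relying party.

Added illustration only; not the code of any project mentioned on the
page. The OP endpoint URL and application names below are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed: the site's own OpenID provider endpoint (hypothetical URL).
SITE_OP_ENDPOINT = "https://id.example.org/openid/"

# Sentinel meaning "any OP is acceptable, provided its assertion verifies".
ANY_PROVIDER = object()

# Constructed policy: the build system trusts only the site's OP; the forum
# accepts any OP. Applications not listed here are denied by default.
TRUST_POLICY = {
    "buildsys": frozenset({SITE_OP_ENDPOINT}),
    "forum": ANY_PROVIDER,
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_op_endpoint(url):
    """Canonicalise an OP endpoint URL so that policy comparison is exact.

    Lower-cases scheme and host, drops userinfo, drops the default port,
    drops the fragment, and rejects anything that is not http(s) or has
    no host. Returns None for URLs that cannot be normalised.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname  # lower-cased by urlsplit; userinfo already stripped
    if scheme not in DEFAULT_PORTS or not host:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def provider_trusted(app, op_endpoint):
    """Decide whether `app` accepts assertions signed by `op_endpoint`."""
    allowed = TRUST_POLICY.get(app)
    if allowed is None:
        return False  # unknown application: deny by default
    canonical = normalize_op_endpoint(op_endpoint)
    if canonical is None:
        return False
    if allowed is ANY_PROVIDER:
        return canonical.startswith("https://")  # open policy, but TLS only
    return canonical in {normalize_op_endpoint(u) for u in allowed}


def check_assertion(app, fields):
    """Apply the policy to the openid.* fields of a positive assertion.

    The decision is made on openid.op_endpoint, the server whose signature
    the OpenID library will verify, never on openid.claimed_id, which the
    user chose. This complements signature and discovery verification; it
    does not replace them.
    """
    if fields.get("openid.mode") != "id_res":
        return False
    op = fields.get("openid.op_endpoint")
    if not op:
        return False
    return provider_trusted(app, op)


if __name__ == "__main__":
    # Constructed assertion fields, as a relying party would receive them.
    good = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://id.example.org:443/openid/",
        "openid.claimed_id": "https://id.example.org/id/someone",
    }
    bad = dict(good, **{"openid.op_endpoint": "https://id.example.org.attacker.test/openid/"})
    print("buildsys, own OP:", check_assertion("buildsys", good))
    print("buildsys, look-alike OP:", check_assertion("buildsys", bad))
    print("forum, look-alike OP:", check_assertion("forum", bad))
```

This check is a policy layer only: the OpenID library in use still has to verify the assertion's signature with the OP named in `openid.op_endpoint` and confirm that this endpoint is the one discovered for the claimed identifier, as OpenID 2.0 requires. Deny-by-default for unlisted applications is deliberate, so that a newly deployed app does not silently inherit the forum's open policy.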


