On Tue, Sep 24, 2013 at 3:37 PM, Atwood, Mark <[email protected]> wrote:
> ++ to making openstack.org/profile an OpenID consumer instead of an
> OpenID producer.
>
> I don’t think there are even any good scalable security-audited
> battle-tested general purpose OpenID producers. We would have to write one
> from scratch, or take one of the half-done ones and hack on it a great deal
> to make it fit, and then survive being p0wned over and over as we battle
> harden it.
>
> OTOH, there are a lot of good open source implementations of OpenID
> consumer code out there.

It's actually the opposite of how you describe. Writing a good OpenID consumer is hard due to user interface design issues, especially since most people (even most technical people) have no idea how to properly use OpenID. Education efforts have been ongoing for 8 years, so that won't really help either. Making a provider is relatively simple and is a great way of providing SSO for a set of applications you maintain. There are a number of good provider implementations around.

A good way of handling OpenID for our applications would be to make all of the applications use our OpenID provider as a central forced provider, then to work on making the provider allow other forms of authentication, like Persona, or possibly OpenID as a consumer if a usable interface can be made.

OpenID as a consumer of random providers on the internet really kind of sucks. Persona is a much better approach at this (especially from a privacy point of view) and with the bridges they're adding for most large providers it is starting to get to a point of usability.

- Ryan
