I should give a good warning for any implementation: make the user's ID their local identifier and have usernames delegate to their identifier. Otherwise you run into a security issue with renaming users: fallenpegasus requests a rename, then a new user takes fallenpegasus, thereby stealing their identity on sites registered with https://id.openstack.org/~fallenpegasus.
It's also not a bad idea to version the openid urls, like: https://id.openstack.org/v1/<id> where https://id.openstack.org/~fallenpegasus -> https://id.openstack.org/v1/1 assuming ~fallenpegasus's ID is 1. This makes it possible to change URL schemes in the future while still keeping backwards compatibility for older names.

On Thu, Sep 26, 2013 at 2:40 PM, Atwood, Mark <[email protected]> wrote:
> Hmm, ok. I am painfully about convinced that a centralized auth solution is the right choice for us.
>
> While I'm wishing for a pony:
>
> First of all and most of all, I want the whole thing to be open source, and managed via the OpenStack infra review process, just like the rest of the stuff managed by Monty's team.
>
> I want it to have a web UI with a URL like https://id.openstack.org/~fallenpegasus so I can see someone's
> name,
> email addresses,
> Gravatar photograph,
> when did they join the foundation,
> are they (board, TC, PTL, Core (of which teams)) and since when,
> project participation history,
> IRC handles,
> XMPP ids,
> PGP key fingerprints,
> social media URLs,
> Launchpad id,
> GitHub id,
> and Ohloh account.
>
> I want it to have, via some API, all the employer history tracking that is currently contained and duplicated in various data files in the gitdm project and stackalytics project.
>
> I want it to do LDAP, vCard, and PoCo, and make all that data I wished for the past few paragraphs available over those APIs.
>
> I want it to do OpenID and OpenID Connect (for the web apps), and a good backend to SASL (for the non-web apps).
>
> And I want it to support standard OATH TOTP 2-factor auth.
>
> AND
>
> And I want world peace.
>
> :)
>
> ..m
>
> Mark Atwood <[email protected]>
> Director of Open Source Engagement for HP Cloud Services
> M +1-206-473-7118
>
>
> > -----Original Message-----
> > From: Jeremy Stanley [mailto:[email protected]]
> > Sent: Wednesday, September 25, 2013 7:20 PM
> > To: [email protected]
> > Subject: Re: [OpenStack-Infra] On being an OpenID consumer instead of an OpenID producer.
> >
> > On 2013-09-24 16:39:44 -0700 (-0700), Ryan Lane wrote:
> > [...]
> > > If every application is provider agnostic each one of them will have their own OpenID consumer interface. This means it's necessary to make all of them look the same, which requires modifying a lot of applications. Adding different auth mechanisms (like persona) means adding it to every single application, too.
> > [...]
> >
> > This reminds me of yet another point in favor of centralization. We want to be able to correlate information between a user's account in various distributed systems where there is currently no cross-system index mapping them to one another. If all of them use a common OpenID provider then we can key on that, but if they're provider-agnostic then at least some subset of users will authenticate to systems with more than one (potentially to different systems with different providers).
> >
> > Also not mentioned yet in these threads, but one of the reasons it was suggested to run our own provider is that we have some services which are not "Web apps" (so not well-suited to OpenID), and we'd like to be able to tie other auth protocols into the same backend eventually to support those systems as well.
> > --
> > Jeremy Stanley
> >
> > _______________________________________________
> > OpenStack-Infra mailing list
> > [email protected]
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
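Added example, not code from this thread or from the OpenStack infra project: a toy model of the scheme proposed at the top of this message, where the username URL delegates (via an OpenID 2.0 `openid2.local_id` link) to a versioned numeric-id URL, and a relying party keys its accounts on the discovered stable identifier rather than on the username URL the user typed. The `Directory`, `discover` and `RelyingParty` pieces and the relying-party keying rule are assumptions; only the host and the `/~name` and `/v1/<id>` URL shapes come from the message.

```python
# Added example (not from the thread or OpenStack infra); directory, discovery and RP logic are assumptions.
BASE = "https://id.openstack.org"

class Directory:
    # Provider state: immutable numeric ids, renameable usernames.
    def __init__(self):
        self.username_of = {}  # numeric id -> current username
        self.id_of = {}        # current username -> numeric id

    def create(self, username):
        uid = len(self.username_of) + 1
        self.username_of[uid] = username
        self.id_of[username] = uid
        return uid

    def rename(self, old, new):
        uid = self.id_of.pop(old)
        self.username_of[uid] = new
        self.id_of[new] = uid

    def delegation_html(self, username):
        # Page served at /~username: it delegates to the versioned id URL.
        local = f"{BASE}/v1/{self.id_of[username]}"
        return (f'<link rel="openid2.provider" href="{BASE}/openid">\n'
                f'<link rel="openid2.local_id" href="{local}">')

def discover(directory, vanity_url):
    # Minimal discovery: read the openid2.local_id link off the vanity page.
    html = directory.delegation_html(vanity_url.rsplit("/~", 1)[1])
    marker = 'rel="openid2.local_id" href="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]

class RelyingParty:
    # Keys accounts on the discovered stable identifier, not the vanity URL.
    def __init__(self, directory):
        self.directory, self.accounts = directory, {}

    def login(self, vanity_url):
        key = discover(self.directory, vanity_url)
        return self.accounts.setdefault(key, {"first_seen_as": vanity_url})

def rename_scenario():
    d = Directory()
    d.create("fallenpegasus")                   # becomes /v1/1
    rp = RelyingParty(d)
    original = rp.login(f"{BASE}/~fallenpegasus")
    d.rename("fallenpegasus", "mark")           # user 1 picks a new name
    d.create("fallenpegasus")                   # newcomer takes the freed name, /v1/2
    return original is rp.login(f"{BASE}/~fallenpegasus")  # False: separate accounts
```

`rename_scenario()` returns `False` because the two logins resolve to `/v1/1` and `/v1/2`; a relying party that keyed on `/~fallenpegasus` instead would have handed the newcomer the original user's account.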
