Rick Denatale wrote:
> On Sat, Jan 9, 2010 at 5:32 AM, Audrey A Lee 
> <[email protected]> wrote:
>>  - "Vanilla" password based authentication
>> and forget if they were using a password or OpenID.
>>
>> So my question is, do you know of any projects or Rails starter kits
>> which implement OpenID-only authentication?
> 
> No I don't.  And I believe that the openid advocates don't recommend 
> this.

I don't know about other OpenID advocates, but this is not exactly my 
recommendation.

> The problem is that if the user's open id server is unavailable for
> whatever reason, he/she can't log in.

I think the more likely case is that your own web site will be 
unavailable far more often than any OpenID provider's. I just don't 
think this is a particularly valid argument.

> Providing a password option for authentications is the openid
> equivalent of a 'forgot my password' mechanism.

I can't see how these two are related in any way. They are completely 
different forms of authentication.

I personally think that developers provide the choice because most 
"regular users" don't really understand the advantage of OpenID. Trying 
to explain it to them might be more trouble than it's worth. Most people 
are just so accustomed to username and password that any deviation from 
that mechanism might be too confusing for them.

For the OP:

> So, I want to make it easy for them.  They use OpenID or nothing.
> Actually, I want to make it even simpler: Yahoo-OpenID or nothing.

While I believe that providing an OpenID-only solution is workable, I 
would be very much against forcing them to use a particular OpenID 
provider. I personally use VeriSign as my provider. Mostly because I 
trust their security, and I have set up multi-factor authentication using 
their provided iPhone app.

Forcing users into a particular OpenID provider defeats one of the major 
advantages of the OpenID system. If you're going to push authentication 
to a third-party, that's great, but let the users choose whomever they 
want as that third-party.

Another advantage of OpenID is that a web site can avoid having to store 
any sensitive information at all. I am currently developing a web site 
for a local developer's group. I have also chosen to use OpenID only for 
authentication. My reason for doing so is to avoid the need for adding 
(and paying for) an SSL certificate. I don't like the idea of accepting 
users' passwords in the clear. The only ways to avoid that are either to buy 
an SSL certificate or to use OpenID only. I've chosen the latter because of 
the many advantages it provides. I no longer need an SSL certificate, 
I'm not storing any sensitive information at all, and my users will be 
able to share their OpenID with any other sites that support it.
-- 
Posted via http://www.ruby-forum.com/.
-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.