Deprecating/Removing OpenID/Google login support for PyPI
As folks are likely aware, legacy PyPI currently supports logging in using OpenID and Google Auth while Warehouse does not. After much deliberation, I’ve decided that Warehouse will not be implementing OpenID or Google logins, and once we shut down legacy PyPI, OpenID and Google logins to PyPI will no longer be possible.

This decision was made for a few reasons:

* Very few people actually are using OpenID or Google logins as it is. In one month we had ~15k logins using the web form, ~5k using basic auth, and 62 using Google and 7 using OpenID. This is a several orders of magnitude difference.
* Regardless of how you log into PyPI (Password or Google/OpenID) you’re required to have a password added to your account to actually upload anything to PyPI. This negates much of the benefit of a federated authentication for PyPI as it stands.
* Keeping these requires ongoing maintenance to deal with any changes in the specification or to update as Google deprecates/changes things.
* Adding support for them to Warehouse requires additional work that could better be used elsewhere, where it would have a higher impact.

- Donald
* Very few people actually are using OpenID or Google logins as it is. In one month we had ~15k logins using the web form, ~5k using basic auth, and 62 using Google and 7 using OpenID. This is a several orders of magnitude difference.
Not opposed to OpenID/Google-ID removal, but I would love to login-with-google, though because I already have an account (and can't associate my Google account with the PyPI one) I'm not using login with Google. Also it did not work for as long as I can remember. So the low number of people actually _using_ it might not reflect people who would like to use it. Maybe look at the number of people trying and failing?
--
M
On 12 January 2018 at 21:51, Donald Stufft wrote:
As folks are likely aware, legacy PyPI currently supports logging in using OpenID and Google Auth while Warehouse does not. After much deliberation, I’ve decided that Warehouse will not be implementing OpenID or Google logins, and once we shut down legacy PyPI, OpenID and Google logins to PyPI will no longer be possible.

This decision was made for a few reasons:

* Very few people actually are using OpenID or Google logins as it is. In one month we had ~15k logins using the web form, ~5k using basic auth, and 62 using Google and 7 using OpenID. This is a several orders of magnitude difference.
* Regardless of how you log into PyPI (Password or Google/OpenID) you’re required to have a password added to your account to actually upload anything to PyPI. This negates much of the benefit of a federated authentication for PyPI as it stands.
* Keeping these requires ongoing maintenance to deal with any changes in the specification or to update as Google deprecates/changes things.
* Adding support for them to Warehouse requires additional work that could better be used elsewhere, where it would have a higher impact.

- Donald

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
On Sat, Jan 13, 2018, at 6:39 PM, Matthias Bussonnier wrote:
Not opposed to OpenID/Google-ID removal, but I would love to login-with-google, though because I already have an account (and can't associate my Google account with the PyPI one) I'm not using login with Google. Also it did not work for as long as I can remember. So the low number of people actually _using_ it might not reflect people who would like to use it. Maybe look at the number of people trying and failing?

On the other hand, I created my account using OpenID years ago, and now I always log in with a password. Based on the numbers Donald gave, I don't think it's worth spending more time investigating the demand. If there really is demand, people will make it known on issues etc., and it could be considered for Warehouse further down the line. For now, passwords are working, and there are more important things to build and maintain.

Thomas
On 14 January 2018 at 04:59, Thomas Kluyver wrote:
Based on the numbers Donald gave, I don't think it's worth spending more time investigating the demand. If there really is demand, people will make it known on issues etc., and it could be considered for Warehouse further down the line. For now, passwords are working, and there are more important things to build and maintain.
Something else I'll note here is that there are a few things we want to explore post-Warehouse migration that require PyPI to serve as its own identity provider:

- two-factor authentication support
- orgs, teams, and role-based access control
- revocable CLI (and other app) token support

Adding back social auth some time post-migration will likely still be an option (similar to the way Atlassian allow social auth logins to establish and authenticate for BitBucket accounts); it would just be lower priority than the above (and leaving it out for the time being should simplify the development of the above capabilities).

Cheers,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
On Sat, Jan 13, 2018 at 10:39 AM, Matthias Bussonnier <bussonniermatthias@gmail.com> wrote:
* Very few people actually are using OpenID or Google logins as it is. In one month we had ~15k logins using the web form, ~5k using basic auth, and 62 using Google and 7 using OpenID. This is a several orders of magnitude difference.
Not opposed to OpenID/Google-ID removal, but I would love to login-with-google, though because I already have an account (and can't associate my Google account with the PyPI one) I'm not using login with Google. Also it did not work for as long as I can remember. So the low number of people actually _using_ it might not reflect people who would like to use it. Maybe look at the number of people trying and failing?

I also am a user that has always wanted PyPI's OpenID and Google logins to work and has for years never seen them actually work. :-(

-Nathaniel
python-social-auth supports OAuth 1, OAuth 2, OpenID, SAML with many auth providers and Python frameworks, including Pyramid, BitBucket, Google, GitHub, GitLab:

https://python-social-auth.readthedocs.io/en/latest/
http://python-social-auth.readthedocs.io/en/latest/backends/
https://github.com/python-social-auth/social-app-pyramid/

There's likely someone with more experience with a different authentication abstraction API?

https://github.com/uralbash/awesome-pyramid/#authentication lists quite a few authentication and authorization systems which may also be useful for implementing TUF?
On Friday, January 12, 2018, Donald Stufft wrote:
As folks are likely aware, legacy PyPI currently supports logging in using OpenID and Google Auth while Warehouse does not. After much deliberation, I’ve decided that Warehouse will not be implementing OpenID or Google logins, and once we shut down legacy PyPI, OpenID and Google logins to PyPI will no longer be possible.

This decision was made for a few reasons:

* Very few people actually are using OpenID or Google logins as it is. In one month we had ~15k logins using the web form, ~5k using basic auth, and 62 using Google and 7 using OpenID. This is a several orders of magnitude difference.
* Regardless of how you log into PyPI (Password or Google/OpenID) you’re required to have a password added to your account to actually upload anything to PyPI. This negates much of the benefit of a federated authentication for PyPI as it stands.
* Keeping these requires ongoing maintenance to deal with any changes in the specification or to update as Google deprecates/changes things.
* Adding support for them to Warehouse requires additional work that could better be used elsewhere, where it would have a higher impact.
- Donald
On Fri, Jan 12, 2018 at 9:51 PM, Donald Stufft wrote:
As folks are likely aware, legacy PyPI currently supports logging in using OpenID and Google Auth while Warehouse does not. After much deliberation, I’ve decided that Warehouse will not be implementing OpenID or Google logins, and once we shut down legacy PyPI, OpenID and Google logins to PyPI will no longer be possible.

This decision was made for a few reasons:

* Very few people actually are using OpenID or Google logins as it is. In one month we had ~15k logins using the web form, ~5k using basic auth, and 62 using Google and 7 using OpenID. This is a several orders of magnitude difference.

For reference: OpenID has never worked for me and I think content blockers rip out the Google option for me.

* Regardless of how you log into PyPI (Password or Google/OpenID) you’re required to have a password added to your account to actually upload anything to PyPI. This negates much of the benefit of a federated authentication for PyPI as it stands.

OAuth app tokens are a possible way to achieve this as well and might suit various release pipelines better.

* Keeping these requires ongoing maintenance to deal with any changes in the specification or to update as Google deprecates/changes things.
* Adding support for them to Warehouse requires additional work that could better be used elsewhere, where it would have a higher impact.

All that said, +1 for not bothering with it. If it ever is tackled, I'm sure this day and age will bring more, more visible and more direct feedback on it working or not working for users than the previous iteration.

--
Joni Orponen
Donald Stufft wrote:
* Very few people actually are using OpenID or Google logins as it is. In one month we had ~15k logins using the web form, ~5k using basic auth, and 62 using Google and 7 using OpenID. This is a several orders of magnitude difference.
* Regardless of how you log into PyPI (Password or Google/OpenID) you’re required to have a password added to your account to actually upload anything to PyPI. This negates much of the benefit of a federated authentication for PyPI as it stands.
* Keeping these requires ongoing maintenance to deal with any changes in the specification or to update as Google deprecates/changes things.
* Adding support for them to Warehouse requires additional work that could better be used elsewhere, where it would have a higher impact.

I'm one of those 7, but I really can't argue for you to keep supporting it just for *me* :). Have you considered allowing developers to use their GitHub, GitLab, Bitbucket logins? Those three probably cover a large majority of package authors on PyPI. I don't know how hard that would be to support though.

-Barry
participants (8)

- Barry Warsaw
- Donald Stufft
- Joni Orponen
- Matthias Bussonnier
- Nathaniel Manista
- Nick Coghlan
- Thomas Kluyver
- Wes Turner