[Catalog-sig] OpenID login to PyPI

"Martin v. Löwis" martin at v.loewis.de
Mon Nov 16 23:07:48 CET 2009

>> Unfortunately, at the same time, I'm skeptical that OpenID can really
>> deliver here. For example, I see little chance that distutils could
>> provide reasonable access to PyPI using OpenID, as OpenID is fairly
>> bound to be run in a web browser only. So ISTM that package owners
>> will have to set (and remember) a password, anyway, unless they always
>> add new releases through the web interface.
> If username/password authentication will always need to be allowed on
> PyPI, what is the rationale for placing the current limitations on the
> OpenID support?  Or are you still undecided about whether
> username/password authentication will indeed always be supported?

I certainly don't know what always will be.

As I'm not sure which specific restriction you refer to, in order:

- [must be in wide use, using procedures that the community trusts]
  This is necessary to be able to trust the registry information,
  see below.
- [must support OpenID 2.0]
  This is because that's all that the implementation supports.
- [must support provider-driven identifier selection]
  This is because I want to avoid ugly login boxes in the UI,
  and avoid having users type in their OpenID.
- [must provide a validated email address, either through AX or SREG]
  This is because I want to be able to trust the user interface,
  and avoid the email verification roundtrip (sparing both myself
  the implementation of it, and the user access to his email address
  at the time of registration)
- [must support direct communication over https]
  This is because I didn't implement DH associations.
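The requirements listed above can be enforced on the relying-party side when the OpenID 2.0 positive assertion comes back. The following is an added illustration, not code from the post or from PyPI: it parses an id_res response and checks the OpenID 2.0 namespace, an https OP endpoint on a constructed trusted-provider allowlist (`TRUSTED_OP_ENDPOINTS` is an assumption), and an email delivered via AX or SREG that is actually covered by `openid.signed`; signature verification itself is assumed to happen separately and is not shown.

```python
from urllib.parse import parse_qsl, urlparse

OPENID2_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
# Constructed allowlist standing in for "providers in wide use that the community trusts".
TRUSTED_OP_ENDPOINTS = {"https://op.example.org/server"}
# Fields the OpenID 2.0 spec requires to be covered by openid.sig in a positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}

def alias_for(params, ns_uri):
    """Return the extension alias bound to ns_uri via openid.ns.<alias>, or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            return key[len("openid.ns."):]
    return None

def find_email_field(params):
    """Locate the email in an AX (preferred) or SREG response; return (key, value) or None."""
    ax = alias_for(params, AX_NS)
    for key, value in params.items():
        if ax and key.startswith(f"openid.{ax}.type.") and value == AX_EMAIL:
            value_key = f"openid.{ax}.value." + key.rsplit(".", 1)[1]
            if value_key in params:
                return value_key, params[value_key]
    sreg = alias_for(params, SREG_NS)
    if sreg and f"openid.{sreg}.email" in params:
        return f"openid.{sreg}.email", params[f"openid.{sreg}.email"]
    return None

def check_assertion(query_string):
    """Apply the policy checks to an id_res response; return the email or raise ValueError."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    endpoint = params.get("openid.op_endpoint", "")
    if urlparse(endpoint).scheme != "https":
        raise ValueError("OP endpoint must be https (direct verification without DH)")
    if endpoint not in TRUSTED_OP_ENDPOINTS:
        raise ValueError("provider not on the trusted list")
    signed = set(params.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        raise ValueError("required fields missing from openid.signed")
    found = find_email_field(params)
    if found is None:
        raise ValueError("provider returned no email via AX or SREG")
    key, email = found
    if key[len("openid."):] not in signed or "@" not in email:
        raise ValueError("email field is unsigned or malformed")
    return email
```

An email that the provider appends outside the signed field list is rejected, which is what makes skipping the verification round-trip defensible.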
