[Catalog-sig] OpenID login to PyPI

"Martin v. Löwis" martin at v.loewis.de
Wed Nov 18 06:46:43 CET 2009

>> The problem I have with this (and also partially with python-openid) is
>> that I don't know how to integrate it with the existing application. How
>> is the module supposed to know what PyPI accounts are, and how they
>> relate to existing IDs, and what postgres database and table this
>> information is to be stored in?
> Since OpenID is an authentication solution, you should probably just accept 
> the claimed identity as the username.

It can't work that way, and shouldn't. First, OpenID defines the Simple
Registration extensions (SREG) to explicitly cover a nickname, and also
provide an email address. Whether or not I trust these data - at a
minimum, I should use them - that's what OpenID users expect to happen.
I see that mod_auth_openid has some support for AX (a similar protocol)
since 0.3, and that may also support SREG, but again, I'm unsure how to
use it.

In addition, existing users will expect to be able to use OpenID, and
will expect to be able to map OpenIDs to existing accounts.

> In fact, mod_auth_openid provides this as the REMOTE_USER CGI
> environment variable.

That can work for logins, but not for registrations.
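
The account mapping discussed in this message, sketched as an added example that is not part of the original post and is not PyPI's code. The table layout, function names, the in-memory SQLite database (standing in for the postgres database) and the `sreg` dict of already-parsed SREG fields are all assumptions; `claimed_id` is the verified identifier such as the value mod_auth_openid puts in REMOTE_USER.

```python
import sqlite3

def open_db():
    # Hypothetical schema: local accounts plus a separate OpenID -> account map.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT);
        CREATE TABLE openids (claimed_id TEXT PRIMARY KEY,
                              name TEXT NOT NULL REFERENCES users(name));
    """)
    return db

def login(db, claimed_id):
    """Return the local account bound to a verified claimed ID, or None."""
    row = db.execute("SELECT name FROM openids WHERE claimed_id = ?",
                     (claimed_id,)).fetchone()
    return row[0] if row else None

def link(db, session_user, claimed_id):
    """Bind a verified claimed ID to the account that is already logged in."""
    if login(db, claimed_id) is not None:
        raise ValueError("OpenID already bound to an account")
    db.execute("INSERT INTO openids VALUES (?, ?)", (claimed_id, session_user))

def register(db, claimed_id, sreg):
    """Create a new account. SREG values are suggestions, never proof of
    ownership, so a nickname that matches an existing account is refused
    rather than treated as a login to that account."""
    if login(db, claimed_id) is not None:
        raise ValueError("OpenID already registered")
    nick = (sreg.get("nickname") or "").strip()
    if not nick:
        raise ValueError("no nickname supplied; ask the user for one")
    if db.execute("SELECT 1 FROM users WHERE name = ?", (nick,)).fetchone():
        raise ValueError("nickname taken; ask the user for another")
    db.execute("INSERT INTO users VALUES (?, ?)", (nick, sreg.get("email")))
    db.execute("INSERT INTO openids VALUES (?, ?)", (claimed_id, nick))
    return nick

if __name__ == "__main__":
    db = open_db()
    # Constructed sample data: one pre-existing account and example identifiers.
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.org')")
    link(db, "alice", "https://alice.example/")
    print(login(db, "https://alice.example/"))
    print(register(db, "https://bob.example/", {"nickname": "bob"}))
```
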

