[Catalog-sig] PyPI as an OpenID provider

"Martin v. Löwis" martin at v.loewis.de
Mon Nov 21 22:52:42 CET 2011


Thanks to Mark Rees, PyPI is now an OpenID provider. I fixed
a few remaining issues, so I'm now able to announce this as
an experimental service. "Experimental" here means that we
wait a few months to see whether serious problems show up
that may cause us to revert the service or change the URL
schemes. We certainly hope that this won't be necessary.

To use this OpenID provider, enter "pypi.python.org/id" into
any form that expects an OpenID. Should the service not support
OpenID 2, you will have to enter "pypi.python.org/id/<username>"
instead (the former is the provider ID, the latter are the user
IDs).

We follow the emerging approach that you have to sign into
PyPI *before* signing into the actual services. This is intended
to prevent phishing, as otherwise the relying party may fake
PyPI's login page and collect your PyPI password (which they can
still do if you fall for it). It also avoids "nested" logins
(i.e. where you need to log into PyPI with an OpenID while trying
to log in elsewhere with the PyPI id).

If you find any problems with this service, please report them
here or to the PyPI bug tracker. A few success reports are also
appreciated.

Regards,
Martin
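
Added example, not part of the original message and not PyPI's own code: one way a relying party could normalize the two identifier forms given above (OpenID 2.0, section 7.2) and tell the provider ID from a user ID by comparing the parsed authority rather than a string prefix. The function names are hypothetical, the host and path are taken from the message, and XRI identifiers are out of scope.

```python
from urllib.parse import urlsplit, urlunsplit

# Host and path come from the two forms quoted in the message; treating them
# as fixed constants is an assumption of this example.
PYPI_HOST = "pypi.python.org"
ID_PATH = "/id"
XRI_PREFIXES = "=@+$!("  # XRI global context symbols, OpenID 2.0 section 7.2


def normalize(user_input):
    """Normalize a user-supplied URL identifier (OpenID 2.0, section 7.2)."""
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_PREFIXES:
        raise ValueError("XRI identifiers are out of scope for this example")
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s  # the spec's default when no scheme was typed
    parts = urlsplit(s)
    # Lowercase scheme and authority, drop the fragment, keep path and query.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def classify(user_input):
    """Return ("provider", None), ("user", name) or ("foreign", None)."""
    parts = urlsplit(normalize(user_input))
    # Compare the whole authority: userinfo, an explicit port or a
    # look-alike suffix all make it differ from the expected host.
    if parts.netloc != PYPI_HOST:
        return ("foreign", None)
    path = parts.path.rstrip("/")
    if path == ID_PATH:
        return ("provider", None)
    if path.startswith(ID_PATH + "/"):
        name = path[len(ID_PATH) + 1:]
        if "/" not in name and name not in ("", ".", ".."):
            return ("user", name)
    return ("foreign", None)


if __name__ == "__main__":
    for sample in ("pypi.python.org/id", "pypi.python.org/id/alice",
                   "pypi.python.org.example.net/id/alice"):  # constructed inputs
        print(sample, "->", classify(sample))
```

This only classifies what the user typed; the relying party still has to perform discovery and verify the assertion it receives as the OpenID 2.0 specification requires.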

