[Distutils] Deprecating/Removing OpenID/Google login support for PyPI

Wes Turner wes.turner at gmail.com
Sat Jan 13 13:55:30 EST 2018


python-social-auth supports OAuth 1, OAuth 2, OpenID, SAML with many auth
providers and python frameworks; including Pyramid, BitBucket, Google,
GitHub, GitLab,

https://python-social-auth.readthedocs.io/en/latest/

http://python-social-auth.readthedocs.io/en/latest/backends/

https://github.com/python-social-auth/social-app-pyramid/

There's likely someone with more experience with a different authentication
abstraction API?

https://github.com/uralbash/awesome-pyramid/#authentication lists quite a
few authentication and authorization systems which may also be useful for
implementing TUF?

On Friday, January 12, 2018, Donald Stufft <donald at stufft.io> wrote:

> As folks are likely aware, legacy PyPI currently supports logging in using
> OpenID and Google Auth while Warehouse does not. After much deliberation,
> I’ve decided that Warehouse will not be implementing OpenID or Google
> logins, and once we shut down legacy PyPI, OpenID and Google logins to PyPI
> will no longer be possible.
>
> This decision was made for a few reasons:
>
> * Very few people actually are using OpenID or Google logins as it is. In
> one month we had ~15k logins using the web form, ~5k using basic auth, and
> 62 using Google and 7 using OpenID. This is a several orders of magnitude
> difference.
> * Regardless of how you log into PyPI (Password or Google/OpenID) you’re
> required to have a password added to your account to actually upload
> anything to PyPI. This negates much of the benefit of a federated
> authentication for PyPI as it stands.
> * Keeping these requires ongoing maintenance to deal with any changes in
> the specification or to update as Google deprecates/changes things.
> * Adding support for them to Warehouse requires additional work that could
> better be used elsewhere, where it would have a higher impact.
>
> - Donald