[Python-Dev] Offtopic: OpenID Providers
Toshio Kuratomi
a.badger at gmail.com
Mon Sep 9 19:39:11 CEST 2013
On Thu, Sep 5, 2013 at 6:09 PM, Stephen J. Turnbull <stephen at xemacs.org> wrote:
> Barry Warsaw writes:
> > We're open source, and I think it benefits our mission to support open,
> > decentralized, and free systems like OpenID and Persona.
>
> Thus speaks an employee of yet another Provider-That-Won't-Accept-My-
> Third-Party-Credentials. Sorry, Barry, but you see the problem:
> Unfortunately, we can't do it alone. What needs to happen is there
> needs to be a large network of sites that support login via O-D-F
> systems like OpenID and Persona. Too many of the sites I use (news
> sources, GMail, etc) don't support them and my browser manages my
> logins to most of them, so why bother learning OpenID, and then
> setting it up site by site?
>
[snipped lots of observations that I generally agree with]
There's been a lot of negativity towards OpenID in this thread -- I'd
like to say that in Fedora Infrastructure we've found OpenID to be
very very good -- but not at addressing the problem that most people
are after here. As you've observed being an OpenID provider is a
relatively easy to swallow proposition; accepting OpenID from third
parties is another thing entirely. As you've also observed, this has
to do with trust. A site can trust their own account system and
practices and issue OpenID based on those. It is much riskier for the
site to trust someone else's account system and practices when
deciding whether a user is actually the owner of the account that they
claim.
So OpenID fails as a truly generic SSO method across sites on the
internet... what have we found it good for then? SSO within our site.
More and more apps support OpenID out of the box. Many web
frameworks have modules for the code you write to authenticate against
an OpenID server. A site configures these apps and modules to only
trust the site's OpenID service and then deploys them with less custom
code. Sites also get a choice about how much risk they consider
compromised accounts to pose to a particular application. If they run a web
forum and a build system for instance, they might constrain the build
system to only their OpenID service but allow the forum to accept
OpenID from other providers. And finally, having an OpenID service
lets their users sign into more trusting sites like python.org
properties (unlike say, LDAP) :-)
-Toshio
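The per-application trust split described in the post above (a build system that accepts only the site's own OpenID provider, a forum that accepts any provider) can be expressed as a relying-party policy check. The following is an added example, not code from the post or from Fedora Infrastructure; the provider endpoint `id.example.org`, the application names and the policy layout are assumptions. The check is meant to run after the relying-party library has completed discovery and verified the assertion signature: it decides only whether the discovered provider endpoint is one this application is willing to trust, and fails closed for anything it does not recognize.

```python
"""Per-application OpenID provider trust policy (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical site-local OpenID provider endpoint (assumption, not a real one).
SITE_PROVIDER = "https://id.example.org/openid/"


@dataclass(frozen=True)
class TrustPolicy:
    """Which OpenID provider endpoints an application accepts assertions from."""
    name: str
    # None means "any provider"; otherwise an explicit allowlist of hostnames.
    allowed_hosts: Optional[FrozenSet[str]]
    # Refuse plaintext endpoints even for apps that accept any provider.
    require_https: bool = True


def _split_endpoint(endpoint: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, hostname), lower-cased, or None if the URL is unusable."""
    parts = urlsplit(endpoint)
    if not parts.scheme or not parts.hostname:
        return None
    return parts.scheme.lower(), parts.hostname.lower()


def provider_allowed(policy: TrustPolicy, op_endpoint: str) -> bool:
    """Apply one application's policy to a discovered provider endpoint."""
    parsed = _split_endpoint(op_endpoint)
    if parsed is None:
        return False
    scheme, host = parsed
    if policy.require_https and scheme != "https":
        return False
    if policy.allowed_hosts is None:
        return True
    return host in policy.allowed_hosts


# Hostname of the site's own provider, derived once from SITE_PROVIDER.
SITE_HOST = urlsplit(SITE_PROVIDER).hostname

# Constructed policy table: high-value app pinned to the site provider,
# low-value app open to third-party providers.
POLICIES = {
    "build-system": TrustPolicy("build-system", frozenset({SITE_HOST})),
    "forum": TrustPolicy("forum", None),
}


def accept_assertion(app: str, op_endpoint: str) -> bool:
    """True if `app` trusts a signature-verified assertion from `op_endpoint`.

    Unknown applications get no policy and are therefore refused (fail closed).
    """
    policy = POLICIES.get(app)
    if policy is None:
        return False
    return provider_allowed(policy, op_endpoint)


if __name__ == "__main__":
    for app, endpoint in [
        ("build-system", SITE_PROVIDER),
        ("build-system", "https://openid.other.example/"),
        ("forum", "https://openid.other.example/"),
        ("forum", "http://openid.other.example/"),
    ]:
        print(app, endpoint, "->", "accept" if accept_assertion(app, endpoint) else "reject")
```

The allowlist is keyed on the provider endpoint rather than on the claimed identifier, because in OpenID 2.0 the identifier is whatever the user typed and the endpoint is what discovery actually resolved it to; pinning the endpoint is what stops a build system from being reachable through an arbitrary third-party provider while leaving the forum open.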