[PLIP-Advisories] [Plone development workspace] #10687: Plone OpenID Federated Login

Change notifications for Plone PLIPs on Trac. plone-plip-advisories at lists.plone.org
Tue Jan 24 01:54:00 UTC 2012


#10687: Plone OpenID Federated Login
----------------------------+----------------------
 Reporter:  cwarner         |       Owner:
     Type:  PLIP            |      Status:  closed
 Priority:  minor           |   Milestone:  4.3
Component:  OpenID support  |  Resolution:  wontfix
 Keywords:  openid login    |
----------------------------+----------------------

Comment (by cwarner):

 I'd like to leave this ticket closed but leave some commentary as I have
 some time to backtrack here and talk about this sensibly. Working on this
 implementation has led to several findings that I will leave here in case
 anyone thinks about doing this again. To be short, you should never do
 this. The implementation works but it's not recommended. There are several
 problems with OpenID all around I have found in regards to usability and
 management that would cause more problems than it is worth. Making it
 easier to use the OpenID is not the problem, but it's with OpenID itself.
 In fact, sadly, my opinions of OpenID have changed from something that is
 useful to something that in practice is tragically flawed. In this case
 specifically both for Plone users and administrators.

 1. The use case scenario as outlined in the video works up and until you
 need to do anything with user management. For instance, some of the IDs
 for OpenID cause problems with userid management and URI conversion.
 2. There are issues with management of multiple ids or renaming ids for
 users and updating their associated content. For instance, a user will use
 one openid and immediately decide that they will use another openid to
 create content. Either because they don't like their URI display or they
 just feel like it (this can be managed via user configlet and oauth 2 but
 realistically people aren't managing that data properly on the endpoint
 side or they end up wanting to change it). Managing and changing the
 owners of this content becomes an issue for the administrator.
 3. These major OpenID endpoints just don't seem to be stable for whatever
 reason and also operate differently. For instance the AOL endpoint
 operates differently than the Google endpoint. This isn't such a big deal
 except that in actual practice I've had users create an OpenID with one
 service and because an endpoint was down immediately create a different
 OpenID. Again, management issues here.
 4. It seems a large portion of patrons can't remember what their OpenID
 actually is.

 There are many more issues involved with it that I can't remember off the
 top of my head which is why this should never be put into Plone core and
 should be rejected in the future.

 These are more user-end problems but if anyone does want to pick this up,
 feel free to contact me or post to this ticket.

-- 
Ticket URL: <http://dev.plone.org/ticket/10687#comment:27>
Plone development workspace <http://dev.plone.org/>
Plone Enterprise Content Management System