[PLIP-Advisories] [Plone development workspace] #10687: Plone OpenID Federated Login
Change notifications for Plone PLIPs on Trac.
plone-plip-advisories at lists.plone.org
Tue Jan 24 01:54:00 UTC 2012
#10687: Plone OpenID Federated Login
----------------------------+----------------------
 Reporter:  cwarner         |       Owner:
     Type:  PLIP            |      Status:  closed
 Priority:  minor           |   Milestone:  4.3
Component:  OpenID support  |  Resolution:  wontfix
 Keywords:  openid login    |
----------------------------+----------------------

Comment (by cwarner):

I'd like to leave this ticket closed but leave some commentary as I have
some time to backtrack here and talk about this sensibly. Working on this
implementation has led to several findings that I will leave here in case
anyone thinks about doing this again. To be short, you should never do
this. The implementation works but it's not recommended. There are several
problems with OpenID all around I have found in regards to usability and
management that would cause more problems than it is worth. Making it
easier to use the OpenID is not the problem, but it's with OpenID itself.
In fact, sadly, my opinions of OpenID have changed from something that is
useful to something that in practice is tragically flawed. In this case
specifically both for Plone users and administrators.

1. The use case scenario as outlined in the video works up until you
need to do anything with user management. For instance, some of the IDs
for openid cause problems with userid management and URI conversion.

2. There are issues with management of multiple ids or renaming ids for
users and updating their associated content. For instance, a user will use
one openid and immediately decide that they will use another openid to
create content. Either because they don't like their URI display or they
just feel like it (this can be managed via user configlet and oauth 2 but
realistically people aren't managing that data properly on the endpoint
side or they end up wanting to change it). Managing and changing the
owners of this content becomes an issue for the administrator.

3. These major OpenID endpoints just don't seem to be stable for whatever
reason and also operate differently. For instance the AOL endpoint
operates differently than the Google endpoint. This isn't such a big deal
except that in actual practice I've had users create an OpenID with one
service and because an endpoint was down immediately create a different
OpenID. Again, management issues here.

4. It seems a large portion of patrons can't remember what their OpenID
actually is.

There are many more issues involved with it that I can't remember off the
top of my head which is why this should never be put into Plone core and
should be rejected in the future.

These are more user-end problems but if anyone does want to pick this up,
feel free to contact me or post to this ticket.

--
Ticket URL: <http://dev.plone.org/ticket/10687#comment:27>
Plone development workspace <http://dev.plone.org/>
Plone Enterprise Content Management System