OpenID Authentication as an Auth Option
Closed, Wontfix (Public)

Description

@phuzion requested OpenID auth, and I see no reason not to support it.

@epriestley said it looks like we could start with this http://gitorious.org/lightopenid/lightopenid/blobs/master/openid.php

No ETA on this, but I think it'd be cool.

Details

Differential Revisions
Restricted Differential Revision

Related Objects

Status: Wontfix | Assigned: codeblock
codeblock triaged this task as Low priority. (Sep 28 2011, 9:24 PM)
codeblock claimed this task.
codeblock added a project: Phabricator.
codeblock added subscribers: codeblock, phuzion, epriestley.
hvaara added a subscriber: hvaara. (Apr 30 2012, 8:48 AM)
codeblock edited this Maniphest Task. (Aug 1 2012, 8:45 PM)
codeblock edited this Maniphest Task. (Jan 4 2013, 1:09 PM)
codeblock lowered the priority of this task from Low to Wishlist. (Jan 4 2013, 1:10 PM)
codeblock removed codeblock as the assignee of this task. (Jan 20 2013, 12:24 AM)

Testing something

Done testing something

epriestley closed this task as Wontfix. (Jun 20 2013, 7:50 PM)

This is now practical, and I built half a version based on D3122, but I'm somewhat disinclined to pursue it further in the upstream. In particular:

  • OpenID is fairly complicated from a server-side point of view. We realistically need a library for it, and although LightOpenID is only about 800 lines long, it has many weird special cases. If there's adoption, I'm worried there will be a significant support cost associated with OpenID, akin to the relatively high support cost we currently bear for LDAP. I don't really want to learn the ins and outs of OpenID in order to support it.
  • Similarly, a lot of what can go wrong with OpenID is very opaque and not necessarily reproducible. I'm worried it will be difficult to debug and support, adding to the cost of all the special casing. If a user tries to log into another provider (other than LDAP) and hits an error I can usually create a similar situation fairly easily, but this might be hard with OpenID.
  • There hasn't been much demand for OpenID, and the future of OpenID is unclear. Of the providers here, we support Google via OAuth already and could add Yahoo OAuth if anyone ever asked for it; the others are mostly either Yahoo properties or essentially unknown/irrelevant.
  • This graph doesn't look too hot: {F46992}
  • Is anyone still backing OpenID? Mozilla seems to be throwing its weight behind Persona, and I feel like everyone else is on OAuth? I haven't seen any new providers announce OpenID recently, and all the tools in this space seem to provide OAuth instead (GitHub, Bitbucket).

I'm not necessarily totally opposed to doing this at some point, but interest seems very low and cost relatively high. This can be built as an extension today, so maybe that's the best route forward? Here's my half-implementation:

{P865}

{P866}

If you dump all that into a library and have Phabricator load it, it will get you sort of half-ish way there.

d2722 is great.

D2722 is an object.

I referenced this recently in conjunction with a request for SAML auth, since many of the same arguments against OpenID apply to SAML. While it's on my mind, two other notes:

  1. We possibly dodged a security bullet by not implementing this, see https://www.facebook.com/BugBounty/posts/778897822124446 (although LightOpenID parses XML with regular expressions and wouldn't have been vulnerable with that specific implementation).
  2. Basecamp implemented (in Jun 2007) and then removed (in May 2011) OpenID support from their product: "The only feature I can think of that we ever removed (I might be wrong) is OpenID, because almost no-one used it and it was really confusing." (see https://news.ycombinator.com/item?id=7183031).
epriestley changed the visibility from "All Users" to "Public (No Login Required)". (May 15 2015, 9:52 PM)
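Picking up the XML-parsing point from the last comment: the linked Facebook Bug Bounty post concerns XML external entity (XXE) handling in an OpenID implementation, which is why a regex-based parser such as LightOpenID's was not exposed to it. The block below is an added example, not Phabricator's or LightOpenID's code, of how a relying party can parse an OpenID 2.0 Yadis/XRDS discovery document defensively: any document carrying a DOCTYPE (the only place entity declarations can live) or exceeding a size cap is refused before the XML parser sees it, and only then are the <Service> entries extracted. The sample documents, the example.net hosts, the "file:///placeholder-path" entity target and the 64 KiB limit are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# XRD namespace used by OpenID 2.0 Yadis discovery documents.
XRD_NS = "xri://$xrd*($v*2.0)"
NS = {"xrd": XRD_NS}

# Any DTD is refused outright: XRDS documents never need one, and a DTD is
# the only place entity declarations (internal or external) can appear.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

# Size cap so a hostile identity provider cannot hand the relying party an
# arbitrarily large document (constructed limit; tune for the deployment).
MAX_XRDS_BYTES = 64 * 1024


class UnsafeXrdsDocument(ValueError):
    """Raised when a discovery document fails the pre-parse checks."""


def parse_xrds_services(document: bytes) -> list:
    """Return the <Service> entries of an XRDS document as plain dicts.

    The document is rejected before the XML parser ever sees it if it carries
    a DOCTYPE or exceeds the size cap. ElementTree is then run on the vetted
    input; with no DTD present there are no entities for it to expand, and it
    fetches no external resources on its own.
    """
    if len(document) > MAX_XRDS_BYTES:
        raise UnsafeXrdsDocument("XRDS document exceeds size limit")
    if _DOCTYPE_RE.search(document):
        raise UnsafeXrdsDocument("DOCTYPE/DTD not permitted in an XRDS document")

    root = ET.fromstring(document)  # raises ParseError on malformed XML
    services = []
    for svc in root.iterfind("xrd:XRD/xrd:Service", NS):
        entry = {
            "priority": int(svc.get("priority", "0")),
            "types": [t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text],
            "uris": [u.text.strip() for u in svc.findall("xrd:URI", NS) if u.text],
        }
        local = svc.find("xrd:LocalID", NS)
        if local is not None and local.text:
            entry["local_id"] = local.text.strip()
        services.append(entry)
    # Lower priority value is preferred under the XRD resolution rules.
    services.sort(key=lambda s: s["priority"])
    return services


def rejects_document(document: bytes) -> bool:
    """True when the pre-parse checks refuse the document."""
    try:
        parse_xrds_services(document)
    except UnsafeXrdsDocument:
        return True
    return False


# Constructed: a benign discovery document with two services.
CONSTRUCTED_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://openid.example.net/server</URI>
      <LocalID>https://openid.example.net/user/alice</LocalID>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://openid.example.net/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed: the same document shape, but carrying a DTD that declares an
# external entity. The checks above refuse it before any parsing happens.
CONSTRUCTED_XRDS_WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE XRDS [ <!ENTITY leak SYSTEM "file:///placeholder-path"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><URI>&leak;</URI></Service></XRD>
</xrds:XRDS>
"""

if __name__ == "__main__":
    for entry in parse_xrds_services(CONSTRUCTED_XRDS):
        print(entry)
    print("DTD document rejected:", rejects_document(CONSTRUCTED_XRDS_WITH_DTD))
```

The DOCTYPE check is deliberately a byte-level pre-filter rather than a parser option: it does not depend on which XML library is in use or how that library's entity-loading defaults change between versions, which is the kind of opaque, hard-to-reproduce behaviour the comments above worry about.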