Python Package Index

Tracker: Bugs

5 I want to use an arbitrary OpenID provider - ID: 2867773

Last Update: Settings changed ( loewis )

Details:

The point of OpenID is to avoid any kind of centralization of
authentication. It seems that having a small suite of supported OpenID
providers kind of defeats the purpose.

For example, I run my own web server and I am my own OpenID provider. I
want to use my own OpenID to log into pypi but I can't because when I go to
claim an OpenID there are three buttons for three random providers and no
way to enter an arbitrary OpenID.

Submitted:

Eric M. Hopper ( omnifarious ) - 2009-09-27 01:02

Priority:

Status:

Closed

Resolution:

Fixed

Assigned:

Nobody/Anonymous

Category:

None

Group:

None

Visibility:

Public

Comments ( 15 )

Date: 2010-01-03 21:23 Sender: loewis This is now fixed; you should be able to use (nearly) arbitrary OpenID providers.
Date: 2009-11-06 21:21 Sender: omnifarious Well, that seems to me to be an interpretation of what an OpenID is that is at variance with how almost every other provider and client I've seen on the net. I respectfully request, in keeping with this viewpoint, that you remove myopenid as a supported provider. With myopenid you can set the email address it reports for your identity to absolutely anything you want to and it has no means of verifying that it's correct. So you accepting them while not accepting others for not providing a verified email address isn't a consistent application of policy.
Date: 2009-11-05 19:29 Sender: loewis a-barrett: I think the opposite is the case. One of the ideals of OpenID is that Relying Parties don't have to do all the user tracking themselves anymore, but can rely (hence the name) on the Identity Provide to provide (hence the name) identity (hence the name) information. If the provider doesn't provide that information, or I cannot rely on it, i.e. if I have to verify the information myself, it defeats the whole point of OpenID.
Date: 2009-11-05 13:53 Sender: a-barrett Seeing as it already possible to enter an arbitrary email address by using the "manual" registration, why is it necessary for the email address given by the OpenID provider to be pre-verified? As for providers not supplying an email address at all, can't your login process check for one dynamically? This current approach seems to undermine the ideals OpenID was designed to include.
Date: 2009-10-17 05:52 Sender: omnifarious Thanks, if I could now delete my two essentially duplicate comments after the now unhidden one, I would.
Date: 2009-10-16 10:20 Sender: loewis FWIW, the comment from "2009-09-27 10:19" was hidden; I now unhid it. Not sure why it was hidden or who did that, though (or who has the right to do so in the first place).
Date: 2009-10-16 10:18 Sender: loewis What earlier comment do you think was deleted? AFAICT, they are all still there (assuming you are talking about comments to this issue).
Date: 2009-10-16 03:56 Sender: omnifarious Someone deleted my earlier comment. And that's not OK. It wasn't abusive. In fact it was downright friendly and helpful, what gives? I knew something was fishy... Here it is again.... That sounds like a good plan for OpenID providers too then. If you know an OpenID provider and trust them to give you a correct email address (which I know for myOpenID will not necessarily be the case) then you can skip that step. Otherwise just do it just like for someone who creates a non-OpenID account. In my case, I already have an account on your system, and I just want to associate my OpenID with it, so the verified email address question doesn't even apply. You already have one for me, and it's already verified.
Date: 2009-10-16 03:52 Sender: omnifarious So, why don't you just treat people who log in with an OpenID the same way? All OpenID is is a way to avoid having to have 50,000 passwords, it's not meant to be a mechanism you can use to vet people for humanity or anything like that. If you have major problems with some provider or another, then drop them. Otherwise let anybody in.
Date: 2009-09-27 08:19 Sender: omnifarious That sounds like a good plan for OpenID providers too then. If you know an OpenID provider and trust them to give you a correct email address (which I know for myOpenID will not necessarily be the case) then you can skip that step. Otherwise just do it just like for someone who creates a non-OpenID account. In my case, I already have an account on your system, and I just want to associate my OpenID with it, so the verified email address question doesn't even apply. You already have one for me, and it's already verified.
Date: 2009-09-27 08:10 Sender: loewis When they sign up, I send an email to their address, and they'll have to click on a link to confirm reception of the email.
Date: 2009-09-27 07:55 Sender: omnifarious So, how do you verify the email addresses of people who don't have any OpenID?
Date: 2009-09-27 07:53 Sender: loewis I need the email address so I can contact people in case there are problems with their entries (which happens often), and to protect from spammers.
Date: 2009-09-27 07:50 Sender: omnifarious Well, why do you need a verified email address from the OpenID provider?
Date: 2009-09-27 07:30 Sender: loewis I cannot possibly accept your OpenID provider. I need a valid, verified email address from the OpenID provider, so that I don't have to validate the email address myself. As I don't know your OpenID provider, I don't trust it to provide me with a verified email address (if it provides me with an email address at all).

Attached File

Changes ( 3 )

Field	Old Value	Date	By
close_date	-	2010-01-03 21:23	loewis
resolution_id	None	2010-01-03 21:23	loewis
status_id	Open	2010-01-03 21:23	loewis

Python Package Index

Tracker: Bugs

Comments ( 15 )

Attached File

No Files Currently Attached

Changes ( 3 )

About SourceForge

Find Software

Develop Software

Community

Help